Story image

Necurs botnet erupts from dormancy to churn out 100,000 spam emails over Easter

05 Apr 2018

One of the world’s largest spam botnets is back in action and this time it is spreading a Trojan downloader that can deliver a number of nasty malware surprises.

Just prior to Easter weekend, the Necurs botnet ramped up its activity by churning out approximately 100,000 emails in a single day. A few days prior, approximately 5000 emails were sent out.

The activity follows what Check Point dubbed a ‘relatively quiet’ month for the botnet.

“The low volumes seen at the earlier date indicate that that may have been an initial test before the main wave emerged.”

The spam emails mimicked purchase orders or document copies – two of the most common malware delivery methods.  The sender’s email address follows a similar pattern and begins with ‘netadmin’, Check Point explains in a blog.

“The emails have an attached archive containing a file with a URL. The URL files communicate with hosts in order to download an additional WSF file containing obfuscated JavaScript. This script is used to retrieve a QuantLoader payload, which, in turn, may download additional executables.”

Check Point notes that the Necurs botnet is notorious for distributing a number of malware families in the past, including both the Locky, Globe and Jaff ransomwares.

Because the Necurs botnet has suddenly engaged in a flurry activity after being dormant, it demonstrates how manware can quickly re-emerge.

“Despite Necurs being well known to the security community, hackers are still enjoying success distributing malware with this highly effective infection vehicle,” Check Point says.

In November last year researchers spotted cybercriminals who were using Necurs to distribute the Scarab ransomware – a relatively new ransomware variant first discovered in June 2017.

Necurs also featured eighth in Check Point’s ‘most wanted’ malware for the month of December 2017.

“Necurs botnet started mass distribution of Scarab during the U.S. Thanksgiving holiday, sending over 12 million emails in a single morning,” Check Point says.

“This reinforces the need for advanced threat prevention technologies and a multi-layered cybersecurity strategy that protects against both previously encountered, established malware families as well as brand new, zero-day threats.”

Check Point’s ThreatCloud intelligence is a collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors.

The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.
Red Box gains compliance boost with new partnership
By partnering with Global Relay, voice platform provider Red Box is improving the security of its offerings for high-value and risk voice data.