SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Necurs botnet erupts from dormancy to churn out 100,000 spam emails over Easter
Thu, 5th Apr 2018
FYI, this story is more than a year old

One of the world's largest spam botnets is back in action and this time it is spreading a Trojan downloader that can deliver a number of nasty malware surprises.

Just prior to Easter weekend, the Necurs botnet ramped up its activity by churning out approximately 100,000 emails in a single day. A few days prior, approximately 5000 emails were sent out.

The activity follows what Check Point dubbed a ‘relatively quiet' month for the botnet.

“The low volumes seen at the earlier date indicate that that may have been an initial test before the main wave emerged.

The spam emails mimicked purchase orders or document copies – two of the most common malware delivery methods.  The sender's email address follows a similar pattern and begins with ‘netadmin', Check Point explains in a blog.

“The emails have an attached archive containing a file with a URL. The URL files communicate with hosts in order to download an additional WSF file containing obfuscated JavaScript. This script is used to retrieve a QuantLoader payload, which, in turn, may download additional executables.

Check Point notes that the Necurs botnet is notorious for distributing a number of malware families in the past, including both the Locky, Globe and Jaff ransomwares.

Because the Necurs botnet has suddenly engaged in a flurry activity after being dormant, it demonstrates how manware can quickly re-emerge.

“Despite Necurs being well known to the security community, hackers are still enjoying success distributing malware with this highly effective infection vehicle,” Check Point says.

In November last year researchers spotted cybercriminals who were using Necurs to distribute the Scarab ransomware – a relatively new ransomware variant first discovered in June 2017.

Necurs also featured eighth in Check Point's ‘most wanted' malware for the month of December 2017.

“Necurs botnet started mass distribution of Scarab during the U.S. Thanksgiving holiday, sending over 12 million emails in a single morning,” Check Point says.

“This reinforces the need for advanced threat prevention technologies and a multi-layered cybersecurity strategy that protects against both previously encountered, established malware families as well as brand new, zero-day threats.

Check Point's ThreatCloud intelligence is a collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors.

The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.