Necurs Botnet Rises Again For Easter, Check Point Research Shows

By ISBuzz Team, Writer, Information Security Buzz | Apr 04, 2018 09:30 am PST

After a drastic decline in the volume of spam coming from the Necurs spambot observed by Check Point’s research team during March 2018, the infamous botnet is back once again and is spreading QuantLoader, a Trojan downloader which has been used to deliver a range of malware, including ransomware and banking trojans.

Necurs, considered to be the world’s largest spam botnet, has been used to distribute several malware families in the past, such as the Locky and Jaff ransomware in 2016 and 2017.

Just before the Easter weekend, Check Point Threat Intelligence sensors spotted a new wave of Necurs spam, peaking at around 100,000 emails in a single day (March 30th 2018) after a relatively quiet month. The emails pretend to be purchase orders or document copies in order to lure victims into opening the attachments, which would infect their machines with QuantLoader.

The sender’s email address on all of these messages follows the same pattern and starts with ‘netadmin’. The emails carry an attached archive containing a URL file. The URL file contacts remote hosts to download an additional WSF file containing obfuscated JavaScript; this script retrieves the QuantLoader payload, which in turn may download further executables.
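The delivery chain above (sender local-part beginning with ‘netadmin’, an archive attachment, a URL shortcut file inside it) lends itself to a simple mail-gateway heuristic. The following is an added example written for this article, not code from Check Point or from the article’s author; the message it inspects is constructed inline, and the shortcut target `http://example.invalid/placeholder.wsf` is a placeholder, not an indicator from the report.

```python
"""Heuristic detection for the Necurs/QuantLoader lure described in the article:
a sender whose local-part starts with 'netadmin' and a ZIP attachment that
contains an Internet-shortcut (.url) file. Added example; sample data is constructed."""
import io
import re
import zipfile
import email.utils
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SENDER_PREFIX = "netadmin"          # pattern reported for the spam wave
SHORTCUT_EXT = ".url"               # Windows Internet-shortcut file
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/octet-stream"}


def shortcut_targets(archive_bytes):
    """Return (member name, URL= value) for every .url file inside a ZIP archive."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(SHORTCUT_EXT):
                    continue
                text = zf.read(info).decode("utf-8", errors="replace")
                m = re.search(r"^URL=(.+)$", text, re.MULTILINE)
                found.append((info.filename, m.group(1).strip() if m else None))
    except zipfile.BadZipFile:
        pass  # not a ZIP (or corrupt); nothing to inspect
    return found


def analyze(raw_bytes):
    """Parse a raw RFC 5322 message and report the lure indicators it matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    local_part = addr.split("@")[0].lower()
    sender_match = local_part.startswith(SENDER_PREFIX)

    shortcuts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() in ARCHIVE_TYPES or name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True)
            shortcuts.extend(shortcut_targets(payload))

    # A shortcut file hidden in an archive is the strong signal; the sender
    # pattern alone is weak, so it only raises the score.
    return {
        "from": addr,
        "subject": str(msg.get("Subject", "")),
        "sender_match": sender_match,
        "shortcuts": shortcuts,
        "suspicious": bool(shortcuts),
    }


def build_sample():
    """Construct a message mimicking the described lure (constructed, not a capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Purchase_Order_4471.url",
                    "[InternetShortcut]\r\nURL=http://example.invalid/placeholder.wsf\r\n")
    msg = EmailMessage()
    msg["From"] = "netadmin@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Purchase Order"
    msg.set_content("Please find attached the copy of the purchase order.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Purchase_Order_4471.zip")
    return msg.as_bytes()


def build_benign_sample():
    """Construct an ordinary message with a ZIP that holds no shortcut file."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("report.txt", "quarterly figures\n")
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Report"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_benign_sample()):
        print(analyze(raw))
```

Run as a script it prints the analysis of both constructed messages; in a gateway it would be called on each inbound message and the `suspicious` flag used to quarantine. The check looks inside the archive rather than at its filename, because the reported lure names the attachment as a purchase order or document copy.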

The re-emergence of the Necurs botnet shows that malware which appears to have gone dormant can quickly return. Despite Necurs being well known to the security community, attackers are still successfully distributing malware through this highly effective infection vehicle. This reinforces the need for advanced threat prevention technologies and a multi-layered cybersecurity strategy that protects against both established, previously encountered malware families and brand new, zero-day threats.

Check Point’s ThreatCloud intelligence is the largest collaborative network to fight cybercrime, delivering threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

