After a drastic decline in the volume of spam coming from the Necurs spambot observed by Check Point’s research team during March 2018, the infamous botnet is back once again and is spreading QuantLoader, a Trojan downloader which has been used to deliver a range of malware, including ransomware and banking trojans.
Necurs, considered to be the world’s largest spam botnet, has been used to distribute several malware families in the past, such as the Locky and Jaff ransomware in 2016 and 2017.
Just before the Easter weekend, Check Point Threat Intelligence sensors spotted a new wave of Necurs spam, with a peak of around 100,000 emails in just one day (March 30th 2018), following a relatively quiet month. The e-mails pretend to be purchase orders or document copies, to lure the victims to open their attachments which would infect their machines with Quantloader.
The sender’s email address on all these messages follows the same pattern, and starts with ‘netadmin’. The emails have an attached archive containing a file with a URL. The URL files communicate with hosts in order to download an additional WSF file containing obfuscated JavaScript. This script is used to retrieve a QuantLoader payload, which, in turn, may download additional executables.
The re-emergence of the Necurs botnet highlights that while malware may seem to go dormant, it can quickly re-emerge. Despite Necurs being well known to the security community, hackers are still enjoying success distributing malware with this highly effective infection vehicle. This reinforces the need for advanced threat prevention technologies and a multi-layered cybersecurity strategy that protects against both previously encountered, established malware families as well as brand new, zero-day threats.
Check Point’s ThreatCloud intelligence is the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.
www.checkpoint.com/threat-prevention-resources/index.html
[su_box title=”About Check Point” style=”noise” box_color=”#336588″][short_info id=’74105′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.