Necurs botnet involved in massive ransomware campaigns at the end of 2017

Haythem Elmir
0 1
Read Time1 Minute, 47 Second

The Necurs botnet made the headlines at year-end sending out tens of millions of spam emails daily as part of massive ransomware campaigns.

Necurs was not active for a long period at the beginning of 2017 and resumed it activity in April.

The Necurs botnet was used in the past months to push many other malware, including Locky, Jaff, GlobeImposter, Dridex , Scarab and the Trickbot.

According to data collected by the experts at AppRiver, between December 19 and December 29, 2017, the Necurs botnet was involved in the distribution of ransomware. Crooks use typical holiday-themed scam emails to distribute both Locky and GlobeImposter, malicious messages used .vbs (Visual Basic Script) or .js (JavaScript) files inside a .7z archive.

necurs botnet xmas 1220_js_eml

Starting on Dec. 19, the Necurs botnet was observed sending tens of millions of spam emails daily to distribute ransomware, the peak was reached on December 20th with over 47 million email (peaking at 5.7 million per hour).

“On Dec. 19, AppRiver’s filters stopped 45,976,814 malicious emails sent by the Necurs botnet.  Maximum traffic for it was a just more than 4.6 million emails per hour. These were all .7z that contained malicious .vbs files leading to an infection.” reads the analysis published by AppRiver.

Necurs botnet xmas

Experts noticed that during the first day operators only used vbs files inside the .7z archive, while the second day they started using also .js files.

“On Dec. 21 and 22, the traffic switched back over to the .js files and began to taper off. We saw 36,290,981 and 29,602,971 messages blocked respectively, for those two days, before the botnet went quiet from Dec. 23-25. Today (Dec. 26), Necurs re-awoke from its slumber for a couple hours then went quiet again.” continues the analysis.

“Hard to say why, however, I would hypothesize the operators may have been testing or monitoring the rate of infections and realized many workers are on vacation.  As of the time this blog was authored we’ve captured the below statistics for today”.

To read the original article:

http://securityaffairs.co/wordpress/67356/malware/necurs-botnet-end-2017.html

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

Former NSA hacker reversed Kaspersky Lab antivirus to compose signatures capable of detecting classified documents

Former NSA hacker, demonstrated how to subvert the Kaspersky Lab antivirus and turn it into a powerful search tool for classified documents. The Kaspersky case demonstrated that security software can be exploited by intelligence agencies as a powerful spy tool. Patrick Wardle, chief research officer at Digita Security and former NSA […]