Necurs’ spam botnet business is doing well as it is seemingly acquiring new customers. The Necurs botnet is the biggest deliverer of spam with 5 to 6 million infected hosts online monthly, and is responsible for the biggest single malware spam campaigns. Its service model provides the whole infection chain: from spam emails with malicious malware downloader attachments, to hosting the payloads on compromised websites.
The Necurs botnet is most renown for distributing the Dridex banking Trojan, Locky ransomware, and “pump-and-dump” penny-stock spam. Since 2016 it has expanded its deliverables beyond these three and have included other families of ransomware, such as GlobeImposter and Jaff, and the banking trojan Trickbot to its customer base, with Locky being its brand-image malware deliverable with multiple malware spam campaigns per week.
This morning at 9AM (Helsinki time, UTC +2) we observed the start of a campaign with malicious .vbs script downloaders compressed with 7zip. The email subject lines are “Scanned from (Lexmark/HP/Canon/Epson)” and the attachment filename is formatted as “image2017-11-23-(7 random digits).7z“.
The final payload (to our surprise) was Scarab ransomware, which we haven’t seen previously delivered in massive spam campaigns. Scarab ransomware is a relatively new ransomware variant first observed last June, and its code is based on the open source “ransomware proof-of-concept” called HiddenTear.
This version doesn’t change the file names, but appends a new file extension to the encrypted files with “.[email@example.com].scarab”, and drops the following ransom note after the encryption:
The spam campaigns from Necurs are following the same format from campaign to campaign, consisting of social engineering subject line themes varying from financial to office utilities, with very minimal text body contents and spiced up usually with malicious attachments, sometimes just URLs. And as the simple social engineering themes are effective, Necurs tends to re-use the spam themes in its campaigns, sometimes within a rather short cycle. In this particular case, the subject lines used in this spam campaign were last seen in a Locky ransomware campaign exactly two weeks ago, the only difference being the extension of the attached downloader.
This has already given Scarab-ransomware a massive popularity bump, according to ransomware submissions ID ransomware.
Necurs now spreading Scarab (https://t.co/M8YD8SS98p).
Let’s see if it will be more successful than Locky in past months…@BleepinComputer @demonslay335
cc @MalwareTechBlog pic.twitter.com/e9rPiem9BX
— MalwareHunterTeam (@malwrhunterteam) November 23, 2017
We’re interested to see the future affiliations of this massive botnet and observe how it’s able to change the trends and popularity of malware types and certain families. In the meanwhile, we’ll keep blocking these threats, keeping our customers safe.
b4a671ec80135bfb1c77f5ed61b8a3c80b2b6e51 7ac23eee5e15226867f5fbcf89f116bb01933227 d31beec9e2c7b312ecedb594f45a9f5174155c68 85dc3a0b833efb1da2efdcd62fab565c44f22718 da1e2542b418c85f4b57164e46e04e344db58ab8 a6f1f2dd63d3247adb66bd1ff479086207bd4d2b 14680c48eec4e1f161db1a4a990bd6833575fc8e af5a64a9a01a9bd6577e8686f79dce45f492152e c527bc757a64e64c89aaf0d9d02b6e97d9e7bb3d 3f51fb51cb1b9907a7438e2cef2e538acda6b9e9 b0af9ed37972aab714a28bc03fa86f4f90858ef5 6fe57cf326fc2434c93ccc0106b7b64ec0300dd7 http://xploramail.com/JHgd476? http://miamirecyclecenters.com/JHgd476? http://hard-grooves.com/JHgd476? http://xploramail.com/JHgd476? http://atlantarecyclingcenters.com/JHgd476? http://pamplonarecados.com/JHgd476? http://hellonwheelsthemovie.com/JHgd476?