Necurs botnet launches massive 47 million emails per day campaign

itman · Dec 28, 2017

The Necurs botnet continued to launch massive global ransomware attacks through the Holiday Season with researchers stopping as many as 47 million emails per day.

Threat actors behind the attacks continue to distribute Lock and GlobeImposter ransomware preferring to use either a malicious .vbs (visual basic script) or .js (javascript) file located inside a .7z (seven-zip archive) to pull down the ransomware payload, according to a Dec. 26 blog post.
Click to expand...

https://www.scmagazine.com/necurs-botnet-launched-massive-holiday-campaign/article/733650/

guest · Apr 27, 2018

World's Largest Spam Botnet Finds a New Way to Avoid Detection... For Now
April 27, 2018
https://www.bleepingcomputer.com/ne...t-finds-a-new-way-to-avoid-detection-for-now/

Necurs, the world's largest spam botnet, with millions of infected computers under its control, has updated its arsenal and is currently utilizing a new technique to infect victims.
This new technique consists of sending an email to a potential victim containing an archive file, which unzips to a file with the extension of .URL. This is a typical Windows shortcut file that opens a web page directly into a browser, instead of a location on disk.
Necurs dropping Quant Loader via .URL shortcut files
For this particular spam run, Necurs had been infecting victims with Quant Loader, a run-of-the-mill and nothing-special malware family that is intended only to gain boot persistence and download another strain of more potent malware down the road.

While this technique is most likely not new entirely, as crooks have abused .URL files in the past, it is new for Necurs. What makes this technique stand out is the simplified infection chain, which now relies only on delivering a zipped .URL shortcut file.
New technique evades email malware scanners
The purpose of this much simpler routine is to avoid malware scanners that analyze emails, looking for malicious links or boobytrapped attachments. Such solutions work on preset rules, many of which have been set up by security researchers based on previously observed malicious patterns.
Click to expand...

Minimalist · Jun 9, 2018

Creative Spam Thinks Outside the Macro with .IQY Attachments

The Necurs botnet is driving a fresh spam campaign that uses Excel Web Query (.IQY) file attachments to skim under the antivirus radar. If successful, the attack ultimately delivers the remote access trojan (RAT) known as FlawedAmmyy.
Click to expand...

https://threatpost.com/creative-spam-thinks-outside-the-macro-with-iqy-attachments

itman · Jun 9, 2018

Minimalist said: ↑

Creative Spam Thinks Outside the Macro with .IQY Attachments
Click to expand...

I was reading about this yesterday on Threatpost. I guess if you're "severely visually impared" and your sys admin hasn't fully locked down the following, you could get nailed by this:

Mitigation

Barkly pointed out that as long as Microsoft Office is configured to block external content (which is the default), when Excel launches users will be presented with a warning prompt, and users must actively choose to enable the macros:

Even if a user clicks “yes,” another prompt shows up:
Click to expand...

itman · Jun 28, 2018

Threat actors behind Necurs rolling out new abilities on a monthly basis

And starting in June Trend noticed the .NET spamming module being spread that is capable of stealing emails and credentials. Other features include sending spam while logged in to stolen email accounts and access a victim's contact list stored in email clients and the email addresses with which a victim has previously corresponded. By using a method using the malicious actors are able to use legitimate, whitelisted accounts thus avoiding IP blocking security systems.
Click to expand...

https://www.scmagazine.com/threat-a...-abilities-on-a-monthly-basis/article/776870/

guest · Aug 16, 2018

Necurs Targeting Banks with PUB File that Drops FlawedAmmyy
August 15, 2018
https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/

Cofense™ Research reports that the Necurs botnet began a new campaign at approximately 7:30 EST on Aug 15, one appearing to be highly targeted at the banking industry. So far, Cofense has seen over 2,700 bank domains targeted as recipients.

What stood out today is what changed. Necurs for months has been sending a seemingly never-ending stream of typical spam campaigns. Today at 7:30am EST we noticed a new file extension attached to its phishing campaigns: .PUB, which belongs to Microsoft Publisher. Like Word and Excel, Publisher has the ability to embed macros. So just when you are feeling confident about a layered defense protecting you from Malicious Word docs, Necurs adapts and throws you a curveball.

[...] The final payload for this campaign is the FlawedAmmyy remote access trojan. FlawedAmmyy is based on the leaked source code for Ammyy Admin. This tool provides full remote control of the compromised host leading to file and credential theft as well as serving as a beachhead for any further lateral movement within the organization.
Click to expand...

guest · Sep 7, 2018

Threat Actors Eyeing IQY Files To Peddle Malspam
The Necurs Botnet, DarkHydrus and other threat actors are turning to the inconspicuous files.
September 7, 2018
https://threatpost.com/threat-actors-eyeing-iqy-files-to-peddle-malspam/137279/

More threat actors are pushing weaponized Excel web query (IQY) files to deliver malicious code – as seen in recent campaigns by several major malspam distributors.

Researchers at IBM X-Force this week disclosed that both the Necurs Botnet, as well as DarkHydrus and the threat actor behind the Marap downloader, have all been observed utilizing weaponized IQY file attachments to deliver malware.

“This type of file attachment is relatively unusual and not commonly seen attached to emails, and that is why it can be interesting to an attacker,” Scott O’Neill, security researcher with X-Force, said this week in a post. “Attackers constantly shuffle file types in their spam campaigns in an attempt to create an element of surprise for unsuspecting users.”
Click to expand...

Log in or Sign up

Necurs botnet launches massive 47 million emails per day campaign

itman Registered Member

guest Guest

Minimalist Registered Member

itman Registered Member

itman Registered Member

guest Guest

guest Guest

Log in or Sign up

Necurs botnet launches massive 47 million emails per day campaign

itman Registered Member

guest Guest

Minimalist Registered Member

itman Registered Member

itman Registered Member

guest Guest

guest Guest

Useful Searches