Massive Necurs Botnet Regains Strength With Devastating Scarab Ransomware Deployments


The largest spam botnet in the world has a new trick up its sleeve, prompting security outfit Check Point to return it to its list of the ten most prevalent malware families. Called Necurs, the botnet dished up more than 12 million emails in a single morning during the Thanksgiving holiday. What makes it even more troubling is that its operators have added the relatively new Scarab ransomware to the botnet's list of dirty tricks.

"The re-emergence of the Necurs botnet highlights how malware that may seem to be fading away doesn't always disappear or become any less of a threat. Despite Necurs being well known to the security community, hackers are still enjoying lots of success distributing malware with this highly effective infection vehicle," Check Point says. "This reinforces the need for advanced threat prevention technologies and a multi-layered cybersecurity strategy that protects against both previously encountered, established malware families as well as brand new, zero-day threats."

Necurs has been a thorn in the side of business on prior occasions. Over the past 12 months, it has been used to hit business networks with various malware, including the Locky and GlobeImposter ransomware families. Scarab is therefore not the first ransomware Necurs has carried; what propels the botnet back into the top ten is pairing a fresh family with a 12-million-message burst, hence Check Point's recommendation for a multi-layered cybersecurity strategy, self-serving as its advice might be.

As for the other threats, here's a look at Check Point's top ten list:
  1. ↔ RoughTed—a purveyor of ad-blocker aware malvertising responsible for a range of scams, exploits, and malware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  2. ↑ Rig EK—Exploit kit first seen in 2014. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page containing JavaScript that checks for vulnerable plug-ins and delivers the matching exploit.
  3. ↑ Conficker—Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  4. ↑ Ramnit—Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  5. ↑ Fireball—Browser hijacker that can be turned into a fully functioning malware downloader. It is capable of executing arbitrary code on the victim machine, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  6. ↑ Pushdo—Trojan that infects a system and then downloads the Cutwail spam module; it can also install additional third-party malware.
  7. ↑ Nivdort—Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  8. ↑ Necurs—Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.
  9. ↓ Zeus—Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  10. ↓ Locky—Ransomware that started its distribution in February 2016 and spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user's files.
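
The Nivdort entry above (item 7) describes a detail worth acting on: when each spam recipient gets a binary with their own address baked in, every copy has a different file hash, so an exact-hash blocklist built from one sample catches nothing else in the campaign. The following Python is an added example, not code from the article or from Check Point: it builds constructed stand-in files (not real Nivdort samples) that differ only in the embedded address, shows their SHA-256 values differ, and computes a normalized hash with any embedded e-mail address masked out so the variants collapse to one indicator. It also pulls the address back out, which tells an incident responder which mailbox the file was built for. The byte layout, the `RCPT=` field name and the function names are assumptions made for illustration.

```python
import hashlib
import re
from typing import Iterable, Optional, Set, Tuple

# Matches an e-mail address embedded as ASCII inside a byte string.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_sample(recipient: str) -> bytes:
    """Constructed stand-in for a per-recipient malware build.

    This is NOT a real Nivdort binary: a fixed byte payload with the
    recipient address embedded, enough to show the hashing behaviour.
    The layout and the RCPT= marker are assumptions for this example.
    """
    stub = b"MZ" + b"\x90" * 30                 # fake DOS header
    code = b"\x55\x8b\xec\x83\xec\x10" * 32     # fixed "code" bytes
    config = b"\x00RCPT=" + recipient.encode("ascii") + b"\x00"
    return stub + code + config + b"\xcc" * 16


def sha256_hex(data: bytes) -> str:
    """Exact file hash: differs for every recipient-specific build."""
    return hashlib.sha256(data).hexdigest()


def normalized_sha256_hex(data: bytes) -> str:
    """Hash with every embedded e-mail address replaced by a fixed token.

    Variants that differ only in the address collapse to one value, so a
    single blocklist entry can match the whole campaign.
    """
    return hashlib.sha256(EMAIL_RE.sub(b"<EMAIL>", data)).hexdigest()


def embedded_recipient(data: bytes) -> Optional[str]:
    """Return the first embedded e-mail address, or None if there is none.

    For incident response this identifies the mailbox the file was built for.
    """
    m = EMAIL_RE.search(data)
    return m.group(0).decode("ascii") if m else None


def blocklist_hits(samples: Iterable[bytes],
                   exact_blocklist: Set[str],
                   normalized_blocklist: Set[str]) -> Tuple[int, int]:
    """Count how many samples each blocklist style catches."""
    samples = list(samples)
    exact = sum(sha256_hex(s) in exact_blocklist for s in samples)
    norm = sum(normalized_sha256_hex(s) in normalized_blocklist for s in samples)
    return exact, norm


if __name__ == "__main__":
    # Constructed campaign: three recipients, only the first seen by the analyst.
    recipients = ["alice@example.com", "bob@example.org", "carol@example.net"]
    samples = [build_sample(r) for r in recipients]
    known = samples[0]
    exact_bl = {sha256_hex(known)}
    norm_bl = {normalized_sha256_hex(known)}
    print("exact hits, normalized hits:", blocklist_hits(samples, exact_bl, norm_bl))
    for s in samples:
        print(sha256_hex(s)[:16], normalized_sha256_hex(s)[:16], embedded_recipient(s))
```

Real campaigns rarely vary a single field; packers, random padding and rebuilt resources change far more than the recipient string, so a normalized hash like this is a triage aid for a known build, not a replacement for behavioural or signature-based detection.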
Check Point's Global Threat Impact Index is based on its ThreatCloud Map, powered by its ThreatCloud Intelligence, a large collaborative network. The ThreatCloud database contains over 250 million addresses, more than 11 million malware signatures, and over 5.5 million infected websites, and identifies millions of malware types each day.