Necurs’ Business Is Booming In A New Partnership With Scarab Ransomware

By Paivi Tynninen, F-Secure

November 27, 2017

Necurs’ spam botnet business is doing well, as it is seemingly acquiring new customers. The Necurs botnet is the biggest deliverer of spam, with 5 to 6 million infected hosts online monthly, and is responsible for the biggest single malware spam campaigns. Its service model provides the whole infection chain: from spam emails carrying malicious downloader attachments to hosting the payloads on compromised websites.

[Figure: necurs_other]

Necurs is contributing a fair bit to the malicious spam traffic we observe.

The Necurs botnet is best known for distributing the Dridex banking Trojan, Locky ransomware, and “pump-and-dump” penny-stock spam. Since 2016 it has expanded its deliverables beyond these three, adding other ransomware families such as GlobeImposter and Jaff and the banking trojan Trickbot to its customer base, with Locky remaining its brand-image deliverable at multiple malware spam campaigns per week.

This morning at 9AM (Helsinki time, UTC+2) we observed the start of a campaign with malicious .vbs script downloaders compressed with 7zip. The email subject lines are “Scanned from (Lexmark/HP/Canon/Epson)” and the attachment filename is formatted as “image2017-11-23-(7 random digits).7z”.

The final payload (to our surprise) was Scarab ransomware, which we haven’t seen previously delivered in massive spam campaigns. Scarab ransomware is a relatively new ransomware variant first observed last June, and its code is based on the open source “ransomware proof-of-concept” called HiddenTear.

This version doesn’t change the file names, but appends a new file extension to the encrypted files with “.[suupport@protonmail.com].scarab”, and drops the following ransom note after the encryption:

[Figure: ransomnote, the Scarab ransom note]

Necurs spam campaigns follow the same format from campaign to campaign: social engineering subject line themes ranging from finance to office utilities, very minimal body text, and usually a malicious attachment, sometimes just a URL. Because these simple social engineering themes are effective, Necurs tends to reuse them across campaigns, sometimes within a rather short cycle. In this particular case, the subject lines used in this spam campaign were last seen in a Locky ransomware campaign exactly two weeks ago, the only difference being the extension of the attached downloader.
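The indicators described above (the printer-scan subject theme, the image&lt;date&gt;-&lt;7 digits&gt;.7z attachment name, the “/JHgd476?” download path, the Scarab file extension and the file hashes in the IOC list) can be turned into a small mail-gateway triage rule. The following Python is an added example written for this article, not F-Secure tooling. It treats the subject line alone as a weak signal, because the same theme was reused for Locky two weeks earlier, and the attachment naming scheme or payload URL as a strong one. The attachment regex generalises the date part to any YYYY-MM-DD, which is an assumption; the article itself only shows 2017-11-23. The sample messages are constructed, and only two of the twelve listed hashes are included in the lookup set.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Indicators from the write-up. The date in the attachment name is generalised
# to any YYYY-MM-DD (assumption); the post only shows image2017-11-23-*.7z.
SUBJECT_RE = re.compile(r"^Scanned from (Lexmark|HP|Canon|Epson)\b", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^image\d{4}-\d{2}-\d{2}-\d{7}\.7z$", re.IGNORECASE)
PAYLOAD_URL_RE = re.compile(r"^https?://[^/]+/JHgd476\?$", re.IGNORECASE)
SCARAB_EXT = ".[suupport@protonmail.com].scarab"

# Two of the twelve file hashes listed in the post's IOC section.
KNOWN_HASHES = {
    "b4a671ec80135bfb1c77f5ed61b8a3c80b2b6e51",
    "7ac23eee5e15226867f5fbcf89f116bb01933227",
}


@dataclass
class Message:
    """Minimal view of a mail message: subject, attachment names, body URLs."""
    subject: str
    attachments: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def triage_message(msg: Message) -> List[str]:
    """Return the names of all campaign indicators matched by one message."""
    hits = []
    if SUBJECT_RE.search(msg.subject):
        hits.append("necurs_scanner_subject")
    if any(ATTACHMENT_RE.match(name) for name in msg.attachments):
        hits.append("necurs_7z_downloader_name")
    if any(PAYLOAD_URL_RE.match(url) for url in msg.urls):
        hits.append("necurs_payload_url")
    return hits


def verdict(hits: List[str]) -> str:
    """Map indicator hits to an action. The subject theme on its own is weak
    (Necurs reused it for Locky two weeks earlier) and only earns a manual
    review; the attachment naming scheme or the payload URL is strong."""
    if "necurs_7z_downloader_name" in hits or "necurs_payload_url" in hits:
        return "block"
    if hits:
        return "review"
    return "allow"


def is_scarab_encrypted(path: str) -> bool:
    """Scarab keeps the original name and appends its marker extension, so a
    file already encrypted by this variant ends with the full marker."""
    return path.endswith(SCARAB_EXT)


def hash_is_known(sha1_hex: str) -> bool:
    """Case-insensitive lookup of a 40-hex-digit file digest in the IOC set."""
    return sha1_hex.lower() in KNOWN_HASHES


if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    samples = [
        Message("Scanned from HP", ["image2017-11-23-4827193.7z"]),
        # Same subject theme, attachment outside the .7z scheme: review only.
        Message("Scanned from Canon", ["notes.zip"]),
        Message("Re: meeting notes", ["notes.docx"], ["http://hard-grooves.com/JHgd476?"]),
        Message("Invoice 4421", ["invoice.pdf"]),
    ]
    for m in samples:
        h = triage_message(m)
        print(f"{m.subject!r:24} -> {verdict(h):6} {h}")
```

The payload URL rule matches on the path only, so it keeps working when the actors rotate the compromised hosting domain, as the seven different domains in the IOC list suggest they do; the hash lookup, by contrast, only catches the exact samples already seen.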

[Figure: locky_scarab, the Locky campaign subject lines next to the Scarab ones]

This has already given Scarab ransomware a massive popularity bump, according to submissions to ID Ransomware.

We’re interested to see the future affiliations of this massive botnet and to observe how it is able to change the trends and popularity of malware types and families. In the meantime, we’ll keep blocking these threats and keeping our customers safe.

IOCs:

File hashes (40 hex digits, SHA-1 length):

  1. b4a671ec80135bfb1c77f5ed61b8a3c80b2b6e51
  2. 7ac23eee5e15226867f5fbcf89f116bb01933227
  3. d31beec9e2c7b312ecedb594f45a9f5174155c68
  4. 85dc3a0b833efb1da2efdcd62fab565c44f22718
  5. da1e2542b418c85f4b57164e46e04e344db58ab8
  6. a6f1f2dd63d3247adb66bd1ff479086207bd4d2b
  7. 14680c48eec4e1f161db1a4a990bd6833575fc8e
  8. af5a64a9a01a9bd6577e8686f79dce45f492152e
  9. c527bc757a64e64c89aaf0d9d02b6e97d9e7bb3d
  10. 3f51fb51cb1b9907a7438e2cef2e538acda6b9e9
  11. b0af9ed37972aab714a28bc03fa86f4f90858ef5
  12. 6fe57cf326fc2434c93ccc0106b7b64ec0300dd7

Payload URLs:

  13. http://xploramail.com/JHgd476?
  14. http://miamirecyclecenters.com/JHgd476?
  15. http://hard-grooves.com/JHgd476?
  16. http://atlantarecyclingcenters.com/JHgd476?
  17. http://pamplonarecados.com/JHgd476?
  18. http://hellonwheelsthemovie.com/JHgd476?