The Necurs botnet has increased in prevalence since the US Thanksgiving holiday, as cyber-criminals use it to distribute a new form of ransomware, according to Check Point’s latest Global Threat Impact Index.
Over Thanksgiving, hackers were found using Necurs, considered to be the largest spam botnet in the world, to distribute the relatively new Scarab ransomware that was first seen in June 2017. The Necurs botnet started mass distribution of Scarab during the holiday, sending over 12 million emails in a single morning.
Necurs has previously been used to distribute some of the most insidious malware variants to hit business networks in the past 12 months, including the Locky and Globeimposter families. But the Scarab activity has catapulted it to Check Point’s list of the top ten most prevalent malwares.
“The re-emergence of the Necurs botnet highlights how malware that may seem to be fading away doesn’t always disappear or become any less of a threat,” said Maya Horowitz, Threat Intelligence, group manager at Check Point. “Despite Necurs being well known to the security community, hackers are still enjoying lots of success distributing malware with this highly effective infection vehicle.”
As for the other threats, RoughTed, a large scale malvertising campaign, remains the most prevalent threat, with the Rig exploit kit in second, and the Conficker worm in third.
RoughTed can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack. The Rig EK, first introduced in 2014, delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit. Conficker meanwhile allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
The most popular malware used to attack organizations’ mobile estates remains unchanged from October, as Triada, a modular backdoor for Android, continued to increase in prevalence. Triada grants superuser privileges to downloaded malware, as helps it to be embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
The Lokibot Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone in case its admin privileges are removed, is in second place for mobile malware, followed by LeakerLocker, an Android ransomware that reads personal user data, and then presents it to the user and threatens to leak it online if ransom payments aren’t met.
Check Point’s Global Threat Impact Index is based on its ThreatCloud database, which holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites.