Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Necurs Returns With New Scarab Ransomware Campaign

The world’s largest spam botnet, Necurs, is delivering a new version of the Scarab ransomware. The campaign started at 07:30 UTC on Thanksgiving Day. By 13:30 UTC, security firm Forcepoint had already blocked more than 12.5 million Necurs emails.

The world’s largest spam botnet, Necurs, is delivering a new version of the Scarab ransomware. The campaign started at 07:30 UTC on Thanksgiving Day. By 13:30 UTC, security firm Forcepoint had already blocked more than 12.5 million Necurs emails.

The new campaign was also noted by F-Secure. “This morning at 9AM (Helsinki time, UTC +2) we observed the start of a campaign with malicious .vbs script downloaders compressed with 7zip,” blogged researcher Paivi Tynninen on Thursday.

“Based on our telemetry,” noted Forcepoint researchers, “the majority of the traffic is being sent to the .com top level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France and Germany.”

Necurs, weaponizing between 5 and 6 million hosts per month, was originally best known for distributing the Dridex banking trojan, the Locky ransomware, and ‘pump-and-dump’ schemes. This year it has also spammed out Jaff and GlobeImposter ransomware. Scarab is new.

Scarab was first spotted in June 2017 by Michael Gillespie, creator of ID Ransomware (a service that allows users to submit a ransom note to discover which ransomware has infected them). According to F-Secure, Scarab’s code “is based on the open source ìransomware proof-of-concept called HiddenTear.”

Necurs is delivering a malicious VBS script downloader compressed with 7zip. As in previous campaigns, the script contains a number of Games of Thrones references, such as the strings ‘Samwell’ and ‘JohnSnow’. The final payload is Scarab. 

The email itself is typical Necurs: minimal text body with business-related subjects; in this case suggesting the attachment contains images of scanned documents. Popular subjects are ‘Scanned from…’ with either Lexmark, HP, Cannon or Epson added.  

“The download domains used as part of this campaign were compromised sites which have previously been used by Necurs-based campaigns,” notes Forcepoint. It is probable that many organizations will have these domains blacklisted, but the sheer size of the campaign will likely lead to many new Scarab infections. 

If the downloader runs and Scarab is installed, it encrypts files and appends a new extension ending in ‘[[email protected]].scarab’. The email address part of the extension is the same contact email provided in the ransom note.

The ransom note, with the filename ìIF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXTî, is dropped into each affected folder. This note does not specify the amount of ransom required, saying instead that the amount will depend upon the speed of response from the victim. It does, however, offer to decrypt three files free of charge to prove the decryption will work: “Before paying you can send us up to 3 files for free decryption.”

Related: Ransomware: Where It’s Been and Where It’s Going 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.