Necurs reappears

Researchers at Check Point have published their top ten malware list for November 2017. The list shows all bar one piece of malware has been on the move. That malware is RoughTed which is unsurprising as it focuses on malvertising. With the Christmas season upon us and retailers sending out more adverts than some spam engines, the opportunities for RoughTed are significant.

What has gotten the attention of the researchers has been the re-entry of Necurs. The researchers describe it as: “the largest spam botnet in the world.” It has been a while since Necurs was spotted but its resurgence appears to be linked to the Scarab Ransomware. According to the Check Point researchers: “The Necurs botnet started mass distribution of Scarab during the U.S. Thanksgiving holiday, sending over 12 million emails in a single morning.”

Interestingly, Necurs was previously used to distribute the Locky ransomware. This month, Locky has been one of the big fallers on the top ten chart. It has dropped from a solid 2nd place to 10th and is expected to drop out of the top ten by the end of December.

Necurs not the biggest climber

While the attention is on Necurs given the Scarab campaign, Rig EK, a three-year-old exploit kit, has roared back into the chart at number 3. It delivers exploits for Flash, Java, Silverlight and Internet Explorer. With Christmas coming and lots of new laptops and devices being sold, Rig EK is seemingly poised to drop malware on a lot of new and unprotected computers.

Nivdort is also a newcomer to the chart. It harvests passwords and modifies system settings as well as downloading more malware. Interestingly, the researchers have given no explanation as to why it may have made a reappearance in the chart.

The losers

Despite the insane journey that cryptocurrencies are currently on, CoinHive has plummeted out of the top ten. This may have as much to do with pressure from the industry on its creators as with awareness among users. Endpoint security vendors reacted quickly over the last few weeks to block CoinHive. If only they were as effective at blocking other well-known pieces of malware.

Another big loser already mentioned is Locky. It has dropped from 2nd to 10th. Zeus, the banking trojan, has also seen a big drop, falling from 5th to 9th, and is also expected to follow Locky out of the chart next month.

What does it mean?

Malware goes in phases of popularity and effectiveness. Much of it relies on botnets to spread it via spam or phishing attacks. If those botnets are being used by other people to spread different malware, it can look like a campaign has ended. The problem is that security teams can read too much into the numbers. Just because something has been seen less in a given month does not mean it has fallen out of use. The surge of Locky in September was also put down to a Necurs-driven campaign.

What is clear is that malvertising, exploit kits and ransomware still dominate the malware landscape. With Christmas coming and users getting lots of new devices and toys that will inevitably end up in the office over January, security teams need to be on high alert. Users also need to think carefully before clicking on that offer in their email.
