
Necurs Recurs

The Necurs botnet, which was responsible for millions of malicious spam messages last year, has recently been extremely active again. For the past three weeks it has spammed emails carrying a malicious PDF attachment that drops a Word document with a macro which, in turn, downloads rebranded ransomware. The chart below, built from our Spam Research Database, shows the daily spam received from the previous weeks to the present. In typical Necurs fashion, you can see the short, high-volume bursts.

[Chart: daily spam volume from the Spam Research Database, previous weeks to present]

The campaign uses various subjects in the spammed emails.

Week 1 (May 11-12)
Scanned image
Receipt to print
File_{random numbers}
Copy_{random numbers}
Document_{random numbers}
PDF_{random numbers}
Scan_{random numbers}

Week 2 (May 15-17)
Your Invoice # {random numbers}
XX_Invoice_XXXX
Emailing: {random numbers}.pdf
Invoice {random numbers} {mm/dd/yyyy}

Week 3 (May 22-25)
Invoice(XX-XXXX)
Copy of Invoice {random numbers}
IMG_XXXX.pdf
Payment Receipt XXX
Payment Receipt#XXX
Payment Receipt_XXX
Payment XXX
Payment#XXX
Payment_XXX
Payment-XXX
Receipt XXX
Receipt#XXX
Receipt_XXX
Receipt-XXX

Note: X stands for any random digit.
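A detection-side illustration of the subject templates listed above. This is an added example, not code from the original post or from Trustwave: the regexes are my own translation of the listed subjects, treating {random numbers} and X as runs of digits and {mm/dd/yyyy} as a numeric date, and the mail-log lines and sender addresses are constructed. Because a subject match on its own is noisy (invoices and receipts are normal mail), the triage function only flags messages that also carry a PDF attachment, the combination this campaign used.

```python
import re

# Regexes derived from the subject lines listed above (my own translation, not
# Trustwave's detection rules). {random numbers} and X are modelled as digit runs,
# {mm/dd/yyyy} as a numeric date; the week-1 "File_ {random numbers}" allows a space.
DIGITS = r"\d+"
SUBJECT_PATTERNS = {
    "week1": [
        r"^Scanned image$",
        r"^Receipt to print$",
        rf"^(?:File|Copy|Document|PDF|Scan)_ ?{DIGITS}$",
    ],
    "week2": [
        rf"^Your Invoice # {DIGITS}$",
        rf"^{DIGITS}_Invoice_{DIGITS}$",
        rf"^Emailing: {DIGITS}\.pdf$",
        rf"^Invoice {DIGITS} \d{{2}}/\d{{2}}/\d{{4}}$",
    ],
    "week3": [
        rf"^Invoice\({DIGITS}-{DIGITS}\)$",
        rf"^Copy of Invoice {DIGITS}$",
        rf"^IMG_{DIGITS}\.pdf$",
        rf"^(?:Payment Receipt|Payment|Receipt)[ #_-]{DIGITS}$",
    ],
}
COMPILED = {
    week: [re.compile(p, re.IGNORECASE) for p in pats]
    for week, pats in SUBJECT_PATTERNS.items()
}


def classify_subject(subject):
    """Return the campaign week whose subject template matches, else None."""
    s = subject.strip()
    for week, pats in COMPILED.items():
        if any(p.match(s) for p in pats):
            return week
    return None


def triage(log_lines):
    """Flag constructed mail-log lines ('sender|subject|attachment') whose subject
    matches a campaign template AND which carry a PDF attachment."""
    hits = []
    for line in log_lines:
        sender, subject, attachment = line.split("|", 2)
        week = classify_subject(subject)
        if week and attachment.lower().endswith(".pdf"):
            hits.append({"sender": sender, "subject": subject, "week": week})
    return hits


# Constructed log lines; the addresses are placeholders, not real senders.
SAMPLE_LOG = [
    "billing@sender.invalid|Your Invoice # 773821|773821.pdf",
    "hr@sender.invalid|Lunch on Friday|menu.pdf",
    "scan@sender.invalid|Scan_20449|Scan_20449.pdf",
    "ap@sender.invalid|Payment Receipt_515|receipt.pdf",
    "it@sender.invalid|Invoice(12-3456)|note.txt",  # subject matches, but no PDF
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The week buckets are kept separate so an analyst can see which wave a message resembles; in a gateway rule you would collapse them into one list and pair the match with attachment type, as `triage` does.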

Sample emails:

[Screenshot: sample email from the 1st week]

[Screenshot: sample email from the 2nd week]

[Screenshot: sample email from the 3rd week]

The PDF campaigns have been evolving almost daily. Recent documents carry a larger number of embedded files inside the PDF. These additional files do nothing and are probably just decoys, but the main.docm file, with its malicious macro, still acts as the malware downloader. Below you can see how the Trustwave Secure Email Gateway sees these messages; note the docm file with its vbaProject macro component.

[Screenshots: Trustwave Secure Email Gateway view of the messages; 1st and 2nd Week (left), 3rd Week (right)]
Saving and opening the PDF attachment shows, as below, an exportDataObject Launch instruction that opens the embedded .docm file.

[Screenshot: PDF JavaScript containing the exportDataObject launch instruction]

The PDF file will drop and launch the embedded .docm file.

[Screenshot: the embedded .docm file dropped by the PDF]
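A triage script for the two structural features described above: a PDF whose embedded-file tree and JavaScript exportDataObject call point at a macro-enabled Office document, and a docm container carrying a vbaProject part. This is an added example, not code from the original post or from Trustwave's gateway; the PDF bytes and the OOXML zip are constructed in the script to reproduce only those features, and the regex-based PDF checks assume an uncompressed PDF (a production scanner must inflate FlateDecode streams and object streams first, since real samples hide the dictionaries there).

```python
import io
import re
import zipfile

# Constructed sample, not a real Necurs attachment: a minimal uncompressed PDF
# whose catalog has an /EmbeddedFiles name tree (one Office file plus a decoy)
# and an /OpenAction JavaScript calling exportDataObject with nLaunch set.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >> /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Names [(main.docm) 5 0 R (decoy1.txt) 7 0 R] >> endobj
5 0 obj << /Type /Filespec /F (main.docm) /EF << /F 8 0 R >> >> endobj
6 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: "main.docm", nLaunch: 2});) >> endobj
7 0 obj << /Type /Filespec /F (decoy1.txt) /EF << /F 9 0 R >> >> endobj
8 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
9 0 obj << /Type /EmbeddedFile /Length 5 >> stream
decoy
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OFFICE_MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def inspect_pdf(data):
    """Regex triage of an uncompressed PDF. Assumption: dictionaries are not inside
    compressed streams; inflate those first when scanning real files."""
    names = [n.decode("latin-1") for n in
             re.findall(rb"/Type\s*/Filespec[^>]*?/F\s*\(([^)]*)\)", data)]
    launch = re.search(rb"nLaunch\s*:\s*(\d)", data)  # 0 means "save only, do not open"
    return {
        "embedded_file_count": len(re.findall(rb"/Type\s*/EmbeddedFile(?!s)", data)),
        "embedded_names": names,
        "macro_enabled_embeds": [n for n in names if n.lower().endswith(OFFICE_MACRO_EXTS)],
        "has_javascript": re.search(rb"/S\s*/JavaScript", data) is not None,
        "has_open_action": b"/OpenAction" in data,
        "uses_export_data_object": b"exportDataObject" in data,
        "n_launch": int(launch.group(1)) if launch else None,
    }


def build_sample_docm():
    """Constructed macro-enabled Word container: OOXML zip with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" '
                   'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        # OLE2 magic followed by filler; a real vbaProject.bin is a full compound file
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def inspect_office(data):
    """Check whether an OOXML container carries a VBA project / macro-enabled type."""
    report = {"is_ooxml_zip": False, "has_vba_project": False, "macro_enabled_content_type": False}
    if not data.startswith(b"PK\x03\x04") or not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = z.namelist()
        ctypes = (z.read("[Content_Types].xml").decode("utf-8", "replace")
                  if "[Content_Types].xml" in parts else "")
    report["is_ooxml_zip"] = "[Content_Types].xml" in parts
    report["has_vba_project"] = any(p.lower().endswith("vbaproject.bin") for p in parts)
    report["macro_enabled_content_type"] = "macroenabled" in ctypes.lower()
    return report


def risk_flags(pdf_report, office_report):
    """Human-readable reasons to quarantine, derived from the two reports."""
    flags = []
    if pdf_report["has_open_action"] and pdf_report["has_javascript"]:
        flags.append("JavaScript runs automatically on open")
    if pdf_report["uses_export_data_object"] and (pdf_report["n_launch"] or 0) != 0:
        flags.append("exportDataObject saves and launches an embedded file")
    if pdf_report["macro_enabled_embeds"]:
        flags.append("embedded macro-enabled Office document: " + ", ".join(pdf_report["macro_enabled_embeds"]))
    if pdf_report["embedded_file_count"] > len(pdf_report["macro_enabled_embeds"]):
        flags.append("additional embedded files present (possible decoys)")
    if office_report["has_vba_project"]:
        flags.append("Office payload carries a vbaProject.bin macro part")
    return flags


if __name__ == "__main__":
    for flag in risk_flags(inspect_pdf(SAMPLE_PDF), inspect_office(build_sample_docm())):
        print("-", flag)
```

The decoy count matters for the third-week samples described above: a gateway rule keyed only on "one embedded docm" misses nothing here, but a rule that expects exactly one embedded file would.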

If the macro is enabled, it downloads a malicious file from a URL; that file is the Jaff ransomware. The table below shows how the variants differ from week to week:

Ransom notes were dropped in every folder where files were encrypted, and the image file was also set as the desktop wallpaper once the ransomware finished encrypting the victim's files. Encrypted files receive an appended file extension.

                        1st and 2nd Week             3rd Week
Ransom note (image)     Readme.bmp                   README_TO_DECRYPTl.bmp
Ransom note (HTML)      ReadMe.html                  ReadMe.html
Ransom note (text)      ReadMe.txt                   README_TO_DECRYPTl.txt
Appended extension      {Original FileName}.jaff     {Original FileName}.wlu

[Screenshots of each ransom note variant appeared here]

Even though the appearance differs, both variants direct the victim to the same URL for recovering the encrypted files.

[Screenshot: the decryption site used by both variants]

Earlier versions ask for 2.01 BTC; later versions ask for only 0.31 BTC.

[Screenshots: ransom payment pages showing the demanded amounts]

To conclude, Necurs is a large botnet and, when active, it distributes massive volumes of malicious spam. As observed, it tends to take breaks on weekends, and it currently has an ongoing campaign using malicious PDFs to download Jaff ransomware. These malicious PDFs are continuously evolving by adding more layers of embedded files and obfuscation.

The Trustwave Secure Email Gateway can recognize and block this threat.

MD5 hashes of the malware:

PDF Droppers
d364eb043e01f61822c9d2906a36ad2f902c60d7
8e4f36e0710aee26f125acc69b14cac44467238f
2001971c7ddaa9b2550d1b870f5e377c56f15f70

DOC Downloaders
ee4fef6b870d0baa3a503aa8594dc16920f7b8a3
f66680aac290ad5febd6bc5b40efe16817bd6850
5045d532a951af205d0e0d91805b2bc38ee6aedd

Jaff Ransomware 1
03b17da93cf91f61c9dbb4d25182016cefec0659

Jaff Ransomware 2
551f953db4ba48452a4f7de9f5f7149c98ddf52f
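An added check, not part of the original post: before loading a published indicator list into a blocklist or SIEM lookup, confirm that each digest's length agrees with the algorithm the heading declares, because a 32-hex-character MD5 and a 40-character SHA-1 of the same file never match each other and a mislabelled list silently produces zero hits. The script parses the indicator block above exactly as printed (the values are the page's own) and reports every entry whose length contradicts the label; the parsing rules (a heading ending in a colon names the algorithm, other non-hex lines are categories) are my own assumptions about the layout.

```python
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hex-digit length of the common digest algorithms.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# The indicator block as printed above, copied verbatim (label included).
IOC_TEXT = """MD5 hashes of the malware:

PDF Droppers
d364eb043e01f61822c9d2906a36ad2f902c60d7
8e4f36e0710aee26f125acc69b14cac44467238f
2001971c7ddaa9b2550d1b870f5e377c56f15f70

DOC Downloaders
ee4fef6b870d0baa3a503aa8594dc16920f7b8a3
f66680aac290ad5febd6bc5b40efe16817bd6850
5045d532a951af205d0e0d91805b2bc38ee6aedd

Jaff Ransomware 1
03b17da93cf91f61c9dbb4d25182016cefec0659

Jaff Ransomware 2
551f953db4ba48452a4f7de9f5f7149c98ddf52f
"""


def digest_algorithm(value):
    """Infer the algorithm from a hex digest's length; None if it is not a digest."""
    v = value.strip()
    if not HEX_RE.match(v):
        return None
    return DIGEST_ALGOS.get(len(v))


def parse_ioc_block(text):
    """Split a 'label / category / hashes' block into (label, records).
    Assumed layout: the first non-hex line ending in ':' is the label, other
    non-hex lines are categories. Values are lower-cased and de-duplicated."""
    label, category, records, seen = None, None, [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        algo = digest_algorithm(line)
        if algo:
            if line.lower() not in seen:
                seen.add(line.lower())
                records.append({"category": category, "value": line.lower(), "algo": algo})
        elif label is None and line.endswith(":"):
            label = line
        else:
            category = line
    return label, records


def declared_algorithm(label):
    """Pull the algorithm name out of a heading such as 'MD5 hashes of ...'."""
    text = (label or "").lower().replace("-", "")
    for name in ("sha256", "sha1", "md5"):
        if name in text:
            return name
    return None


def label_mismatches(label, records):
    """Records whose digest length contradicts the algorithm the heading declares."""
    declared = declared_algorithm(label)
    if declared is None:
        return []
    return [r for r in records if r["algo"] != declared]


if __name__ == "__main__":
    label, recs = parse_ioc_block(IOC_TEXT)
    bad = label_mismatches(label, recs)
    print(f"{len(recs)} digests parsed; {len(bad)} do not match the declared algorithm")
    for r in bad:
        print(f"  {r['category']}: {r['value']} has the length of a {r['algo']} digest")
```

Run against the block above, every entry is 40 hex characters, so the script files all eight under the SHA-1 bucket and flags each as inconsistent with the MD5 heading; load them into the SHA-1 field of your matching tool, not the MD5 one.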
