{
	"id": "68e39e06-331b-40b0-81b3-2de6ddac5b24",
	"created_at": "2026-04-06T00:10:36.366302Z",
	"updated_at": "2026-04-10T03:28:35.445979Z",
	"deleted_at": null,
	"sha1_hash": "b2114d458aeceed7ec174bf4c6dfa9c6879e0aa3",
	"title": "November’s Most Wanted Malware: Return of Necurs Botnet Brings New Ransomware Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50572,
	"plain_text": "November’s Most Wanted Malware: Return of Necurs Botnet\r\nBrings New Ransomware Threat\r\nBy bferrite\r\nPublished: 2017-12-11 · Archived: 2026-04-05 14:04:20 UTC\r\nDuring the month of November, the Necurs botnet returned to Check Point’s Global Threat Index’s top ten\r\nmost prevalent malware.\r\nCheck Point researchers found that hackers were using Necurs, considered to be the largest spam botnet in the\r\nworld, to distribute the relatively new Scarab ransomware that was first seen in June 2017. The Necurs botnet\r\nstarted mass distribution of Scarab during the U.S. Thanksgiving holiday, sending over 12 million emails in a\r\nsingle morning. Necurs has previously been used to distribute some of the most insidious malware variants to hit\r\nbusiness networks in the past 12 months, including the Locky and Globeimposter families.\r\nThe re-emergence of the Necurs botnet highlights how malware that may seem to be fading away doesn’t always\r\ndisappear or become any less of a threat. Despite Necurs being well known to the security community, hackers\r\nare still enjoying lots of success distributing malware with this highly effective infection vehicle. This reinforces\r\nthe need for advanced threat prevention technologies and a multi-layered cybersecurity strategy that protects\r\nagainst both previously encountered, established malware families as well as brand new, zero-day threats.\r\nAs in October, RoughTed, a large-scale malvertising campaign, remained the most prevalent threat, ahead of the\r\nRig ek exploit kit in second, and Conficker, a worm that allows remote download of malware, in third.\r\nTop 10 ‘Most Wanted’ Malware:\r\n*Arrows relate to the change in rank compared to the previous month.\r\n1. ↔ RoughTed – a purveyor of ad-blocker aware malvertising responsible for a range of scams, exploits,\r\nand malware. 
It can be used to attack any type of platform and operating system, and utilizes ad-blocker\r\nbypassing and fingerprinting in order to make sure it delivers the most relevant attack.\r\n2. ↑ Rig ek – Exploit Kit first introduced in 2014. Rig delivers Exploits for Flash, Java, Silverlight and\r\nInternet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript\r\nthat checks for vulnerable plug-ins and delivers the exploit.\r\n3. ↑ Conficker – Worm that allows remote operations and malware download. The infected machine is\r\ncontrolled by a botnet, which contacts its Command \u0026 Control server to receive instructions.\r\n4. ↑ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal\r\ndata.\r\n5. ↑ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable\r\nof executing any code on the victim machines, resulting in a wide range of actions from stealing credentials\r\nto dropping additional malware.\r\n6. ↑ Pushdo – Trojan used to infect a system and then download the Cutwail spam module and can also be\r\nused to install additional third party malware.\r\n7. ↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system\r\nsettings and download additional malware. It is usually spread via spam emails with the recipient address\r\nencoded in the binary, thus making each file unique.\r\n8. ↑ Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.\r\n9. ↓ Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to\r\nsteal banking information.\r\n10. 
↓ Locky – Ransomware that started its distribution in February 2016, and spreads mainly via spam emails\r\ncontaining a downloader disguised as a Word or Zip attachment, which then downloads and installs the\r\nmalware that encrypts the user files.\r\nThe most popular malware used to attack organizations’ mobile estates remained unchanged from October, as\r\nTriada, a modular backdoor for Android, continued to increase in prevalence.\r\nTop 3 ‘Most Wanted’ mobile malware:\r\n1. Triada – Modular Backdoor for Android that grants super-user privileges to downloaded malware and\r\nhelps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the\r\nbrowser.\r\n2. Lokibot – Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the\r\nphone in case its admin privileges are removed.\r\n3. LeakerLocker – Android ransomware that reads personal user data, and then presents it to the user and\r\nthreatens to leak it online if ransom payments aren’t met.\r\nCheck Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud\r\nintelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends\r\nfrom a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for\r\nbot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies\r\nmillions of malware types daily.\r\nCheck Point’s Threat Prevention Resources are available at:\r\nhttp://www.checkpoint.com/threat-prevention-resources/index.html\r\nSource: https://blog.checkpoint.com/2017/12/11/novembers-wanted-malware-return-necurs-botnet-brings-new-ransomware-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.checkpoint.com/2017/12/11/novembers-wanted-malware-return-necurs-botnet-brings-new-ransomware-threat/"
	],
	"report_names": [
		"novembers-wanted-malware-return-necurs-botnet-brings-new-ransomware-threat"
	],
	"threat_actors": [
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775791715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2114d458aeceed7ec174bf4c6dfa9c6879e0aa3.pdf",
		"text": "https://archive.orkl.eu/b2114d458aeceed7ec174bf4c6dfa9c6879e0aa3.txt",
		"img": "https://archive.orkl.eu/b2114d458aeceed7ec174bf4c6dfa9c6879e0aa3.jpg"
	}
}