The Necurs botnet, a large and well-known spam originator, has become synonymous with cybercrime. Its spam-sending capabilities, through a botnet of a few million infected devices, are frequently dedicated to vast campaigns that deliver banking malware, cryptojacking malware, ransomware and a variety of email scams sent to millions of recipients in each run.

IBM X-Force monitors Necurs activity and recently discovered yet another face of this malspam volcano. This time, Necurs is spewing geotargeted emails designed to threaten and extort payment from those who may have been watching adult movies or possibly having an extramarital affair.

Of course, this spam campaign is yet another a wide-cast net from Necurs, and the attackers have no idea whether the person they reached actually does any of these activities, but the odds appear to pay off anyway. Like other phishing and social engineering scams, it is often a numbers game.

Over 30,000 IPs Spewing an Extortion Scam

In Necurs spam campaigns that started around mid-September, X-Force detected millions of emails sent to recipients in different countries, essentially from the same set of malicious IPs and with similar content.

The emails came from over 30,000 different IP addresses, 70 percent of which were dynamic IPs. The attackers demanded that victims pay in bitcoin to one of more than 500 unique wallets. The campaign came in typical spikes of activity that was more marked midweek and then over the weekend.

Figure 1: Necurs botnet extortion spam — spikes recorded in September 2018 (Source: IBM X-Force)

All of Necurs’ cybercrime campaigns are linked with well-known cybercrime gangs, such as the operators of the Dridex malware, TrickBot, Locki and Monero miners, to name a few. But in this case, scammers don’t have much more than a creative email they send around and wait for the cash to come in. All they’re using here is social engineering.

Email content examined by X-Force researchers revealed a number of repeating formats in which the sender falsely claimed to have malware-based control of the recipient’s email accounts and computer. The attackers went on to allege that they had infected adult sites with tracking malware and filmed the victim through his or her webcam while watching content on a supposedly compromised site.

To keep the matter secret, the senders demanded that money be sent to them in bitcoin, asking for an amount between $250 to $550. If they were not paid, the attackers threatened to distribute the supposed video recording to the victim’s contact list, family, co-workers and friends.

In another version of the scam, the attackers claim they have knowledge about an extramarital affair the recipient is engaged in and threaten to send supposed proof of the affair to the victim’s spouse, family, friends and co-workers.

In all cases, the sender has no control of the recipient’s device or webcam, and the entire ploy is a sham. But to make the recipient believe otherwise, the spammers added a twist: the value of the “From” header field is equal to the “To” header field, which would seem to confirm that the blackmailer has access to the victim’s accounts/computer. Also, the “SMTP-From” and “SMTP-To” values are equal to the “From” value.

Uncover the Value of Digital Fraud Protection

How Necurs Tailors Its Spam to Recipients’ Local Language

This time, unlike previous campaigns, Necurs is spreading spam in different languages. To deliver the message in the correct language, emails are sent according to the recipient’s webmail top-level domain (TLD). So if the domain is .co.uk, for example, the email will be sent in English, and if the domain in .fr, it will be sent in French.

While the campaign included versions of this scam in seven different languages, the overwhelming majority of emails were sent in German and ended up in X-Force spam honeypots when recipient email addresses had a .de or .ch TLD.

Languages touched by this campaign so far include:

  • Arabic;
  • English;
  • French;
  • German;
  • Italian;
  • Japanese; and
  • Korean.

Our researchers were somewhat surprised to see Arabic, Japanese and Korean on the list, since those languages are harder to machine-translate and are rarely targeted by international crooks.

The French email was written by someone who is likely a French speaker, and not translated online like the English version, for example. It could be indicative of some of those involved originating in Europe and possibly collaborating with counterparts in other parts of the world.

Victims Pay Up in Bits

It is unusual to be able to judge the success of a spam campaign from the outside. Security researchers rarely have access to metrics of how many people opened a malicious email, how many went to the phishing site or how many ended up paying the criminals. In this case, however, there is a way to get a general idea because the attackers used bitcoin wallet addresses.

In all, X-Force saw 500 bitcoin addresses used in this campaign; however, most emails indicated the same few wallets while others were rarely used. It was therefore possible to look up the miscreants’ financial profits via services such as BitRef that enable researchers to check bitcoin wallet balances. While we did not check every wallet, we did want to see if the attackers were getting any money.

We spot-checked the top 20 bitcoin addresses used in the campaign. As an example, one of the addresses that appeared in over 3 million email messages sent to German recipients amassed 0.52 BTC, which was equal to about $3,300 as of September 20, 2018. That wallet never got any more money and stopped receiving coins on September 19. The situation was similar for the other frequently used wallets in the campaign:

Wallet Address BTC Received Value in USD*
16yJ7MQWTFNjsSvAJJMkjPpnJbAsGLYhW7 0.52 $ 3,396.64
14dEvzyftZjrTjXaX5XXHo65C1rdsqCw1s 0.2 $ 1,306.40
1MZHWpgmUyjmExofPDCmYuVz9kmnTpu6m 0.6798768 $ 4,440.96
1KxCvtggcPd7c9UtUxYkJW2AwCQMknJkth 0.39944001 $ 2,609.14
16acVRG2RdMDSmdVuve1N1bYBFu8Rr3iii 0.51897787 $ 3,389.96
18firbfmx4KoNeM4cBhcDdXgp2Aiduo43G 0.9347217 $ 6,105.60
1CSsVgPgwTNLGgQCHRBPa7ZNH7oxK9cf2k 0.47608621 $ 3,109.80
1CXup5BRrEFuBHDeQcduCvfu3P48rXHrck 0.7268406 $ 4,747.72
1LXxZyP7CKybaXA6jELu5YJ6UQzbdZz8RP 1.02088739 $ 6,668.44
1MuQXHNBcAbYyMvMsvHfnXdymeuoLAK14Z 0.37842439 $ 2,471.87
398Qz1Autx6HJbJwvejXVhw4mXAmBW2KsW 0.15042 $ 982.54
19fbsopNBC77qYTVaX6iqg3cWZAHhxD8WC 0.33308602 $ 2,175.72
16QR5HMNvxoAT8tCFM3VxLnawYSkWujUwH 0.11703859 $ 764.50
1NpazNoJJPwVRP1ipwcqXspinJtouHfAe1 0.37208738 $ 2,430.47
12gUsSh9BU4m9ioAykSHXXZRTdEDT6tkca 0.08542991 $ 558.03
1HGenT4A43kd3rpYCTEzpWpJdxhRB2T1qN 0.15504966 $ 1,012.78
1GzLBHTSuDP5L7aCYPRFJwtqrXNdUbsFpf 0.02972966 $ 194.19
1JsMFmiAUowGhUWGfmnyfvqsWC7CLEmDWS 0.0198436 $ 129.62
1B9LFUAYAuwSrvBwCLrRQjR1iw53oG4S39 0.02250995 $ 147.03
12RZQCLuA3dFM1e5omdBAJ2Rr8LmF9acS7 0.10786085 $ 704.55
19rq65nR7FqvEgeq3r8YmHGupsUvnD3pmD 0.44241526 $ 2,889.86
19GqTJDhu7A1qg7rnK3KS7tmCkCTMTz6xD 0 $ –
19u9GzkHDJneny3GybvLW2ZKYx3tT98w24 0 $ –
Scroll to view full table

*BTC to USD exchange rate on October 4, 2018.

The amount of bitcoin contained in only the 20 main wallets totals about $50,000. Some wallets are still actively receiving coins. Most wallets show some withdrawals of the coins, bringing them to zero, which means the attackers have been removing the coins to another wallet or cashing them out.

Phishing Is Phishing — Don’t Take the Bait

October is National Cyber Security Awareness Month (NCSAM) in the U.S., making it a great opportunity to remind employees, family and friends to polish up on some information security basics, especially those related to email.

Put simply, you should always avoid opening unsolicited email. This can minimize the opportunity to fall for a social engineering scam. These communications are carefully crafted to lure people to take action, especially if they trigger an emotional reaction such as fear, urgency or, in this case, embarrassment.

You should also enable email filtering on your accounts to prevent most spam from getting through. Keep your devices clear of malware, run an up-to-date antivirus program and, if ever in doubt, have them examined by a professional.

If possible, use a separate device for online banking and other activities that involve the transfer of sensitive information. In general, adult content websites are known for high traffic and therefore are often a target for cybercriminals, which helped lend this scam some added credibility.

Visit the X-Force Exchange to learn more about this campaign. For tips to keep yourself safe from online scams and malware, check out the FBI’s Internet Crime Complaint Center (IC3) and StaySafeOnline.

Uncover the Value of Digital Fraud Protection

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

How to Report Scam Calls and Phishing Attacks

With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…