Endpoint Protection

 View Only

Necurs: Mass mailing botnet returns with new wave of spam campaigns 

Mar 28, 2017 10:40 AM

After a near three-month period of inactivity, the Necurs botnet sprang back to life last week and resumed the mass mailing spam campaigns for which it has become notorious. Necurs (Backdoor.Necurs) was one of the biggest distributors of malware during 2016, running massive spam campaigns spreading the Locky ransomware (Ransom.Locky). It mysteriously ceased operations on December 24, 2016 and its absence had an immediate considerable impact on the levels of malware infected spam.

During December 2016, the last month Necurs was active, one in 98 emails blocked by Symantec contained malware. In January 2017, that rate dropped to one in 772, while in February it was one in 635 emails blocked.


Figure 1. The email malware rate (one in) seen by Symantec dropped significantly after Necurs went offline in late December

Unexplained absence

Necurs suddenly ceased operating in late December 2016. Its last spam run started on December 22 and ended on December 24. Initially Symantec believed that the group behind Necurs was taking a break for the Christmas holidays, something cybercrime groups have been known to do. However, activity failed to resume once the holiday period was over. With no news of any arrests or infrastructure takedowns, the reason for its absence was unexplained.

There were a number media reports in January suggesting that Necurs had resumed spam campaigns distributing Locky, albeit on a much smaller scale than before. During this time, Symantec did not observe any Necurs spam campaigns. Symantec believes that the reported Locky spam campaigns were conducted by another spamming group.

Prior to Necurs’ reappearance, Symantec found some evidence of a resumption of activity. From mid-February onwards, the group had begun putting new command and control servers online.

Necurs’ spamming operations resumed on March 20, with Symantec blocking almost two million malicious emails on the first day alone. Since then, Symantec has been regularly blocking in excess of 100,000 emails per hour during the hours its spam campaigns are running.


The number of emails blocked by Symantec is just a proportion of the total volume of spam being sent by Necurs, indicating the sheer size of its operations and its ability to cause disruption to organizations hit by its spam campaigns.

Figure 2. Necurs spam volumes logged by Symantec since its return on March 20, 2017

Pump and dump: Different style of campaign

Prior to its disappearance, Necurs had been chiefly known for spam campaigns delivering malware, usually via JavaScript and Office macro downloaders which were hidden in attachments. Just before the botnet went quiet in late December, it began spamming “pump and dump” stock scams and, since its reappearance, Necurs has eschewed malware campaigns and has instead focused on these pump and dump campaigns.

There have been several different emails sent, but all follow a similar format, purporting to come from someone offering stock tips. Several of the emails pretend that the recipient had previously signed up to an investment newsletter. All of the emails are pushing the stock of one single company. The sender claims to have inside information that the company is about to be sold for a price per share more than ten times in excess of what it is currently trading for. Some of the subject lines used include:

  • This public company is being bought out. Read now to profit from it
  • Read Now: Why this company’s shares are guaranteed to soar next week
  • I've got strong reasons to believe that this stock is about to soar
  • Allow me to share something profitable with you today

The emails appear part of a classic pump and dump stock scam, where fraudsters acquire large amounts of low-priced stock in small companies and then spread rumors intended to drive the stock price up, such as claiming the company is about to be acquired or is about to launch a major new product. Once the stock price rises, the scammers sell their stock, prompting an immediate price drop and leaving victims with little prospect of recouping their outlay.

Unwelcome return

The fact that Necurs was able to resume massive spam campaigns on its return indicates that, whatever the reason for its absence, it appears to have lost none of its capabilities. Whether the botnet resumes spreading malware remains to be seen. However, the sheer size of its operations means that it will pose a threat regardless of what it is distributing.


Symantec and Norton products protect against the malware used to add computers to the network with the following detections:


Intrusion Prevention System

0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.