After a nearly three-month period of inactivity, the Necurs botnet sprang back to life last week and resumed the mass-mailing spam campaigns for which it has become notorious. Necurs (Backdoor.Necurs) was one of the biggest distributors of malware during 2016, running massive spam campaigns spreading the Locky ransomware (Ransom.Locky). It mysteriously ceased operations on December 24, 2016, and its absence had an immediate and considerable impact on the levels of malware-infected spam.
During December 2016, the last month Necurs was active, one in 98 emails blocked by Symantec contained malware. In January 2017, that rate dropped to one in 772, while in February it was one in 635 emails blocked.
Necurs suddenly ceased operating in late December 2016. Its last spam run started on December 22 and ended on December 24. Initially Symantec believed that the group behind Necurs was taking a break for the Christmas holidays, something cybercrime groups have been known to do. However, activity failed to resume once the holiday period was over. With no news of any arrests or infrastructure takedowns, the reason for its absence was unexplained.
There were a number of media reports in January suggesting that Necurs had resumed spam campaigns distributing Locky, albeit on a much smaller scale than before. During this time, Symantec did not observe any Necurs spam campaigns. Symantec believes that the reported Locky spam campaigns were conducted by another spamming group.
Prior to Necurs’ reappearance, Symantec found some evidence of a resumption of activity. From mid-February onwards, the group had begun putting new command and control servers online.
Necurs’ spamming operations resumed on March 20, with Symantec blocking almost two million malicious emails on the first day alone. Since then, Symantec has been regularly blocking in excess of 100,000 emails per hour during the hours its spam campaigns are running.
The number of emails blocked by Symantec is only a proportion of the total volume of spam being sent by Necurs, which gives an indication of the sheer size of its operations and of its ability to disrupt organizations hit by its spam campaigns.
Pump and dump: Different style of campaign
There have been several different emails sent, but all follow a similar format, purporting to come from someone offering stock tips. Several of the emails pretend that the recipient had previously signed up to an investment newsletter. All of the emails push the stock of one single company. The sender claims to have inside information that the company is about to be sold at a price per share more than ten times its current trading price. Some of the subject lines used include:
- This public company is being bought out. Read now to profit from it
- Read Now: Why this company’s shares are guaranteed to soar next week
- I've got strong reasons to believe that this stock is about to soar
- Allow me to share something profitable with you today
The emails appear part of a classic pump and dump stock scam, where fraudsters acquire large amounts of low-priced stock in small companies and then spread rumors intended to drive the stock price up, such as claiming the company is about to be acquired or is about to launch a major new product. Once the stock price rises, the scammers sell their stock, prompting an immediate price drop and leaving victims with little prospect of recouping their outlay.
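The traits described above (one ticker pushed per message, a buyout rumor, a promised price surge, a "you subscribed to our newsletter" pretext) are the kind of thing a mail filter can score. The Python below is an added example and not Symantec's detection logic; the indicator weights, the threshold, the assumption that tickers appear as "$ABCD" or "OTC: ABCD", and both sample messages are constructed for illustration.

```python
"""Heuristic scoring of inbound mail for pump-and-dump stock spam.

Added example, not Symantec code. Indicator patterns paraphrase the
campaign traits described in the post; weights and threshold are
assumptions for this example and would be tuned against real mail flow.
"""
import re
from email import message_from_string

# Weighted indicators (pattern, weight). Weights are assumptions.
INDICATORS = {
    "buyout_rumor": (re.compile(
        r"\b(?:bought out|buy-?out|being (?:acquired|sold)|acquisition)\b", re.I), 2),
    "guaranteed_gain": (re.compile(
        r"\b(?:guaranteed to|about to|will) (?:soar|skyrocket|double)\b", re.I), 2),
    "inside_info": (re.compile(
        r"\b(?:inside information|insider info|strong reasons? to believe)\b", re.I), 1),
    "newsletter_pretext": (re.compile(
        r"\b(?:you (?:signed up|subscribed)|as a subscriber)\b", re.I), 1),
    # "ten times the current share price" style claims
    "price_multiple": (re.compile(
        r"\b(?:\d+|ten|five|twenty)\s*(?:x|times)\b.*?\b(?:price|share|value)", re.I | re.S), 1),
}

# Assumed ticker formats used by stock spam: "$ABCD" or "OTC: ABCD".
TICKER_RE = re.compile(r"(?:\$|\b(?:OTC|OTCBB|NASDAQ|NYSE)[:\s]+)([A-Z]{3,5})\b")

THRESHOLD = 4  # assumed cut-off


def _text_of(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def score_message(raw):
    """Return score, matched indicators and tickers for one raw RFC 822 message."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + _text_of(msg)
    hits = [name for name, (pat, _) in INDICATORS.items() if pat.search(text)]
    score = sum(INDICATORS[name][1] for name in hits)
    tickers = sorted(set(TICKER_RE.findall(text)))
    # A single ticker pushed hard is the pump-and-dump signature; a market
    # newsletter discussing several stocks does not get this bonus.
    if len(tickers) == 1:
        score += 2
    return {"score": score, "indicators": hits, "tickers": tickers}


def is_pump_and_dump(raw, threshold=THRESHOLD):
    return score_message(raw)["score"] >= threshold


# Constructed sample messages (not real campaign mail).
SPAM = """\
From: tips@example.invalid
Subject: This public company is being bought out. Read now to profit from it
Content-Type: text/plain; charset=utf-8

You signed up for our investment newsletter last year, so here is the
one you have been waiting for. I have inside information that $EXMPL is
being acquired next week at more than ten times the current share price.
Its shares are guaranteed to soar. Buy before the announcement.
"""

HAM = """\
From: research@example.invalid
Subject: Weekly market wrap: energy and retail
Content-Type: text/plain; charset=utf-8

Energy names were mixed this week: $AAAA gained 2% while $BBBB slipped.
Retail remains under pressure. Full report attached for subscribers.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM)):
        print(label, score_message(raw), is_pump_and_dump(raw))
```

The single-ticker bonus is what separates this from a generic "stock talk" filter: legitimate research mail usually discusses several symbols, while a pump only ever names the one the operators are holding.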
The fact that Necurs was able to resume massive spam campaigns on its return indicates that, whatever the reason for its absence, it appears to have lost none of its capabilities. Whether the botnet resumes spreading malware remains to be seen. However, the sheer size of its operations means that it will pose a threat regardless of what it is distributing.
Symantec and Norton products protect against the malware used to add computers to the network with the following detections:
Intrusion Prevention System