Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Cracks Infrastructure of Infamous Necurs Botnet

Necurs Botnet Takedown

Necurs Botnet Takedown

Microsoft says it managed to disrupt the Necurs botnet by taking control of the U.S.-based infrastructure that it has been using to conduct its malicious activities. 

Necurs is a peer-to-peer (P2P) hybrid botnet that uses a Domain Generation Algorithm (DGA) to ensure bots could always connect to a command and control (C&C) server. The botnet has been around since at least 2012 and has grown to become one of the most prolific botnets in existence. 

Believed to be operated by Russian cybercriminals, Necurs has been used for a broad range of malicious activity, including pump-and-dump stock scams, spam emails credential and personal information theft, and the distribution of malware families such as GameOver Zeus, Dridex, Locky, Trickbot and others.

Additionally, the botnet operators are believed to be selling access to infected systems to other cybercriminals as part of a botnet-for-hire service. Necurs also has distributed denial of service (DDoS) capabilities, but it hasn’t been used for this type of attack as of now. 

During the first seven days of March 2020, there were over 660,000 Necurs infections observed worldwide (based on the number of IPs reaching sinkholes), with India, Indonesia, and Turkey being affected the most, according to BitSight

The security firm also says it has identified eleven Necurs botnets, with four of them accounting for most of the activity. The botnets have been largely inactive since March 2019 (and apparently replaced by Emotet), but left over 2 million infected systems in a dormant state. 

Necurs’ P2P architecture allows it to resist takedown attempts, but Microsoft now says that it managed to crack down on the botnet’s DGA algorithm and take over the domains used for C&C after the U.S. District Court for the Eastern District of New York allowed it with an order issued on March 5. 

Working with public and private entities worldwide, the tech giant was able to take control over the botnet’s U.S.-based infrastructure to ensure that Necurs’ operators can’t register new domains to launch additional attacks. 

According to Microsoft, after figuring out how the botnet was generating new domains, it managed to accurately predict over six million unique domains created over the course of 25 months, and then reported these domains to registries worldwide to block them. 

“This disruption is the result of eight years of tracking and planning and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks,” Tom Burt, Corporate Vice President, Microsoft, says. 

Additionally, the company is working with Internet Service Providers (ISPs) and other organizations worldwide, including partners in industry, government and law enforcement, to clean computers of malware associated with Necurs. 

“For this disruption, we are working with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others. Each of us has a critical role to play in protecting customers and keeping the internet safe,” Burt concluded. 

Related: Authorities Takedown GozNym Group That Stole an Estimated $100 Million

Related: Andromeda Botnet to Die Slow, Painful Death

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.