SecurityWeek

Necurs Botnet to Erupt This Month?

The Necurs Botnet Has a Modular Architecture, Which Allows it to Remain Agile and Switch the Distribution Type

Based on historical patterns and recent activity, including what I consider three small-volume test attacks in the past month, it’s looking extremely likely that another major Necurs malware outbreak is looming just around the corner. 

I feel a bit like a volcanologist reading charts of “seismic anomalies” during the opening minutes of one of those Hollywood disaster films, but Necurs passed through a period of relative inactivity at the beginning of both 2016 and 2017, and once again here in 2018. But it’s not just that – most recently on March 26th Necurs sent a test email in Asia, on the heels of two others, presumably a prelude to new campaigns.

To recap for the less initiated, Necurs is the largest spam botnet in operation. It has been active since 2012, has an estimated 6 million bots at its disposal and, when active, accounts for roughly 90% of global malware distribution by email. Necurs has been known to deliver a variety of malicious payloads, from pump-and-dump stock scams to Locky ransomware to the Dridex banking Trojan.

Botnet warm-up exercises

If you look at Necurs over the last two years, a clear pattern leaps out in the ebb and flow of its activity. There is a quiet period at the beginning of the year, followed by escalating activity from the (Northern Hemisphere's) spring. Activity then builds to a peak in late summer or early fall, followed by months of little or no activity, aside from periodic small-scale distributions (every rule has its exception).

For example, in 2016, our data shows Necurs was active from February to November, building up over the year to its peak activity day on November 21, 2016, with a Locky distribution of roughly 100 million emails. In 2017 (see chart below), Necurs was quiet from January through March, with activity really starting up in April and running until November, culminating in a peak day on August 28th, when roughly 60 million ransomware files were distributed.

[Chart: Necurs botnet email activity during 2017 – quiet until April, peak day in August]

Condemned to repeat history 


The late-March spam distribution I mentioned above carried URLs pointing to malware downloaders. It was sent to roughly 20,000 recipients in Asia – a tiny number by Necurs standards. So small, in fact, as to compel the conclusion that it must be part of a test regimen, especially when seen in the context of two other small distributions within the past month.

Malware developers can be quite sophisticated and run their own "QA" processes and test phases for new "products." Like any operation, there is a period of visible activity and a period for gestation of new ideas, development and testing. So I'm positing that the Necurs gang is in its annual low-level "testing phase" and is likely to kick into high gear again, possibly as soon as this month. While there was a notable Necurs-driven "lonely hearts" spam distribution over two weeks in February, it doesn't undermine my conclusion that 2018 could be shaping up like 2017, and like 2016 before it.

Why Necurs continues year in, year out

Why is it so hard to kill Necurs? Among a variety of reasons, Necurs has a modular architecture, which lets it remain agile and change things up when the botnet operator wants to switch the distribution type or partner with other malware distributors. Necurs also ships a kernel-mode rootkit component that has been reported to disable firewalls and security software on infected hosts. Finally, Necurs uses domain generation algorithms (DGAs) to rotate the rendezvous points between its bots and the C&C servers: bot and operator derive the same list of candidate domains from a shared seed and the current date, so taking down or blocking today's domains does not sever control tomorrow.
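To make the DGA mechanism concrete, here is an added example (not Necurs code, and not the Necurs algorithm) of a hypothetical date-seeded DGA together with the defender-side counterpart: once the algorithm and seed have been recovered from a bot sample, the coming days' domains can be pre-computed, registered or sinkholed, and matched against DNS logs. The seed value, the TLD list, the example date and the DNS log lines are all constructed for illustration.

```python
"""Illustrative date-seeded DGA and the defender's pre-computation.

Hypothetical example: the generation scheme below is NOT the Necurs DGA.
It only demonstrates the mechanism: bots and C&C derive the same set of
rendezvous domains from a shared seed plus the current date, so blocking
yesterday's domains does not cut the botnet off, but a recovered seed
lets defenders block or sinkhole tomorrow's domains in advance.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz", "info")   # constructed TLD pool
SEED = 0x4E43                           # hypothetical seed baked into the bot


def dga_domains(day: date, seed: int = SEED, count: int = 8) -> list[str]:
    """Derive `count` candidate C&C domains for a given day.

    Both sides compute SHA-256 over seed, ISO date and an index; the first
    12 hex characters become the label and two more select the TLD.
    """
    domains = []
    for i in range(count):
        material = f"{seed}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:12]
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start: date, days_ahead: int = 3, seed: int = SEED) -> set[str]:
    """Defender side: enumerate every domain the bots will try over the
    next `days_ahead` days so they can be blocked or sinkholed up front."""
    block: set[str] = set()
    for d in range(days_ahead):
        block.update(dga_domains(start + timedelta(days=d), seed))
    return block


def flag_dga_queries(dns_log: list[tuple[str, str, str]], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, qname) for each DNS query hitting a pre-computed domain.

    Queried names are normalised (lower-case, trailing dot stripped) before lookup.
    """
    hits = []
    for _ts, client, qname in dns_log:
        if qname.lower().rstrip(".") in blocklist:
            hits.append((client, qname))
    return hits


# Constructed sample: one benign query per host plus two DGA look-ups,
# one for "today" and one for the following day.
TODAY = date(2018, 3, 29)
SAMPLE_DNS_LOG = [
    ("2018-03-29T08:00:01", "10.0.0.15", "www.example.com"),
    ("2018-03-29T08:00:02", "10.0.0.15", dga_domains(TODAY)[2] + "."),
    ("2018-03-29T08:00:05", "10.0.0.23", "mail.example.org"),
    ("2018-03-29T08:00:07", "10.0.0.42", dga_domains(TODAY + timedelta(days=1))[5].upper()),
]


def detect_example() -> list[tuple[str, str]]:
    """Run the sample log against a three-day pre-computed blocklist."""
    return flag_dga_queries(SAMPLE_DNS_LOG, precompute_blocklist(TODAY, days_ahead=3))


if __name__ == "__main__":
    for client, qname in detect_example():
        print(f"DGA rendezvous lookup from {client}: {qname}")
```

The pre-computation step is only possible once the algorithm and seed have been recovered by reverse-engineering a bot sample; without them, defenders are left reacting to domains after the bots have already resolved them, which is exactly the asymmetry that makes DGA-based botnets hard to kill.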

But the principal reason we (speaking of the security industry) remain on the defensive and don't take the fight to Necurs is the obvious difficulty of forming the far-reaching, multi-level coordination required to take down such a sophisticated, decentralized and global operation – cooperation between security vendors, ISPs, hosting companies, registrars, IoT manufacturers, law enforcement, policymakers and anyone else involved in providing or regulating the pipes through which malware flows, to name only a few. ISPs are well placed to mitigate botnet traffic, and some of them do (mostly through bot detection and notification to customers). However, because of a lack of policy and laws addressing the issue, it is far from standard practice.
