Pierluigi Paganini September 29, 2016

Necurs botnet, the monster is resurrected. Banking Trojans and Ransomware propagated via spam is bring backing the high-volume spam campaign

Botnets are like monsters that surface back after some period of inactivity, this time, the monster it the dreaded Necurs botnet. The Necurs Botnet is one of the world’s largest malicious architectures, used to spread the dreaded threats, that vanished since June 1.

The Necurs Botnet was used by crooks to deliver the Dridex banking malware and the dreaded Locky ransomware, but now many security experts wondered about its end.

“We can only tell that the Dridex and Locky spam campaigns stopped since June 1 in our observation. We cannot confirm how the botnet was brought down yet,” Joonho Sa, a researcher for FireEye confirmed to Motherboard.

When it was first spotted earlier 2015, the experts classified the malicious infrastructure used to spread the threat as high-complex and efficient, “a masterpiece of criminality.”

On October 2015, an international joint effort of law enforcement agencies, including the FBI and the NCA, destroyed the botnet, but it resurrected after and was used to mainly spread the Locky ransomware. Experts called it Necurs and confirmed it was the world’s largest botnet.Ba

Back to the present, it’s like watching a sequel to a monster movie where the monster actually resurrected. Normally a sequel is made for profit and sometimes in the case of botnets as well these monsters are brought back to life for sequels as well.

Consider the recent increase in Spam volumes. The average of 200K IP addresses was listed under SpamCop Block list till before 2016. Just this year the list has doubled to 400K IP addresses even spiking to 450K. Yes, we might be seeing a sequel to an old monster flick.

Using obsolete tactic of high-volume spam which is currently well blocked by updated spam filters. Now the tactic of a huge amount of spam in a short interval of time has been replaced by stealthier tactics, but the operators behind the Necurs botnet have changed their attack variation from persistence to speed. To shed better light on the situation lets consider the spam filters as automatic jail doors and spams as convicts trying to escape. The idea is to use the small delay in the jail doors closing to put through as many convicts as possible . In this case, the convicts which make it through are emails which can land malware payloads to the targets.

Experts from the Cisco Talos Labs published an interesting analysis on the “Rising Tides of Spam” that is affordable to the operators of malicious infrastructures, like the Necurs botnet.

“This year, 2016, has seen overall spam volumes creep back up to a level that we have not seen for a very long time. I present to you “Exhibit A”: The ten year volume graph from the Composite Block List (CBL). According to CBL, the last time spam volumes were this high was back in mid-2010.” states the blog post published by the Talos team.

It’s more like the short term campaigns are giving better turnover to the attackers.

The Lurk takedown has contributed to some extra prey to the attackers behind the Necurs botnet and has been a win-win for them ever since. Since the campaign has been profitable to the malicious attacker, researchers caution that the attack model maybe would be copied by other botnet operators.

“Email threats, like any other, constantly evolve. As we grow our techniques to detect and block threats, attackers are simultaneously working towards evading detection technology. Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack” explained the Talos Team.

Hence monster movie reboots and sequels are in the forecast. The question is are you buying tickets or preparing your spam protection mechanism.