• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 

A sophisticated cyberattack hit the International Criminal Court

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Necurs Botnet adopts a new strategy to evade detection

Necurs Botnet adopts a new strategy to evade detection

Pierluigi Paganini March 04, 2019

The Necurs Botnet continues to evolve, a new strategy aims at hiding in the shadows, and leverages new payloads to recruits new bots.

Necurs botnet is currently the second largest spam botnet, it has been active since at least 2012 and was involved in massive campaigns spreading malware such as the Locky ransomware, the Scarab ransomware, and the Dridex banking Trojan.
According to the experts, the Necurs botnet is currently composed of roughly 570,000 bots distributed globally, most of them in India, Indonesia, Vietnam, Turkey, and Iran. It has been estimated that there are about 90,000 “orphaned” Necurs bots in the wild.

Necurs botnet

The Necurs botnet was not active for a long period at the beginning of 2017 and resumed its activity in April 2017 when it was observed using a new technique to avoid detection.

Now Necurs has been spotted using a new evasion technique and that is allowing its operators to recruit more bots to the botnet.

According to the experts from Black Lotus Labs, a division of the telecom and ISP provider CenturyLink, Necurs operators regularly shutting down segments of their command-and-control (C2) infrastructure. Since May the C2 was active for roughly three weeks before going down for two weeks and then going up again.

“From the network perspective, Black Lotus Labs continue to see cycles of botnet inactivity shown by C2 infrastructure going offline and coming back online.” reads a blog post published by the firm.

“At times, they’ve been known to be inactive for weeks. Most recently, the C2s have gone offline for most of the last four months, coming online for short periods of time about once a week.”

The presence of tens of thousands of orphaned bots is worrisome, in any moment some of them could be recruited in the botnet with the necessary actions.

“Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities,” explained Mike Benjamin, head of Black Lotus Labs. “What’s particularly interesting is Necurs’ regular cadence of going dark to avoid detection, reemerging to send new commands to infected hosts and then going dark again. This technique is one of many the reasons Necurs has been able to expand to more than half a million bots around the world.”

Black Lotus has also observed the evolution of the payloads used by the botnet operators.

“Most recently, Necurs has been seen pushing out infostealers and RATs, like AZOrult and FlawedAmmyy, to targeted hosts based on specific information found on infected hosts and deploying a new sophisticated .NET spamming module which can send spam using a victim’s email accounts.” continues the blog post. “These new capabilities represent a significant increase in Necurs’ ability to perpetrate spear phishing, financial crimes and espionage. “

CenturyLink described its efforts in trying to sinkhole the Necurs botnet, however, the operations are not simple because the malicious infrastructure leverages a domain generation algorithm (DGA) to obfuscate avoid takedown.

“When the Necurs operators register a DGA domain to inform the bots of the new C2, the domain is not pointed to the real IP address of the new C2 host,” the experts explained. “Instead, the real IP address of the C2 is obfuscated with what is essentially an encryption algorithm. The bot will then ‘decrypt’ the obfuscated IP address and contact the new C2. This prevents researchers from being able to identify new C2s simply by querying the DGA domains, but more importantly, it makes it difficult for researchers to sinkhole these DGA domains.”

Experts pointed out that DGA is a double-edged sword because allows security researchers to analyze DNS and network traffic to enumerate bots.

“Despite making it more difficult to takedown the Necurs botnet completely, its use of a DGA is a double-edged sword. Because the DGA domains it will use are known in advance, security researchers can use methods like sinkholing DGA domains and analyzing DNS and network traffic to enumerate its bots and C2 infrastructure, allowing them to mitigate much of the potential damage of this enterprising botnet.” concludes the post.

“CenturyLink has taken steps to mitigate the risk of Necurs to customers, in addition to notifying other network owners of potentially infected devices to help protect the internet. However, the evolution of Necurs’ capabilities and its global distribution make this botnet one the security community will need to continue to watch.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Necurs botnet, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Cybercrime malware Necurs Bornet Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini July 07, 2025
Taiwan flags security risks in popular Chinese apps after official probe
Read more
Pierluigi Paganini July 07, 2025
U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    New Batavia spyware targets Russian industrial enterprises

    Uncategorized / July 07, 2025

    Taiwan flags security risks in popular Chinese apps after official probe

    Security / July 07, 2025

    U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 07, 2025

    Hunters International ransomware gang shuts down and offers free decryption keys to all victims

    Cyber Crime / July 06, 2025

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

    Security / July 06, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT