Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

6/23/2016
05:50 PM

Large Botnet Comes Back To Life -- With More Malware

The Necurs botnet associated with Dridex and Locky is back after a three-week hiatus.

A botnet associated with the huge volumes of Dridex and Locky-laden emails in recent months has resumed operations after mysteriously going dark for three weeks.

Researchers from multiple firms report seeing a sharp increase in malicious traffic originating from the Necurs botnet, after a significant drop-off beginning May 31.

AppRiver security analyst Jonathan French spotted the botnet back in action on June 21 in the form of a massive Locky email campaign. From an average of between three million and 10 million emails with malicious attachments per day since the beginning of June, the number suddenly shot up to 80 million malicious emails on June 21, and 160 million on June 22, French said.

“It looks like Necurs is coming back and ramping up,” he said in a blog post this week. “Whether or not this is a temporary spike or a return to pre-June 1 ‘normalcy’ is too early to tell.”

French told Dark Reading it remains unclear why Necurs apparently went offline for some time and then came back up again just as abruptly. “This is the question everyone is asking now. While it’s pretty apparent the botnet wasn’t taken down, no one is entirely sure why it went offline for three weeks,” he says.

One possibility is that the operators of the botnet encountered technical issues and were busy trying to fix them, or that they were adding new functionality to it, he says. But a three-week hiatus seems too long to fully account for either possibility. “With how large the botnet is and how successful it’s been, it seems odd any issue they ran across would have taken three weeks to overcome,” he says.

Another possibility is that the botnet has changed hands and is now under the control of a new set of operators, French says.

Regardless, the reactivation of Necurs is bad news, notes Kevin Epstein, vice president of the threat operations center at Proofpoint, which also reported seeing a sharp spike in malicious traffic from the botnet. Proofpoint reported Necurs-related traffic over the last two days as being about 10% of the volume prior to June 1. Still, the campaign remains very large and dangerous, the company says.

“The Necurs botnet reactivation is significant,” Epstein says. “It is the sending infrastructure for the massive, global malicious email campaigns distributing Dridex banking Trojan and Locky ransomware.”

Like French, Epstein is at a loss to explain the sudden lull in activity earlier this month. But he, too, speculates that the botnet operators might have run into issues with their command and control infrastructure.

In similar cases, such as the temporary cessation last August of the Dridex botnet and its spread of the Nuclear exploit kit, the disruptions stemmed from law enforcement actions, he says. But there has been nothing to indicate the same is true of Necurs. He conjectures that the botnet resumed operations simply because of the money to be made in distributing ransomware.

“The Locky ransomware and Dridex banking Trojan are too lucrative for the threat actors behind them to stay quiet for long,” he says.

According to Proofpoint, the Locky sample coming via the newly revived Necurs botnet is more sophisticated than previous versions and includes new evasion and sandboxing techniques that make it much harder to detect and stop.

MalwareTech, an outfit that operates a botnet tracker, described Necurs as being composed of seven smaller botnets, with a total of around 1.7 million infected systems. All of the botnets went offline around the same time on May 31, stayed offline for the same length of time, and revived at the same time. That suggests the same organization is in charge of all seven botnets, MalwareTech noted.
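The two observations above (an abrupt volume spike of 80 million and 160 million malicious emails against a daily baseline of three to 10 million, and seven sub-botnets whose outage windows start and end together) are both things a defender can detect automatically from time series they already collect. The following is an added example, not code from the article or from AppRiver, Proofpoint or MalwareTech. It assumes two constructed inputs: daily counts of emails with malicious attachments seen at a mail gateway (in millions), and per-sub-botnet daily activity counts such as a sinkhole or tracker would record. The names `sub1` to `sub7`, the activity levels and the outage dates are all constructed for illustration; the spike and outage thresholds are tunable parameters, not values from the page.

```python
"""Detect volume spikes and outages in botnet activity time series, and check
whether several sub-botnets went dark and came back within the same window
(a hint, as the article notes, that one operator controls all of them)."""
from statistics import median

# Constructed daily counts (millions) of emails with malicious attachments.
# Two weeks of a 3-10M baseline followed by an 80M and a 160M day.
EMAILS_PER_DAY_M = [5, 8, 3, 10, 6, 4, 9, 7, 5, 3, 8, 6, 10, 4, 7, 5, 80, 160]


def find_spikes(series, baseline_days=7, factor=5.0):
    """Return [(day_index, value)] for days whose value exceeds `factor` times
    the median of the preceding `baseline_days` days. A median baseline is
    used so that an earlier spike does not drag the baseline up and mask a
    second one (compare the 160M day, whose window already contains 80M)."""
    spikes = []
    for i in range(baseline_days, len(series)):
        base = median(series[i - baseline_days:i])
        if base > 0 and series[i] > factor * base:
            spikes.append((i, series[i]))
    return spikes


def find_outages(series, baseline_days=7, quiet_fraction=0.05, min_days=3):
    """Return [(start_day, end_day)] inclusive windows in which activity stayed
    below `quiet_fraction` of the pre-outage median for at least `min_days`.
    The baseline is frozen at the value computed just before the drop so the
    outage itself does not redefine what "quiet" means."""
    outages = []
    i = baseline_days
    while i < len(series):
        base = median(series[i - baseline_days:i])
        threshold = quiet_fraction * base
        if base > 0 and series[i] < threshold:
            start = i
            while i < len(series) and series[i] < threshold:
                i += 1
            if i - start >= min_days:
                outages.append((start, i - 1))
        else:
            i += 1
    return outages


def coincident_outages(per_botnet, tolerance_days=1):
    """Return (coincident, windows). `coincident` is True when every botnet
    shows exactly one outage and all start days and all end days fall within
    `tolerance_days` of each other."""
    windows = {name: find_outages(s) for name, s in per_botnet.items()}
    if not windows or any(len(w) != 1 for w in windows.values()):
        return False, windows
    starts = [w[0][0] for w in windows.values()]
    ends = [w[0][1] for w in windows.values()]
    same_start = max(starts) - min(starts) <= tolerance_days
    same_end = max(ends) - min(ends) <= tolerance_days
    return same_start and same_end, windows


def make_series(level, outage, n_days=40):
    """Constructed activity series: a steady level with mild day-to-day
    variation, and zero activity inside the `outage` (start, end) window."""
    start, end = outage
    return [0 if start <= d <= end else level + (d % 3) * 10
            for d in range(n_days)]


# Seven constructed sub-botnets that all go dark on day 10 and return on day 31.
SUB_BOTNETS = {f"sub{k}": make_series(1000 * k, (10, 30)) for k in range(1, 8)}

# Same, except one sub-botnet drops out five days later than the others.
SUB_BOTNETS_SHIFTED = dict(SUB_BOTNETS)
SUB_BOTNETS_SHIFTED["sub7"] = make_series(7000, (15, 30))


def analyze(emails=EMAILS_PER_DAY_M, botnets=SUB_BOTNETS):
    """Combine both checks into one report dictionary."""
    coincident, windows = coincident_outages(botnets)
    return {
        "spikes": find_spikes(emails),
        "outages": windows,
        "single_operator_hint": coincident,
    }


if __name__ == "__main__":
    report = analyze()
    for day, value in report["spikes"]:
        print(f"spike on day {day}: {value}M malicious emails")
    for name, w in report["outages"].items():
        print(f"{name}: outage windows {w}")
    print("all sub-botnets dark and back together:",
          report["single_operator_hint"])
```

Run as-is it flags days 16 and 17 (the constructed 80M and 160M days) as spikes, finds the single day-10-to-30 outage for each of the seven constructed sub-botnets, and reports that the outages coincide; swapping in `SUB_BOTNETS_SHIFTED` makes the coincidence check fail. In practice the email series would come from gateway or secure-email-gateway logs and the per-botnet series from a sinkhole or tracker feed; the median-based thresholds are deliberately simple so the alert logic is easy to explain to whoever triages it.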

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
