Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/23/2016
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Large Botnet Comes Back To Life -- With More Malware

The Necurs botnet associated with Dridex and Locky is back after three-week haitus.

A botnet associated with the huge volumes of Dridex and Locky-laden emails in recent months has resumed operations after mysteriously going dark for three weeks.

Researchers from multiple firms report seeing a sharp increase in malicious traffic originating from the Necurs botnet, after a significant drop-off beginning May 31.

AppRiver security analyst Jonathan French spotted the botnet back in action on June 21 in the form of a massive Locky email campaign. From an average of between three million- to 10 million emails with malicious attachments per day since the beginning of June, the number suddenly shot up to 80 million malicious emails on June 21, and 160 million on June 22, French said.

“It looks like Necurs is coming back and ramping up,” he said in a blog post this week. “Whether or not this is a temporary spike or a return to pre-June 1 “normalcy” is too early to tell.”

French told Dark Reading says it remains unclear why Necurs apparently went offline for sometime and then came back up again just as abruptly. “This is the question everyone is asking now. While it’s pretty apparent the botnet wasn’t taken down, no one is entirely sure why it went offline for three weeks,” he says.

One possibility is that the operators of the botnet encountered technical issues and were busy trying to fix it, or they were adding new functionality to it, he says. But a three-week hiatus seems too long to fully account for either possibility. “With how large the botnet is and how successful it’s been, it seems odd any issue they ran across would have taken three weeks to overcome,” he says.

Another likelihood is that the botnet has changed hands and is now under the control of a new set of operators, French says.

Regardless, the reactivation of Necurs is bad news, notes Kevin Epstein, vice president of the threat operations center at Proofpoint, which also reported seeing a sharp spike in malicious traffic from the botnet. Proofpoint reported Necurs-related traffic over the last two days as being about 10% of the volume prior to June 1. Still, the campaign remains very large and dangerous, the company says.

"The Necurs botnet reactivation is significant,” Epstein says. “It is the sending infrastructure for the massive, global malicious email campaigns distributing Dridex banking Trojan and Locky ransomware.” 

Like French, Epstein is at a loss to explain the sudden lull in activity earlier this month. But he, too, speculates that the botnet operators might have run into issues with their command and control infrastructure.

In similar cases such as the temporary cessation last August of the Dridex botnet and its spread of the Nuclear exploit kit, the disruptions stemmed from law enforcement actions, he says. But there has been nothing to indicate the same is true of Necurs. He conjectures that the reason why the botnet has resumed operations is simply because of the money to be made in distributing ransomware.

“The Locky ransomware and Dridex banking Trojan are too lucrative for the threat actors behind them to stay quiet for long," he says.

According to Proofpoint, the Locky sample coming via the newly revived Necurs botnet is more sophisticated than previous versions and includes new evasion and sandboxing techniques that make it much harder to detect and stop.

MalwareTech, an outfit that operates a botnet tracker, described Necurs as comprised of seven smaller botnets, with a total of around 1.7 million infected systems. All of the botnets went offline around the same time on May 31, stayed offline for the same length of time, and revived at the same time. That suggests the same organization is in charge of all seven botnets, MalwareTech noted.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22861
PUBLISHED: 2021-03-03
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted ...
CVE-2021-22862
PUBLISHED: 2021-03-03
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of ...
CVE-2021-22863
PUBLISHED: 2021-03-03
An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would b...
CVE-2020-10519
PUBLISHED: 2021-03-03
A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the Gi...
CVE-2021-21353
PUBLISHED: 2021-03-03
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was p...