6/23/2016
05:50 PM
Large Botnet Comes Back To Life -- With More Malware

The Necurs botnet associated with Dridex and Locky is back after a three-week hiatus.

A botnet associated with the huge volumes of Dridex and Locky-laden emails in recent months has resumed operations after mysteriously going dark for three weeks.

Researchers from multiple firms report seeing a sharp increase in malicious traffic originating from the Necurs botnet, after a significant drop-off beginning May 31.

AppRiver security analyst Jonathan French spotted the botnet back in action on June 21 in the form of a massive Locky email campaign. From an average of between three million and 10 million emails with malicious attachments per day since the beginning of June, the number suddenly shot up to 80 million malicious emails on June 21, and 160 million on June 22, French said.

“It looks like Necurs is coming back and ramping up,” he said in a blog post this week. “Whether or not this is a temporary spike or a return to pre-June 1 “normalcy” is too early to tell.”

French told Dark Reading it remains unclear why Necurs apparently went offline for some time and then came back up again just as abruptly. “This is the question everyone is asking now. While it’s pretty apparent the botnet wasn’t taken down, no one is entirely sure why it went offline for three weeks,” he says.

One possibility is that the operators of the botnet encountered technical issues and were busy trying to fix them, or that they were adding new functionality to it, he says. But a three-week hiatus seems too long to fully account for either possibility. “With how large the botnet is and how successful it’s been, it seems odd any issue they ran across would have taken three weeks to overcome,” he says.

Another possibility is that the botnet has changed hands and is now under the control of a new set of operators, French says.

Regardless, the reactivation of Necurs is bad news, notes Kevin Epstein, vice president of the threat operations center at Proofpoint, which also reported seeing a sharp spike in malicious traffic from the botnet. Proofpoint reported Necurs-related traffic over the last two days as being about 10% of the volume prior to June 1. Still, the campaign remains very large and dangerous, the company says.

“The Necurs botnet reactivation is significant,” Epstein says. “It is the sending infrastructure for the massive, global malicious email campaigns distributing Dridex banking Trojan and Locky ransomware.”

Like French, Epstein is at a loss to explain the sudden lull in activity earlier this month. But he, too, speculates that the botnet operators might have run into issues with their command and control infrastructure.

In similar cases such as the temporary cessation last August of the Dridex botnet and its spread of the Nuclear exploit kit, the disruptions stemmed from law enforcement actions, he says. But there has been nothing to indicate the same is true of Necurs. He conjectures that the reason why the botnet has resumed operations is simply because of the money to be made in distributing ransomware.

“The Locky ransomware and Dridex banking Trojan are too lucrative for the threat actors behind them to stay quiet for long,” he says.

According to Proofpoint, the Locky sample coming via the newly revived Necurs botnet is more sophisticated than previous versions and includes new evasion and sandboxing techniques that make it much harder to detect and stop.

MalwareTech, an outfit that operates a botnet tracker, described Necurs as being composed of seven smaller botnets, with a total of around 1.7 million infected systems. All seven went offline around the same time on May 31, stayed offline for the same length of time, and revived at the same time. That suggests the same organization is in charge of all seven botnets, MalwareTech noted.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
