Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/23/2016
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Large Botnet Comes Back To Life -- With More Malware

The Necurs botnet associated with Dridex and Locky is back after three-week haitus.

A botnet associated with the huge volumes of Dridex and Locky-laden emails in recent months has resumed operations after mysteriously going dark for three weeks.

Researchers from multiple firms report seeing a sharp increase in malicious traffic originating from the Necurs botnet, after a significant drop-off beginning May 31.

AppRiver security analyst Jonathan French spotted the botnet back in action on June 21 in the form of a massive Locky email campaign. From an average of between three million- to 10 million emails with malicious attachments per day since the beginning of June, the number suddenly shot up to 80 million malicious emails on June 21, and 160 million on June 22, French said.

“It looks like Necurs is coming back and ramping up,” he said in a blog post this week. “Whether or not this is a temporary spike or a return to pre-June 1 “normalcy” is too early to tell.”

French told Dark Reading says it remains unclear why Necurs apparently went offline for sometime and then came back up again just as abruptly. “This is the question everyone is asking now. While it’s pretty apparent the botnet wasn’t taken down, no one is entirely sure why it went offline for three weeks,” he says.

One possibility is that the operators of the botnet encountered technical issues and were busy trying to fix it, or they were adding new functionality to it, he says. But a three-week hiatus seems too long to fully account for either possibility. “With how large the botnet is and how successful it’s been, it seems odd any issue they ran across would have taken three weeks to overcome,” he says.

Another likelihood is that the botnet has changed hands and is now under the control of a new set of operators, French says.

Regardless, the reactivation of Necurs is bad news, notes Kevin Epstein, vice president of the threat operations center at Proofpoint, which also reported seeing a sharp spike in malicious traffic from the botnet. Proofpoint reported Necurs-related traffic over the last two days as being about 10% of the volume prior to June 1. Still, the campaign remains very large and dangerous, the company says.

"The Necurs botnet reactivation is significant,” Epstein says. “It is the sending infrastructure for the massive, global malicious email campaigns distributing Dridex banking Trojan and Locky ransomware.” 

Like French, Epstein is at a loss to explain the sudden lull in activity earlier this month. But he, too, speculates that the botnet operators might have run into issues with their command and control infrastructure.

In similar cases such as the temporary cessation last August of the Dridex botnet and its spread of the Nuclear exploit kit, the disruptions stemmed from law enforcement actions, he says. But there has been nothing to indicate the same is true of Necurs. He conjectures that the reason why the botnet has resumed operations is simply because of the money to be made in distributing ransomware.

“The Locky ransomware and Dridex banking Trojan are too lucrative for the threat actors behind them to stay quiet for long," he says.

According to Proofpoint, the Locky sample coming via the newly revived Necurs botnet is more sophisticated than previous versions and includes new evasion and sandboxing techniques that make it much harder to detect and stop.

MalwareTech, an outfit that operates a botnet tracker, described Necurs as comprised of seven smaller botnets, with a total of around 1.7 million infected systems. All of the botnets went offline around the same time on May 31, stayed offline for the same length of time, and revived at the same time. That suggests the same organization is in charge of all seven botnets, MalwareTech noted.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.