There have been recent reports that the Necurs botnet is active once again, after a number of security companies reported a massive increase in botnet activity beginning on June 21, 2016.
Prior to this, the Necurs botnet had been used to send huge volumes of Dridex malware and Locky, a sophisticated ransomware variant that was first identified in February 2016. It is not yet clear whether this is just a temporary spike in activity or whether the botnet will return to sending emails at the levels seen before the recent downtime.
Necurs botnet activity fell off on May 31. The volume of malicious emails sent through the botnet dropped to as few as 3 million a day. On June 21, however, the volume shot up to around 80 million emails, and one day later it had doubled to 160 million. The increase in activity is connected to a massive spam campaign delivering emails with malicious attachments that download Locky ransomware.
It is not yet clear why there was a period of quiet. Security specialists have been pondering this since the dramatic fall in activity on May 31.
The Necurs botnet is huge and is believed to include approximately 1.7 million computers, spread over 7 separate botnets. It is clear that the botnet had not been dismantled, even though activity across all seven of the botnets halted. In April and May of this year, spam volume consistently exceeded 150 million emails a day. Now the Necurs botnet appears to be back up to speed.
Around the same time as the lull in activity, Russia's FSB security service carried out raids resulting in the arrests of around 50 hackers. This group had been using the Lurk Trojan to defraud banks and other targets in Russia. It is not known whether the operators had problems with their C&C infrastructure. If the botnet has changed ownership, a single organization is likely in control, since activity across all seven botnets resumed at the same time.
The return of the Necurs botnet is bad news. Proofpoint reports that the resurrection of the botnet has been coupled with a new Locky variant with new capabilities. The latest Locky strain is better at evading detection and at determining whether it is running in a sandbox. Proofpoint detected these new features shortly before the Necurs botnet went quiet.