The Necurs botnet has seen a recent spike in activity, shifting its intent from malware distribution to penny stock pump-and-dump spamming.
According to Cisco Talos, over the past year Necurs has been used primarily for the distribution of Locky ransomware and Dridex. But after it mysteriously went offline earlier this year, Locky distribution declined significantly.
Now, “rather than distributing malware in the form of malicious attachments, it appears to have shifted back to messages,” said Cisco researchers Sean Baird, Edmund Brumaghin, Earl Carter and Jaeson Schultz, in an analysis. “This is not the first time that Necurs has been used to send high-volume pump-and-dump emails…. This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet.”
Email campaigns associated with Locky and Dridex generally pose as transaction notifications, and purport to contain shipping notifications and ACH transaction notifications. Necurs’ new round of emails do not contain any malicious hyperlinks or attachments. Instead, they claim to be hot stock tips.
“It…claims that InCapta Inc ($INCT) is going to be bought out at $1.37 per share by DJI (a drone company) based on information purportedly obtained from colleagues at an M&A firm in Manhattan. The email explains that DJI is moving forward with the buyout,” Cisco explained. And it appears to be effective: the firm said that shares of InCapta, a mobile application development company, have seen a significant increase in trading volume.
This is a classic get-rich-quick scheme, with the messages going so far as to guarantee “massive returns.” The messages were sent in relatively high volumes, with tens of thousands seen just over the course of the morning on 20 March. The addresses being blocked spiked to over 150,000 during the course of two waves of the new campaign.
The takeaway? The attackers appear to be changing their methodologies as well as the strategies they use to monetize systems under their control. Interestingly, Cisco analysis also found that the same email addresses seem to be used in both Necurs’ malware distribution efforts and the spam campaign, “hinting at the fact that Necurs operators may use a shared database of email addresses even when clients request different services.”
This is not the first time this year that Necurs has been observed changing its spots. In February, Anubis Networks observed it taking a page from Mirai, and setting itself up to act as infrastructure for DDoS attacks. It was also seen loading a new module—indicating that it can add new capabilities at any time.