Necurs, which distributes Dridex and Locky ransomware, has been called the largest spam botnet in the world. Now, however, it appears to have a brand new role: trying to manipulate the stock market.
After being offline for a few weeks, Necurs is back online, noted Talos, Cisco’s threat intelligence organization.
The experts reported that, besides being back online, the botnet was already sending spam emails. Since spam is its usual method of malware distribution, this looks perfectly normal; the question is why these emails contain no links or attachments at all.
“This is not the first time that Necurs has been used to send high volume pump-and-dump emails. In analyzing previous telemetry data associated with these campaigns, we identified a similar campaign on December 20, 2016 shortly before the Necurs botnet went offline for an extended period. This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet,” the report states.
Usually, the email campaigns run via Necurs consist of messages containing transaction notifications with shipping data and the like. This time, however, there are no hyperlinks to malicious servers, no malicious attachments, nothing of the kind.
Instead, the spam emails feature a market alert about a specific stock ticker, $INCT, which belongs to the mobile app development company InCapta Inc. The message claims that the company is going to be bought out at $1.37 per share by the drone company DJI, based on a tip coming from a Manhattan company.
The email goes on to say that the move would revolutionize the drone industry by creating the first independent drones, which can be dispatched to areas of interest such as car chases, wildfires, crime scenes, etc.
“The network of drones operates by connecting to a cloud and complex algorithms efficiently dispatch the drones within moments of an incident being reported. This way the media outlet that owns the drones can be the first to the scene and get exclusive, live-streamed,” the message says.
To make the pitch even more enticing, the email states that the buyout is supposed to be announced on March 28 and recommends purchasing before then, saying that DJI is certainly going to pay a lot more than the current value, so there is a way for recipients to make money.
Tens of thousands of these spam emails were sent via Necurs, and the volume of traded shares rose significantly, meaning that the stock market has already been seriously affected.
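Because these messages carry no link or attachment, URL and attachment scanning has nothing to inspect, and a mail filter has to rely on the content traits described above. The following is an added example, not code from Talos or from the original article; the regular expressions, the two-cue threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Content cues taken from the campaign described above: a cashtag, a
# per-share price claim, and advice to buy before a deadline.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
CASHTAG_RE = re.compile(r"(?<![\w$])\$[A-Z]{2,5}\b")
PRICE_RE = re.compile(r"\$\d+(?:\.\d+)?\s*(?:per|a)\s+share", re.I)
DEADLINE_RE = re.compile(r"\b(?:buy|purchas)\w*\b[^.]{0,60}\bbefore\b", re.I)

def text_and_attachments(msg):
    """Return (all decoded text parts joined, number of attachments)."""
    texts, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts), attachments

def stock_spam_signals(raw_email):
    msg = message_from_string(raw_email)
    body, attachments = text_and_attachments(msg)
    text = f"{msg.get('Subject', '')}\n{body}"
    signals = {
        # True means URL and attachment scanning has nothing to inspect.
        "payload_free": attachments == 0 and not URL_RE.search(text),
        "cashtag": bool(CASHTAG_RE.search(text)),
        "price_per_share": bool(PRICE_RE.search(text)),
        "buy_before_deadline": bool(DEADLINE_RE.search(text)),
    }
    promo = signals["cashtag"] + signals["price_per_share"] + signals["buy_before_deadline"]
    signals["suspected_pump_and_dump"] = promo >= 2  # threshold is an assumption
    return signals

# Constructed samples, not real captured mail.
PUMP = ("From: alerts@example.net\nSubject: Market alert: $INCT\n\n"
        "A tip from a Manhattan firm says DJI will buy out InCapta Inc at "
        "$1.37 per share.\nThe buyout is to be announced on March 28. "
        "Purchase shares before then.\n")
SHIPPING = ("From: shop@example.com\nSubject: Your order has shipped\n\n"
            "Thank you for your purchase. Total: $25.00.\n"
            "Track it at https://example.com/track/123\n")

if __name__ == "__main__":
    for name, raw in (("pump", PUMP), ("shipping", SHIPPING)):
        print(name, stock_spam_signals(raw))
```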