After three weeks of silence, Necurs, the world's biggest botnet, is coming back to life and appears to be preparing new spam and malware distribution campaigns.
Reports from MalwareTech and Proofpoint show that the Necurs botnet stopped all activity on May 31 this year, when its main C&C servers went offline.
The Necurs shutdown was felt immediately: security experts noticed a drop in the email spam delivering the Locky ransomware. Unexpectedly, the spam emails carrying the Dridex banking trojan also slowed down, which was curious given that Dridex operates from its own, separate botnet; the connection is that Necurs had been serving as the spam delivery channel for Dridex as well.
MalwareTech then detected new Necurs activity, and the security company AppRiver confirmed the findings. Necurs came back on Sunday, when its operators set up new C&C servers, and within a short time a large number of bots started connecting to the new backend.
“The fact that bots will not stop polling the DGA until a C&C server replies with a digitally signed response would suggest that the botmasters are still fully in control of the botnet, or someone else has gotten a hold of the private key,” MalwareTech states.
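The security point behind that quote is the one a defender cares about: a bot that walks a domain generation algorithm (DGA) will happily reach servers that researchers or rivals register on those names, but it only accepts a reply that verifies under the public key baked into the bot, so sinkholing the domains disrupts the botnet without letting anyone else steer it. The simulation below is an added illustration written for this article; it is not code from the original page, from MalwareTech, or from Necurs. The DGA (`generateDomains`), the `C2Response` format, the `Resolver` map that stands in for DNS/HTTP lookups, and the use of Ed25519 are all assumptions made for the example, not details of the real malware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// generateDomains is a stand-in DGA (constructed for this example, not the
// Necurs algorithm): it derives n candidate domain names from a seed and a
// day counter, so every bot with the same seed computes the same list.
func generateDomains(seed string, day, n int) []string {
	domains := make([]string, 0, n)
	for i := 0; i < n; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%d", seed, day, i)))
		domains = append(domains, hex.EncodeToString(h[:6])+".example")
	}
	return domains
}

// C2Response is the hypothetical reply a bot expects from a C&C: a payload
// plus a signature over that payload made with the botmaster's private key.
type C2Response struct {
	Payload   []byte
	Signature []byte
}

// Resolver models lookups of DGA domains: a domain with no entry is
// unregistered; an entry is whatever the server behind that name answered.
type Resolver map[string]*C2Response

// generateBotmasterKeys creates the key pair whose public half is embedded in
// the bot and whose private half stays with the operators.
func generateBotmasterKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signResponse is what the operators do when they bring up a new C&C on a
// DGA domain: sign the payload so that bots will accept it.
func signResponse(priv ed25519.PrivateKey, payload []byte) *C2Response {
	return &C2Response{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// pollDGA walks the candidate domains in order and returns the first one whose
// response verifies under the embedded public key. An unregistered domain, an
// unsigned reply, or a reply signed with any other key (a sinkhole, a rival
// takeover) is skipped; ok is false when no candidate verified, which is why
// a bot "will not stop polling the DGA" until a legitimate C&C comes back.
func pollDGA(pub ed25519.PublicKey, domains []string, resolve Resolver) (domain string, payload []byte, ok bool) {
	for _, d := range domains {
		resp, registered := resolve[d]
		if !registered || resp == nil {
			continue // nobody answers on this name yet
		}
		if !ed25519.Verify(pub, resp.Payload, resp.Signature) {
			continue // answered, but not by the holder of the private key
		}
		return d, resp.Payload, true
	}
	return "", nil, false
}

func main() {
	pub, priv, err := generateBotmasterKeys()
	if err != nil {
		panic(err)
	}
	_, sinkholePriv, _ := generateBotmasterKeys() // a key a researcher would have to guess
	domains := generateDomains("demo-seed", 17, 6)

	// Constructed scenario: a sinkhole answers on the first DGA domain with its
	// own signature, the second answers unsigned, the fourth is the real C&C.
	resolve := Resolver{
		domains[0]: signResponse(sinkholePriv, []byte("sinkhole says: stop")),
		domains[1]: &C2Response{Payload: []byte("unsigned reply")},
		domains[3]: signResponse(priv, []byte("resume campaign")),
	}
	if d, p, ok := pollDGA(pub, domains, resolve); ok {
		fmt.Printf("accepted %s: %q\n", d, p)
	} else {
		fmt.Println("no valid C&C yet; keep polling")
	}
}
```

Run it with `go run` and the bot accepts only the fourth domain; drop that entry from `resolve` and it reports that it must keep polling, exactly the behaviour that told MalwareTech the botnet was either still under its operators' control or that someone else held the private key. Note that this design also cuts the other way for defenders: sinkholing the DGA names gives you a census of infected hosts, but never the ability to issue commands.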
Alongside the return of the Necurs botnet, security experts noticed a resurgence of Locky spam, though it carried the same samples that antivirus products had already detected on May 31.
According to MalwareTech, the Necurs team has always started new campaigns with a fresh batch of undetected Locky ransomware samples, so this looked as if they had simply hit "pause/resume" on an older campaign.
Cyber-crime gangs have been known to take time off before, either for maintenance or to upgrade their servers, though such breaks usually precede a large infrastructure update.
Since no new Locky or Dridex malware samples have yet been observed from this botnet, we'll have to wait and see what the Necurs team has prepared next.