One of the world's largest botnets, Necurs, may be back in the game: researchers warn that the number of banking Trojans and ransomware samples spread via spam is rising.
The Necurs botnet was used by cybercriminals to distribute the notorious Locky ransomware and the Dridex banking Trojan. However, on June 1st both campaigns suddenly stopped, and experts began to think that Necurs was gone.
“We can only tell that the Dridex and Locky spam campaigns stopped since June 1 in our observation. We cannot confirm how the botnet was brought down yet.” – Joonho Sa, a FireEye researcher, said.
Researchers first came across the Necurs botnet in early 2015, and soon afterwards it was classified as “a masterpiece of criminality” because of its efficiency and complexity. Later, in October the same year, the FBI and NCA joined forces and managed to take down the dreaded threat. However, it reappeared soon after, mainly delivering the Locky ransomware.
Currently, even though it hasn’t been seen since June 1st, the Necurs botnet may be back, considering the rising spam numbers. Before 2016, the average number of IP addresses in the SpamCop Blocklist was 200,000. This year, this number has more than doubled to 450,000 IPs. That's why researchers are right to consider the possibility that Necurs is back once again.
“This year, 2016, has seen overall spam volumes creep back up to a level that we have not seen for a very long time. I present to you “Exhibit A”: The ten year volume graph from the Composite Block List (CBL). According to CBL, the last time spam volumes were this high was back in mid-2010.” – states a blog post published by the Talos team.
The tactic of sending a huge amount of spam in a short interval of time has now been replaced by a stealthier one, and the Necurs botnet's developers have changed their attack technique from persistence to speed. They are trying to get as many spam emails as possible through the spam filters and drop as many payloads on their targets as they can.
“Email threats, like any other, constantly evolve. As we grow our techniques to detect and block threats, attackers are simultaneously working towards evading detection technology. Unfortunately, there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack.” – warns the Talos Team.
Analysts and experts are unanimous that there is a chance the Necurs botnet has been resurrected, even more dangerous than before.