The Necurs botnet is currently the second largest spam botnet; it has been active since at least 2012 and was involved in massive campaigns spreading malware such as the Locky ransomware, the Scarab ransomware, and the Dridex banking Trojan.
According to the experts, the Necurs botnet is currently composed of roughly 570,000 bots distributed globally, most of them in India, Indonesia, Vietnam, Turkey, and Iran. It has been estimated that there are about 90,000 “orphaned” Necurs bots in the wild.
Now Necurs has been spotted using a new evasion technique and that is allowing its operators to recruit more bots to the botnet.
According to the experts from Black Lotus Labs, a division of the telecom and ISP provider CenturyLink, Necurs operators regularly shut down segments of their command-and-control (C2) infrastructure. Since May, the C2 has been active for roughly three weeks before going down for two weeks and then coming back up again.
“From the network perspective, Black Lotus Labs continue to see cycles of
“At times, they’ve been known to be inactive for weeks. Most recently, the C2s have gone offline for most of the last four months, coming online for short periods of time about once a week.”
The presence of tens of thousands of orphaned bots is worrisome: at any moment some of them could be recruited back into the botnet once the operators take the necessary actions.
“Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as
Black Lotus has also observed the evolution of the payloads used by the
“Most recently, Necurs has been seen pushing out
CenturyLink described its efforts in trying to sinkhole the Necurs botnet; however, the operation is not simple because the malicious infrastructure leverages a domain generation algorithm (DGA) to obfuscate avoid
“When the Necurs operators register a DGA domain to inform the bots of the new C2, the domain is not pointed to the real IP address of the new C2 host,” the experts explained. “Instead, the real IP address of the C2 is obfuscated with what is essentially an encryption algorithm. The bot will then ‘decrypt’ the obfuscated IP address and contact the new C2. This prevents researchers from being able to identify new C2s simply by querying the DGA domains, but more importantly, it makes it difficult for researchers to sinkhole these DGA domains.”
Experts pointed out that the DGA is a double-edged sword, because it also allows security researchers to analyze DNS and network traffic to enumerate bots.
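The "double-edged sword" point above is the basis of a common defender technique: a DGA client must query many algorithmically generated names, most of which are unregistered, so a resolver log exposes the querying hosts. The following is an added illustration of that enumeration step, not code from the article, from CenturyLink or from Black Lotus Labs; the log format, the entropy and vowel-ratio thresholds, and every hostname and client address in it are constructed assumptions, and the heuristic is generic rather than tuned to the real Necurs DGA.

```python
"""Enumerate likely DGA clients from DNS resolver logs.

Added example (not from the article or from Black Lotus Labs). The log
format, the thresholds, the hostnames and the client addresses below
are constructed assumptions for illustration only.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one query per line:
# "<client_ip> <query_name> <response_code>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 xkqwpzhtrl.com NXDOMAIN
10.0.0.9 qzmvbdfkx.net NXDOMAIN
10.0.0.9 pltwqsvzx.org NXDOMAIN
10.0.0.9 hrbvxmzkq.biz NXDOMAIN
10.0.0.9 cdn.example.com NOERROR
10.0.0.12 update.vendor-example.com NOERROR
10.0.0.12 typo-exmaple.com NXDOMAIN
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label: str) -> bool:
    """Heuristic for an algorithmically generated label (assumed thresholds):
    at least 8 characters, high entropy, and few vowels."""
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) > 2.8 and vowels / len(label) < 0.3


def parse_log(text: str):
    """Yield (client, qname, rcode) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower(), parts[2].upper()


def registrable_label(qname: str) -> str:
    """Return the label directly under the TLD ('foo' for 'a.foo.com')."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def enumerate_suspect_hosts(log_text: str, min_hits: int = 3) -> dict:
    """Map each client that produced at least `min_hits` distinct NXDOMAIN
    responses for DGA-looking names to the sorted list of those names."""
    hits = defaultdict(set)
    for client, qname, rcode in parse_log(log_text):
        if rcode == "NXDOMAIN" and looks_generated(registrable_label(qname)):
            hits[client].add(qname)
    return {c: sorted(names) for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in enumerate_suspect_hosts(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAIN queries, e.g. {names[0]}")
```

The NXDOMAIN filter is what makes this work against a rotating DGA: a bot walks through many candidate names before reaching the one the operators registered, so the failed lookups outnumber the single successful one. The lone typo from 10.0.0.12 is ignored because a single miss on a vowel-rich name does not meet the heuristic, which is why the threshold on distinct names matters more than any one lookup.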
“Despite making it more difficult to
“CenturyLink has taken steps to mitigate the risk of Necurs to customers, in addition to notifying other network owners of potentially infected devices to help protect the internet. However, the evolution of Necurs’ capabilities and its global distribution make this botnet one the security community will need to continue to watch.”