The many faces and activities of ever-evolving Necurs botnet

• The botnet is primarily used to deliver other malware in different attack campaigns.
• The Necurs botnet is operated by a Russia-based threat actor group.

The powerful Necurs botnet has been around in the cybersecurity threat landscape since the time of its discovery. In Q4 2017, a report from McAfee had revealed that Necurs along with Gamut botnet had compromised 97% of spam botnet traffic. The botnet is primarily used to deliver other malware in different attack campaigns.

Background

The Necurs botnet is operated by a Russia-based threat actor group who is responsible for stealing millions of dollars using Dridex banking trojan and more recently the Locky ransomware. The botnet has been active since late 2012. With the passing years, the botnet has become one of the world’s largest botnets that can infect more than 6 million machines at a time.

How widespread is the botnet?

Research by Cisco Talos had revealed that they were about 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017. These campaigns were launched via phishing emails sent from almost 1.2 million distinct IP addresses in over 200 countries and territories. Most of these IP addresses were found to be concentrated in India, Vietnam, and Iran.

According to a report, McAfee has noted that the botnet was the second-most prevalent spam botnet after Gamut in the Q3 of 2018.

Since its inception in 2012, Necurs operators have periodically diversified their methods to monetize their nefarious activities. In 2013, Necurs was identified as a rootkit that was used to spread the Zeus banking trojan. By 2014, the botnet was evolved to distribute ransomware such as CryptoLocker and CryptoWall. The distribution of the CryptoWall via Necurs reaped the operators as much as $235 million in the first half of 2015.

In 2016, Necurs was made more sturdy to launch spamming activities. It was associated with various malware campaigns including the Dridex banking trojan, Shifu, TeslaCrypt and Locky. By this time, the botnet was capable enough to infect 1 million hosts.

In late 2016, a new module was added to the capabilities of Necurs botnet. This included both DDoS capabilities and the implementation of a proxy service.

In March 2018, the Necurs added cryptocurrency mining feature to its arsenal, thus enabling the attackers to deploy Monero-mining malware.

A look at Necur’s architecture

The Necurs botnet uses a hybrid architecture to communicate with the attackers. This includes direct C2 communication and peer-to-peer (P2P) communications. While the botnet uses the direct C2 server to obtain new instructions or configuration information, details about new C2s are distributed through Domain Generation Algorithm (DGA) domain queries or through P2P communication.

When bots lose connectivity to all known C2s, they begin to look out for new ones using the DGA and P2P communication. Once a new C2 is found, the bot stops querying DGA domains and contacting peers.

Conclusion

Given the capabilities of the Necurs, researchers believe it is difficult to take down the Necurs botnet completely. The operators are actively using the botnet to spew various malware and generate revenue between $100,000 and $200,000 a day in criminal activity.