Necurs Botnet Shifts from Ransomware to Pump-and-Dump Scam
Prolific Spam Runs Promoted Alleged Merger of Drone Makers
One of the largest botnets in the world, Necurs, has resurged yet again. But instead of flinging ransomware at victims, this time it's shifted to spam aimed at influencing the price of cheap stocks, say researchers from Cisco's Talos security group.
Talos noticed that Necurs sent a barrage of spam on March 20 relating to InCapta, a California-based media company founded to develop game and celebrity apps, which is apparently now dabbling in the use of drones that can be independently dispatched to cover unfolding incidents, such as crime scenes or wildfires. The spam falsely contended the company was about to be bought out by drone market giant DJI.
Pump-and-dump scams - in which spam emails urge recipients to buy a cheap stock so that demand artificially inflates its price and the scammers holding shares can sell at a profit - are seen less frequently than in days past. That's why it's somewhat surprising that a large botnet like Necurs is being used for one, although it may be a sign that whoever runs Necurs is having trouble monetizing their army of infected bots.
Other security researchers have also flagged the sudden increase in pump-and-dump spam sent by Necurs.
"It's been a long time since I've seen a pump-and-dump spam run illegally pushing a stock as hard as this," security researcher Conrad Longmore says via his Dynamoo blog.
The British malware researcher known as MalwareTech also reported the rise in Necurs-delivered pump-and-dump spam on March 20, after reporting on March 14 that Necurs command-and-control servers appeared to be down and unreachable by about 300,000 infected endpoints. By March 21, however, MalwareTech was tracking about 300,000 infected endpoints connecting to the C&C servers again, of which about 50,000 appeared to be new.
[Figure: Necurs botnet traffic]
Necurs: On Again, Off Again
Necurs rose to cybercrime fame thanks to pushing the Dridex banking Trojan and Locky ransomware (see Spotted: Surprising Lull in Locky and Dridex Attacks).
Dridex is sophisticated banking malware that can inject HTML fields into forms in an effort to fool online banking customers and steal their account and login details. Locky, meanwhile, encrypts files on a computer's hard drive, asking for a ransom in return for a decryption key. By combining Dridex with Locky, attackers had a formidable one-two punch designed for draining a victim's accounts, then extorting more money from them to decrypt their data.
The spam campaigns that spread both types of malware were often disguised as bogus shipping or transaction notices carrying malicious attachments. And the fact that Necurs has successfully infected more than 1 million computers worldwide, to date, speaks to its success.
Necurs appears to have stumbled, though, following a series of arrests in Russia. In June 2016, Russian authorities arrested about 50 people who allegedly used malware to steal upwards of 1.7 billion rubles ($30 million) from Russian banks (see Russian Police Bust Alleged Bank Malware Gang).
The arrests preceded a decline in the use of the Angler exploit kit and also Necurs, leading security researchers to suspect that the arrests disrupted related cybercrime operations.
News from a Drone?
In January, Talos reported that Necurs' activity had dropped off at the end of 2016 - a seasonal dip that malware observers have often connected with the holiday break. But before the New Year pause, it had launched a pump-and-dump campaign.
Fast-forward to February, when AnubisNetworks noticed that a distributed denial-of-service module had been added to Necurs, although it has yet to be tied to any actual DDoS attacks.
Now, this month's resumption of sending pump-and-dump campaigns may be a move by Necurs' operators to generate cash, because a botmaster will often monetize their botnet by renting it to others for launching their own cyberattacks.
"This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet," Cisco Talos security researchers write.
In this case, the emails promoting InCapta claimed investors could make 10 times their money back within a week if they invested. The spam may have affected trading: As Talos notes, 4.5 million shares of InCapta - an abnormal volume - were traded on March 20. After a large, second round of spam that day, the stock price temporarily increased as well.
On March 20, InCapta shares peaked at around $0.23, but closed down at $0.15 - much closer to its average value of late. "The spam is being sent from a botnet to random addresses," Longmore writes in a March 20 blog post. "I have no evidence to suggest that Incapta Inc. is behind this."
InCapta couldn't be immediately reached for comment.
But it's tough to know if the spam alone accounted for the stock price fluctuation, since the company on March 20 announced that it would be producing a weekly TV news show hosted by actor Nick Mancuso, featuring "political, law enforcement, crime, sports and breaking news" gathered by "its citizen journalists."
That followed InCapta on Dec. 20, 2016, publishing a press release saying it was looking for "qualified news reporters for its news drone operations" in partnership with the World Drone Recreation Aviators Club, which appears to be an online shop selling drones and related accessories. The press release reads: "Qualified journalists may become a drone journalist."
Executive Editor Mathew Schwartz also contributed to this story.