After a three-month-long partial hiatus, the Necurs botnet is back to flinging spam emails left and right.
But unlike before the break, when it was mostly delivering the infamous Locky ransomware or the Dridex banking Trojan, the botnet is now engaged in distributing emails with no malicious attachment or link.
According to Cisco Talos researchers, the botnet has been spotted firing off short-lasting but sizeable bursts of penny stock pump-and-dump emails.
Necurs botnet’s latest campaign
The messages tout InCapta Inc., a mobile application development company, as a company with revolutionary drone technology, and say that it is going to be bought out at $1.37 per share by drone company DJI next week. Recipients are urged to buy its stock now, at 20 cents or less per share, and then sell it to DJI next week and make a killing.
Most people will be sceptical about those claims, but this type of spamming effort works.
“The stock has seen a significant increase in the volume of shares being traded,” the researchers noted. “While analyzing this particular spam campaign, we observed that the volume of shares being traded reached over 1 million shares (the total later in the day was over 4.5 million shares), which is exponentially higher than the average volume of shares traded.”
A second wave of very similar emails, sent eight hours after the first one, again increased the stock price.
This is not the first time that the Necurs botnet has been spotted fuelling pump-and-dump stock scams. The researchers pointed out a similar campaign in December 2016, when recipients were urged to buy stocks of a mobile application development services company.
Necurs’ botmasters like to mix it up
“Necurs is a good example of how over time attackers may change their methodologies as well as the strategies they use to monetize systems under their control,” the researchers noted.
The botnet’s longevity stems from the fact that the Necurs Trojan can prevent a large number of security applications from functioning correctly, can disable the machine’s firewall, and can create a backdoor into the system.
Also, many of the host IPs sending Necurs’ spam have been infected for many years, but Necurs will only send spam from a subset of them. “An infected host might be used for two to three days, and then sometimes not again for two to three weeks,” Cisco Talos researcher Jaeson Schultz previously noted. This helps botmasters keep the full scope of the botnet hidden, and it complicates the job of security personnel who respond to spam attacks.
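The on/off sending pattern described above (a few days of activity, then weeks of silence) is something a mail-gateway log can reveal if senders are profiled over time rather than per message. The script below is an added illustration, not code from Cisco Talos or this article: it parses constructed gateway log lines (documentation-range IPs and made-up subjects), collects the distinct days each source IP sent mail, splits them into contiguous bursts, and labels a source "intermittent" when its bursts are short and separated by a long idle gap. The log format and the burst and gap thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of mail-gateway log lines (not real data); the assumed
# format is "<ISO 8601 UTC timestamp> <source IP> <subject>". The first sender
# shows the burst-then-silence pattern described in the article, the second
# sends every day, the third appears once.
SAMPLE_LOG = """\
2017-03-20T08:01:12Z 198.51.100.7 InCapta buyout next week
2017-03-20T09:15:44Z 198.51.100.7 InCapta buyout next week
2017-03-21T10:02:05Z 198.51.100.7 InCapta buyout next week
2017-03-22T11:11:11Z 198.51.100.7 InCapta buyout next week
2017-04-10T08:00:00Z 198.51.100.7 Buy before the DJI deal
2017-04-11T08:30:00Z 198.51.100.7 Buy before the DJI deal
2017-03-18T08:05:00Z 203.0.113.9 Daily digest
2017-03-19T08:05:00Z 203.0.113.9 Daily digest
2017-03-20T08:05:00Z 203.0.113.9 Daily digest
2017-03-21T08:05:00Z 203.0.113.9 Daily digest
2017-03-22T08:05:00Z 203.0.113.9 Daily digest
2017-03-23T08:05:00Z 203.0.113.9 Daily digest
2017-03-24T08:05:00Z 203.0.113.9 Daily digest
2017-03-25T08:05:00Z 203.0.113.9 Daily digest
2017-03-20T12:00:00Z 192.0.2.44 Invoice attached
"""


def parse_log(text):
    """Turn log lines into (source_ip, date) pairs, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # not a timestamped line; ignore it
        events.append((parts[1], ts.date()))
    return events


def active_days(events):
    """Map each source IP to the sorted list of distinct days it sent mail."""
    days = defaultdict(set)
    for ip, day in events:
        days[ip].add(day)
    return {ip: sorted(d) for ip, d in days.items()}


def bursts(days):
    """Split sorted days into contiguous runs: list of (start, end, length_in_days)."""
    runs = []
    start = prev = days[0]
    for day in days[1:]:
        if (day - prev).days > 1:  # a missed day closes the current run
            runs.append((start, prev, (prev - start).days + 1))
            start = day
        prev = day
    runs.append((start, prev, (prev - start).days + 1))
    return runs


def gaps(runs):
    """Idle days between consecutive bursts."""
    return [(runs[i + 1][0] - runs[i][1]).days - 1 for i in range(len(runs) - 1)]


def classify(days, max_burst_days=5, min_gap_days=7):
    """Label a sender by the shape of its activity (thresholds are assumptions)."""
    runs = bursts(days)
    if len(runs) == 1:
        return "steady" if runs[0][2] > max_burst_days else "single-burst"
    short_bursts = all(length <= max_burst_days for _, _, length in runs)
    if short_bursts and max(gaps(runs)) >= min_gap_days:
        return "intermittent"
    return "steady"


def profile(text, **thresholds):
    """Classify every source IP seen in the log text."""
    return {ip: classify(days, **thresholds)
            for ip, days in active_days(parse_log(text)).items()}


if __name__ == "__main__":
    for ip, label in profile(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
```

Per-message filtering sees each burst in isolation; keeping a per-source history of active days is what lets a responder notice that a host which went quiet three weeks ago is the same one spamming again today, which is the scope-hiding effect the article describes.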