As Necurs Botnet Falls from Grace, Emotet Rises

Researchers wonder if a recent “amateur spam” campaign by the once-prevalant malware distribution botnet is a sign of trojans looking to other infection paths.

A mid-January spam campaign by criminals behind the popular Necurs botnet shows a dramatic drop in skill and savvy by perpetrators. In a shift from sending sophisticated messages with lethal payloads, Necurs botnets are now peddling get-rich-quick spam messages in what researchers are calling “amateur” campaigns.

The lowering of the Necurs bar, according to IBM X-Force researchers, is tied to the fact cybergangs are attempting to up their game and adopt new and more sophisticated attacks that are harder to defend against and spending less time cooking up deadly Necurs-based spam attacks.

Necurs, a prolific and globally dispersed spam and malware distribution botnet, has long been a formidable threat since it was first spotted in 2012. The botnet’s popularity stems from its ability to sneak past spam filters, resulting in high infection rates for its cybercrime clientele and the spreading of malware GameOver Zeus, Dridex,Loki and TrickBot.
However, researchers say that a desire for more targeted attacks and a stronger foothold in networks has forced adversaries over the past year to turn away from Necurs in favor of alternative malware. Most notably, cybercrime groups are now eyeing Emotet as a preferred means of attack over Necurs. Emotet started out as a banking trojan but eventually evolved into a botnet used to distribute malware in enterprise attacks.

“Things are changing and with major banking Trojan botnets moving away from Necurs and to distribution through inter-gang collaborations, Necurs has been left behind to distribute amateur spam campaigns in high volumes,” IBM X-Force researchers said in a Monday post.

Researchers said Necurs has fallen from its once high position as a major malspam carrier for elite cybercrime gangs.

Recently, researchers discovered millions of emails being sent from the Necurs botnet within a matter of hours. The top distributing IPs in this campaign came from Chile, Lithuania and India, they said.

Necurs spam As part of the campaign, victims receive an email linking to a website that peddles a get-rich-quick scam. Specifically victims are exposed to “Bitcoin Era,” a Bitcoin trading platform scam that tells victims they can make money by trading cryptocurrency. This scam has been in circulation in various forms for the past couple of years.

“What’s most striking about these campaigns is not the nature of the email messages they distribute, but rather the extremely high volume of spam sent for each one, millions of messages per day in an aggressive but short-lived campaign that’s a typical Necurs tactic,” researchers said.

Since botnets remain under control of remote attackers, bot-herders are often able to rent access to segments of their botnet on the black market for various actions, such as DDoS (Distributed Denial of Service) attacks, email spam campaigns, financial breaches and more. That’s been the case with Necurs; however, researchers say that the spam campaign may be indicative of more sophisticated banking trojan operators who were previously using Necurs moving away from the botnet as the malware marketplace shifts.

Emotet’s popularity may be taking a significant bite out of the Necurs botnet, researchers said. For instance, over the past two years Dridex, TrickBot and IcedID developers all moved away from Necurs and started instead working with Emotet.

Many banking trojans are moving into the ransomware attack turf and sniffing out more targeted attacks. Consequently, they would be looking for a botnet that already maintains a foothold in specific networks and could provide more information about potential targets, said researchers.

Necurs Botnet IPs

While Necurs has found success sneaking attachment spam gateways, high spam volumes used in recent campaigns have been quickly detected and their IPs blacklisted by security controls, researchers said.

“Emotet, on the other hand, is resident on infected networks, its operators can read email content and one of its targeted infection tactics has been to insert itself into existing conversations between trusted parties inside the organization, then have someone open an attachment internally,” said researchers.

More cyber criminals behind these trojans have also been forming partnerships. That has helped them fill in each other’s skill-set gaps– reducing the need for the capabilities that Necurs can bring to the table. For instance, the operators behind TrickBot and IcedID started a collaboration in 2018 that eventually pulled TrickBot away from Necurs, said researchers. This partnership allowed the two operators to target banking victims and share the profit, by sending IcedID directly as spam via email, and then acting as a downloader for TrickBot.

TrickBot operator’s move away from Necurs also came as the trojan modified its own tactics. The malware has been moving away from wire fraud activity in favor of targeted ransomware attacks that utilize the BitPaymer and DopplePaymer malware strains.

Despite the recent market shifts that have been impacting Necurs, researchers say there may still be hope for the botnet to regain its cybercrime customers: “The Necurs botnet might be peddling scam spam at this time, but this relatively resilient infrastructure has been serving cybercriminals for over eight years now,” they said.

Suggested articles