Necurs botnet is back online after mysterious 3-week hiatus

Necurs – one of the world's largest botnets – is back online after mysteriously going dark for three weeks. The botnet's activities had come to a grinding halt on 31 May when its central C&C (command and control) servers went offline after which security researchers immediately began noticing a drop in spam activities driven by the Locky ransomware.

MalwareTech told IBTimes UK that it first noted some activity early on 12 June, "but it seemed unorganised and looks like a sinkhole attempt as the servers were not responding properly". However, it was a week later, on 19 June that it became clear that Necurs had been activated. "The servers began issuing proper replies though they still remained silent command wise. Around 6.32pm GMT yesterday the botnet issued its first command since 31 May, which began a new spam campaign sending out Locky infected emails, confirming the original botmasters were back in control."

MalwareTech explained in its blog, "The fact that bots will not stop polling the DGA until a C&C server replies with a digitally signed response would suggest that the botmasters are still fully in control of the botnet, or someone else has gotten a hold of the private key."

Security firm AppRiver also corroborated the re-emergence of Necurs in its blog, in which it outlined, "With the Locky campaigns today being very similar to what we've seen before, it looks like Necurs is coming back and ramping up. Whether or not this is a temporary spike or a return to pre-June 1 "normalcy" is too early to tell."

"It's hard to say for certain if we'll see an increase in activity, but during the weeks of downtime there hasn't been any new Locky infection, so I imagine they will probably up their game to make up for lost revenue during the outage," MalwareTech told IBTimes UK.

The firm also pointed out that Necurs now comes with "hardened VM detection", which will likely deter analysts attempting to "keep a closer eye on their spam campaigns and block malicious emails in advance", from monitoring the botnet's activities. MalwareTech also added that the new Locky campaign "has no apparent changes to the campaign itself, but the Locky malware has also undergone some changes designed to stop it from being run in automated malware analysis environments."

When asked if a change of hands may have taken place in who now controls Necurs, MalwareTech responded: "It's unlikely the botnet changed hands due to the fact its tasks have remained unchanged; previously the botnet focused on spamming Locky infected emails and this was the first thing it started doing upon reactivation."

MalwareTech also explains that it is unlikely that the botnet was taken down for upgrades, since that is generally not the practice. The firm also theorises that Necurs "servers were taken down and they were simply too busy with something else and therefore didn't immediately replace them like they usually would."

"One thing is fairly certain and that is Necurs is not dead," MalwareTech asserts. With security researchers keeping a keen eye on the botnet's activities, it is highly likely that more reports about its exploits appear in the future.