Necurs botnet stock scam
This was not the first time that Necurs was abused to send pump-and-dump spam iStock

The Necurs botnet has recently experienced a spike in activity and switched gears from dishing up ransomware to distributing stock scam. The botnet, considered the world's worst botnet, was previously mainly used for widespread distribution of Locky and Dridex ransomware strains. Security researchers noted that Necurs had recently mysteriously gone offline at the start of the year, during which time the distribution of Locky dropped significantly.

Now security researchers at Cisco Talos believe that the botnet operators have shifted focus to distributing spam emails, sending high volumes of penny stock pump-and-dump messages.

The researchers said: "Email campaigns associated with Locky and Dridex generally pose as transaction notifications, and purport to contain shipping notifications, ACH transaction notifications, etc. In this particular campaign, the emails do not contain any hyperlinks to malicious servers or any malicious attachments and are simply claiming to be stock market alerts about a specific stock ticker ($INCT) that the messages claim is about to go higher."

Necurs' operators crafted the new spam email messages to specifically "entice" victims into thinking the fake stock tips included in the email were simply too good to pass up. The researchers described this campaign as a "classic get rich quick scheme".

The researchers also noted that the spam messages were sent out in high volumes as is common with such email campaigns. However, the campaign was short-lived, with the majority of the messages sent within just a couple of hours.

"The stock ticker in question appears to be associated with InCapta Inc, a mobile application development company. The stock has seen a significant increase in the volume of shares being traded."

The researchers also pointed out that this was not the first time that Necurs was abused to send pump-and-dump spam. Similar activity had been observed before in early 2016, just prior to a series of arrests related to an investigation into cybercriminals operating the botnet.

"Necurs is a good example of how over time attackers may change their methodologies as well as the strategies they use to monetise systems under their control," the Cisco Talos researchers concluded.