Tuesday, September 28, 2021

Rising spam a sign that Necurs botnet has returned with new payloads

Noticed that the amount of spam your organization receives has gone up in the past few months, particularly email carrying malicious attachments? It's not just you. Spam volumes are back on the rise, according to Cisco Systems' Talos security intelligence group, and the increase may signal the return of the Necurs botnet, which researchers thought (hoped?) had been disarmed by the June arrests of several people linked to the spread of a Russia-targeted piece of malware named Lurk.

In a blog post published Wednesday, Jaeson Schultz, one of the group's technical leaders, noted that, according to figures from the Composite Blocking List (CBL), the last time spam volumes were this high was in mid-2010.

(Image from Composite Blocking List)

Similarly, SpamCop's own block list held somewhat under 200,000 IP addresses before 2016, grew to an average of roughly twice that this year, and spiked to over 450,000 IPs in August.

Anti-spam systems have been effective so far, and there have been some high-profile takedowns of spam-related botnets, Schultz notes. But high-volume bursts, which try to get through within minutes, before anti-spam defences update their block lists and shut the door, are increasing. Last week, for example, such bursts made up a large portion of all spam sent: 65 per cent on Sept. 12 and 59 per cent on Sept. 13.

Talos believes the increase is largely the work of the Necurs botnet, which has switched from sending mostly Russian dating and stock pump-and-dump spam to sending malicious attachment-based spam that delivers either the Dridex banking malware or Locky ransomware. That makes sense: ransomware has become a lucrative source of income for criminal groups.

Schultz notes that many of the host IPs sending Necurs’ spam have been infected for more than two years. “To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks. This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again.”
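The rotation Schultz describes is the thing a responder's tooling needs to account for: an infected host that goes quiet for weeks has not necessarily been cleaned. The script below is an added example, not code from Talos or from this article, that groups each source IP's spam-flagged deliveries in a mail log into activity episodes and reports the IPs that resurface after a long quiet gap, so the quiet period is treated as a signal rather than as a resolution. The log format, the sample entries and the seven-day gap threshold are all constructed for the example.

```python
"""Flag spam senders that go dormant and then resurface.

Added example, not from the Talos post or the article. The log format,
the sample entries and the gap threshold below are constructed for the
example: a real deployment would read the MTA's own log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <source IP> <verdict>"
# 203.0.113.7 is active for three days, rests for over two weeks, and
# then returns; 192.0.2.9 has a single short episode; 198.51.100.5 is ham.
SAMPLE_LOG = """\
2016-08-01T09:12:00 203.0.113.7 spam
2016-08-01T14:30:00 203.0.113.7 spam
2016-08-02T08:05:00 203.0.113.7 spam
2016-08-03T11:40:00 203.0.113.7 spam
2016-08-04T10:00:00 198.51.100.5 ham
2016-08-20T07:55:00 203.0.113.7 spam
2016-08-21T13:20:00 203.0.113.7 spam
2016-08-22T09:10:00 203.0.113.7 spam
2016-08-05T12:00:00 192.0.2.9 spam
2016-08-06T12:00:00 192.0.2.9 spam
"""


def parse_log(text):
    """Return a list of (timestamp, ip) for spam-flagged lines.

    Malformed lines and non-spam verdicts are skipped rather than raising,
    because a single bad record should not abort a log sweep.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "spam":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1]))
    return events


def episodes_by_ip(events, gap=timedelta(days=7)):
    """Group each IP's spam events into (start, end) episodes.

    Consecutive events closer together than `gap` belong to one episode;
    a pause of at least `gap` starts a new one.
    """
    per_ip = defaultdict(list)
    for ts, ip in sorted(events):
        per_ip[ip].append(ts)
    result = {}
    for ip, stamps in per_ip.items():
        episodes = [[stamps[0], stamps[0]]]
        for ts in stamps[1:]:
            if ts - episodes[-1][1] >= gap:
                episodes.append([ts, ts])
            else:
                episodes[-1][1] = ts
        result[ip] = [(start, end) for start, end in episodes]
    return result


def resurfacing_senders(events, gap=timedelta(days=7)):
    """Return {ip: [(quiet_days, resume_time), ...]} for IPs with >1 episode.

    These are the hosts a responder may have written off as cleaned: they
    stopped sending, stayed quiet for at least `gap`, and then came back.
    """
    out = {}
    for ip, episodes in episodes_by_ip(events, gap).items():
        if len(episodes) < 2:
            continue
        out[ip] = [
            ((episodes[i][0] - episodes[i - 1][1]).days, episodes[i][0])
            for i in range(1, len(episodes))
        ]
    return out


if __name__ == "__main__":
    for ip, gaps in resurfacing_senders(parse_log(SAMPLE_LOG)).items():
        for quiet_days, resumed in gaps:
            print(f"{ip}: resumed spamming {resumed.date()} after {quiet_days} quiet days")
```

Run against a real mail log, the gap threshold should be tuned to the botnet's observed rest period; the point of keeping the episode history per IP is that a host's first quiet week is not evidence of remediation, and the second episode is what should reopen, or keep open, the incident.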

The bottom line is that CISOs have to maintain vigilance against spam. Talos encourages infosec pros to build a layered set of defences to maximize the chances of detecting and blocking these attacks, and security awareness campaigns have to keep teaching employees how to spot malicious attachments.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
