The Necurs Botnet Has a Modular Architecture, Which Allows it to Remain Agile and Switch the Distribution Type
Based on historical patterns and recent activity, including what I consider three small-volume test attacks in the past month, it's looking extremely likely that another major Necurs malware outbreak is looming just around the corner.
I feel a bit like a volcanologist reading charts of "seismic anomalies" during the opening minutes of one of those Hollywood disaster films, but Necurs passed through a period of relative inactivity at the beginning of both 2016 and 2017, and once again here in 2018. But it's not just that – most recently on March 26th Necurs sent a test email in Asia, on the heels of two others, presumably a prelude to new campaigns.
To recap for the less initiated, Necurs is the king of botnets. It's been active since 2012, has an estimated 6 million ‘bots’ at its disposal, and when active, accounts for 90% of all global malware distribution. Necurs has been known to deliver a variety of malicious payloads, from pump-and-dump stock scams to Locky ransomware to the Dridex banking Trojan.
Botnet warm-up exercises
If you look at Necurs over the last two years, a clear pattern leaps out with respect to the ebb and flow of activity. There’s a quiet period at the beginning of the year followed by escalating activity from the (Northern Hemisphere's) spring. It then builds to a peak in the late summer/early fall, followed by little or no activity for months, aside from periodic small-scale distributions (every rule has its exception).
For example, in 2016, our data shows Necurs was active from February to November, building up over the year to its peak activity day on November 21, 2016, with a Locky distribution of roughly 100 million emails. In 2017 (see chart from data below), Necurs was quiet from January through March, with activity really starting up in April and running until November, culminating in a peak distribution of an additional 60 million ransomware files in late summer, on August 28th.
Necurs botnet email activity during 2017 – quiet until April, peak day in August
Condemned to repeat history
The spam distribution on March 29th I mentioned above carried URL links that were downloaders. It was sent to roughly 20,000 recipients in Asia – a tiny number by Necurs standards. So small, in fact, as to compel the conclusion that it must be part of a test regimen, especially when seen in the context of two other small distributions within the past month.
Malware developers can be quite sophisticated and go through their own "QA" processes and test phases for their new "products.” Like any operation, there is a period of evident activity, and a period for gestation of new ideas, development and testing. So, I'm positing that the Necurs gang is therefore in an annual low-level “testing phase” and is likely to kick into high gear again, possibly as soon as this month. While there was a notable Necurs-driven “lonely hearts” spam message distribution during two weeks in February, it doesn't hinder my conclusion that 2018 could potentially shaping up like 2017, and like 2016 before it.
Why Necurs continues year in, year out
Why is it so hard to kill Necurs? Among a variety of reasons, Necurs possesses modular architecture, which enables it to remain agile and change things up when the botnet owner wants to switch the distribution type or partner with other malware distributors. There is also speculation that a sophisticated kernel-mode rootkit feature can disable firewalls and security solutions. Necurs also uses domain generation algorithms (DGAs) to switch up meeting points between their bots and the C&C servers.
But the principle reason we (speaking of the security industry) continue on the defensive and don't take it to Necurs is the obvious difficulty in forming the far-reaching, multi-level coordination and cooperation required to take down such a sophisticated, decentralized and global operation – meaning cooperation between security vendors, ISP's, hosting companies, registrars, IoT manufacturers, law enforcement, policymakers and anyone involved in providing or regulating the pipes through which malware may flow, to begin to name a few.... It’s very easy for ISP's to mitigate botnet traffic, and some of them do (mostly through bot detection and notification to customers). However, because of a lack of policy and laws addressing the issue, it is far from standard practice.
Related: Necurs Returns With New Scarab Ransomware Campaign
Related: Necurs Botnet Distributing Locky Ransomware via Fake Invoices