As you read these lines, millions of infected devices across the globe are distributing spam for a botnet known as “Necurs.” IBM X-Force research monitors billions of spam messages a year and following the activity waves of this army of zombies, we estimate it to be one of the most notorious and well-connected operations in the cybercrime arena in the past decade.

But things are changing and with major banking Trojan botnets moving away from Necurs and to distribution through inter-gang collaborations, Necurs has been left behind to distribute amateur spam campaigns in high volumes. Is Necurs toppling down from its high position as a major malspam carrier for elite cybercrime gangs?

Banking Trojans Holding the Door Open for Targeted Ransomware Attacks

The Necurs botnet boasts a rather high-profile and resilient history since it emerged in 2012, even surviving outages after a law enforcement operation aimed at taking it down. Its expertise has been getting spam through filters well enough to result in good infection rates for its cybercrime clientele. Some of Necurs’ more significant milestones include having been the virtually exclusive channel of distribution for malware like GameOver Zeus, Dridex, Loki and TrickBot, to name a few.

The first Trojan to move away from Necurs was Dridex, leaning more towards working with the Emotet gang. Emotet itself started out as a banking Trojan, and eventually repurposed the botnet to distribute targeted enterprise attacks for other cybercrime groups. Another Trojan that relied on Emotet for targeted distribution was IcedID.

TrickBot seemed to remain a regular Necurs customer, until things started shifting in 2018, when a budding collaboration between TrickBot and another banking Trojan, IcedID, started pulling TrickBot away as well. This partnership of sorts was also the time TrickBot was linked to ransomware attacks that deliver Ryuk, encrypt enterprise devices, and demand millions of dollars in ransom. It meant that TrickBot’s operators were modifying their tactics, following in the footsteps of the Dridex Trojan that gradually reduced its wire fraud activity in favor of big game hunting ransomware attacks using the BitPaymer and DopplePaymer malware strains.

Over 2019, partnerships between banking Trojan gangs moved from being an exception to being the rule. Most of the top banking Trojans included Emotet in their multi-stage infection routine, moving away from distributing malspam through Necurs.

Why Not Necurs?

After years of what appears to have been successful collaboration, why would Necurs’ top customers change their tactics and choose a new infection path?

Looking at the eventual goals of these banking Trojans, which was moving into the high-stakes ransomware attack turf, it is apparent that they had become more targeted than ever. Infecting enterprise users through other botnets that already have a foothold in specific networks and could provide more information about the potential target, along with additional capabilities that Emotet features, for example, can be a driver for this shift.

While Necurs has been rather good at shuffling attachment types and the IPs their spam originates from, high spam volumes were quickly detected by security controls, their IPs blacklisted and attachment content was likely blocked on contact.

Emotet, on the other hand, is resident on infected networks, its operators can read email content and one of its targeted infection tactics has been to insert itself into existing conversations between trusted parties inside the organization, then have someone open an attachment internally, versus something that comes unsolicited or awkward from an external party.

Necurs Delivering Scam Spam

So, what has Necurs been doing while its top customers move away to distribute Trojans for one another? It appears that the botnet’s operators are resorting to spamming whatever they get. Not a foreign concept for Necurs, who through the years has been the source of scam spam variations, some of which have been penny stock scams, cryptocurrency scams, get-rich-quick scams and sextortion spam campaigns.

What’s most striking about these campaigns is not the nature of the email messages they distribute, but rather the extremely high volume of spam sent for each one, millions of messages per day in an aggressive but short-lived campaign that’s a typical Necurs tactic.

Why so many? Sending as much spam as possible is a numbers game, but it can also be indicative of low success rates in bypassing email filtering and controls.

In a mid-January 2020 campaign, we detected across our spam traps, millions of emails were sent within a matter of hours. Top distributing IPs came from Chile, Lithuania and India. A newcomer to the usual top 10 list of countries distributing Necurs spam was Suriname, where local IPs sent 10 percent of all emails in that campaign.

Figure 1: Necurs January 2020 campaign by top spam-sending countries

The ploy, in that case, was a work-from-home scam. The website recipients would reach was yet another version of an old get-rich-fast scam platform known as “Bitcoin Era” that has been in circulation in various forms in the past couple of years, often via Necurs itself.

Figure 2: Get-rich-fast scams delivered via Necurs spam email

Is Emotet Taking a Bite Out of Necurs’ Turf?

Another recent finding from X-Force research are sextortion emails being spread by Emotet. The suspicious thing about these emails is that the format and language are extremely similar to sextortion emails previously spread by Necurs. The emails extort the reader to have them make a Bitcoin payment, and also drop Emotet to infect their device.

Figure 3: January 2020 Sextortion campaigns drop Emotet to spam recipient devices

Have more dubious customers been moving their business to the Emotet gang’s malicious spam operation?

In cybercrime, these things can only be a guess until further proof is found, and it is also quite plausible that a pivotal member of the Necurs group left it to work with the Emotet gang, attracting its contacts to the new “vendor.”

Keep Up to Date on Necurs

The Necurs botnet might be peddling scam spam at this time, but this relatively resilient infrastructure has been serving cybercriminals for over eight years now. What’s next for Necurs? Will it regain its elite cybercrime customers or will it see the same fate as that of the notorious Avalanche Botnet?

X-Force will keep tracking Necurs activity and keeping you up to date. Join us on X-Force Exchange to get the latest in threat intelligence that’s relevant to your work and to better securing your networks.

More from Fraud Protection

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…

What Are the Biggest Phishing Trends Today?

According to the 2022 X-Force Threat Intelligence Index, phishing was the most common way that cyber criminals got inside an organization. Typically, they do so to launch a much larger attack such as ransomware. The Index also found that phishing was used in 41% of the attacks that X-Force remediated in 2021. That's a 33% increase from 2021. One of the biggest reasons threat actors are increasing phishing attacks is that all it takes is one employee to make a…

Top Security Concerns When Accepting Crypto Payment

From Microsoft to AT&T to Home Depot, more companies are accepting cryptocurrency as a way to pay for products and services. This makes perfect sense as crypto coins are a viable revenue source. Perhaps the time is ripe for businesses to learn how to receive, process and convert crypto payments into fiat currency. Still, many questions remain. How can you safely enable customers to pay with Bitcoin or other digital currency? What are the security risks that come with cryptocurrency? Let’s…

NFT Security Risks: Old Scams and New Tricks

The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious-looking domain registrations with names of NFT stores increased nearly 300% in March 2021. To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace account. As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server posing as…