Microsoft has announced it has taken control of the U.S. infrastructure of the Necurs botnet and has taken steps to prevent the botnet operators from registering new domains and the rebuilding the Necurs infrastructure.
The Scale of the Necurs Botnet
The Necurs botnet first appeared in 2012 and has grown into one of the largest spam and malware distribution networks. The botnet consists of around 9 million devices that have been infected with Necurs malware. Each device within the botnet is under the control of the cybercrime group behind the botnet.
The Necurs botnet is used to commit a wide range of cybercrimes by the operators of the botnet as well as other cybercriminal groups who rent out parts of the botnet as a service. The Necurs botnet was used for malware and ransomware distribution, cryptocurrency mining, and attacks on other computers to steal credentials and confidential data. The Necurs botnet also has a distributed Denial of Service (DDoS) module capable of performing massive DDoS attacks, although this function is yet to be used.
The main use of the botnet is spamming. The botnet has been used to send vast quantities of spam email, including emails pushing fake pharmaceutical products, pump and dump stock scams, and Russian dating scams. To give an example of the scale of the spamming, over a 58-day period of observation, Microsoft found that a single Necurs malware-infected computer had sent out 3.8 million spam emails to 40.6 million email accounts. That is just one infected device out of 9 million! In 2017, the botnet was being used to spread Dridex and Locky ransomware at a rate of around 5 million emails an hour and between 2016 and 2019 the botnet was responsible for 90% of email-based malware attacks.
The Takedown of Necurs Infrastructure
Microsoft has tracked the criminal activity of the Necurs botnet operators for 8 years. The gang is believed to be Evil Corp, the Russian cybercriminal group behind the Dridex banking Trojan. Evil Corp has been named the most harmful cybercrime group in the world.
The takedown of the Necurs botnet involved a coordinated effort by Microsoft and partners in 35 countries. Microsoft obtained an order from the U.S. District Court for the Eastern District of New York on March 5, 2020 to seize the U.S. domains used by the botnet operators. These domains were used to issue commands to the 9 million infected computers.
Simply seizing the domains would not be sufficient to take down the botnet, as the botnet’s command and controls servers could be rapidly rebuilt. Domains used by the threat actors are often taken down, so new domains are constantly registered weeks or months in advance.
The key to long-term disruption of the botnet was cracking the algorithm used by the threat actors to generate new domains. Microsoft analyzed the algorithm and calculated more than 6 million domains that would be used by the threat actors over the next 25 months. Steps have been taken to prevent those domains from being registered and becoming part of the Necurs infrastructure.
The 9 million devices around the world are still infected with Necurs malware. Microsoft and its partners have identified the infected devices and are working with ISPs and CERT teams around the world to rid those devices of the malware.