The Many Tentacles of the Necurs Botnet

save
Share and earn Cybytes
Facebook Twitter LinkedIn Email

Over the past five years the Necurs botnet has established itself as the largest purveyor of spam worldwide. Necurs is responsible for emailing massive amounts of banking malware, ransomware, dating spam, pump-n-dump stock scams, work from home schemes, and even cryptocurrency wallet credential phishing. Necurs sends so much spam that at times Necurs’ spam campaigns can make up more than 90% of the spam seen by Cisco Talos in one day.

To conduct a deeper analysis of Necurs, Talos extracted 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017. The result was a collection of over 2.1 million spam messages, sent from almost 1.2 million distinct sending IP addresses in over 200 countries and territories.

Necurs Recipients

From an email marketing and delivery perspective, Necurs doesn’t appear to be too sophisticated. Necurs’ recipient database includes email addresses that have been harvested online, commonly deployed role-based accounts, as well as email addresses that appear to have been auto-generated. These are among the worst, most unreliable sources for obtaining email addresses, and any legitimate email marketer wouldn’t last a day mailing to addresses such as these. Of course, an illegitimate botnet such as Necurs has no such concerns. For many months the email addresses in Necurs database seemed to be largely static; Necurs hasn’t actively added any new addresses for at least the past year, possibly two years or more. In November of 2017, Necurs stopped mailing to many of the autogenerated accounts.

At one of my personal domains, Necurs has been seen mailing to addresses such as ‘equifax@’ –an email address that was originally stolen from Equifax years before the 2017 breach. Necurs also often mails to ‘thisisatestmessageatall@’, another email address I generated and put into the wild, long ago. There are also variations on other legitimate addresses, for example ‘aeson@’, ’20jaeson@’, and ‘eson@’ which are all variations on my address ‘jaeson@’. The number 20 was present at the beginning of many of Necurs recipients. Hex 20 corresponds with the space character and is used in percent-encoding, etc. This provides further indication of the harvested nature of these addresses.

Other addresses in Necurs’ mailing list appear to have been auto-generated. For example ‘EFgUYsxebG@’, ‘ZhyWaTmu@’, and ‘MTAyOvoYkx@’ have never been aliases at my domain that I’ve ever used, and the only mail these accounts ever receive comes from Necurs.

From our set of Necurs’ spam messages, Talos extracted only the user alias portion of the To: address. There are numerous email aliases, such as role-based addresses, that appear to be in Necurs’ recipient DB across many different recipient domains. Strangely, the list also included some odd email aliases deployed at multiple domains such as ‘unity_unity[0-9]@’, ‘petgord32truew@’, ‘iamjustsendingthisleter@’, ‘docs[0-9]@’, and others.

Interestingly, some of these same strange aliases can be found on Project Honeypot’s list of the Top Dictionary Attacker Usernames, though it is unclear whether Necurs obtained their aliases from this list, or whether these aliases made Project Honeypot’s list as a result of Necurs’ spamming activity.

Necurs Sending IPs

Next, Talos extracted the sending IP addresses responsible for transmitting Necurs’ spam emails, and we grouped the data according to geographical location. Rather than being uniformly distributed worldwide, a majority of Necurs’ nodes were concentrated among just a few countries –India (25.7% of total spam), Vietnam (20.3% of total spam), and Iran (7.3% of total spam). More than half (51.3%) of the sending IP addresses in our data came from just these three countries. In contrast, other large industrialized nations were only responsible for tiny fraction of the spam. For example, the United States, was home to 6,314 (less than 1%) of Necurs sending IPs. The country of Russia was only attributed to 38 sending IP addresses out of a nearly 1.2 million total sender IPs!

Talos also analyzed the individual spam campaigns in order to determine how often the sending IP addresses were reused from campaign to campaign. We found very little infrastructure reuse. In fact, none of the sending IP addresses in our data were seen across all thirty-two of the campaigns we extracted. Only three sending IP addresses could be found across thirty of Necurs’ spam campaigns. The vast, vast majority of sending IP addresses, 937,761 (78.6% of the total), were only ever seen in a single Necurs spam campaign! This means that Necurs botnet is large enough to conduct attacks over several months without substantial reuse of most sending nodes –an impressive feat.

To read the rest of this post, visit the Talos blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
Follow
2919 Followers
About Talos
Talos is the industry-leading threat intelligence organization. We detect and correlate threats in real time using the largest threat detection network in the world to protect against known and emerging cyber security threats to better protect your organization.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel