Necurs, the prolific and globally dispersed spam and malware distribution botnet, has been spotted using a fresh hiding technique to avoid detection while quietly adding more bots to its web.
According to research from Black Lotus Labs, which is telecom and ISP provider CenturyLink’s network security arm, Necurs last year began implementing regular, sustained downtime segments for its command-and-control (C2) infrastructure – so that from about May of last year it was active for roughly three weeks before going quiet for two weeks, and then re-emerging again.
Most recently, the spells of downtime have elongated.
“At times, they’ve been known to be inactive for weeks,” the firm said in a blog post on Thursday. “Most recently, the C2s have gone offline for most of the last four months, coming online for short periods of time about once a week.”
“Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities,” said Mike Benjamin, head of Black Lotus Labs, in a media statement. “What’s particularly interesting is Necurs’ regular cadence of going dark to avoid detection, reemerging to send new commands to infected hosts and then going dark again. This technique is one of the many reasons Necurs has been able to expand to more than half a million bots around the world.”