The Necurs botnet is known as the largest spam botnet in the world, particularly for distributing Locky ransomware and Dridex. Now, it looks like Necurs is taking on a new role as someone tries to manipulate the stock market.
The discovery was made by Cisco's threat intelligence organization Talos, which notes that after being offline for several weeks, Necurs is back online.
They noticed that not only was it back online, but it was spreading spam emails. This isn't anything new, since that's how malware is spread most often, but what stood out was the fact that the emails held no link or attachment.
"This is not the first time that Necurs has been used to send high volume pump-and-dump emails. In analyzing previous telemetry data associated with these campaigns, we identified a similar campaign on December 20, 2016 shortly before the Necurs botnet went offline for an extended period. This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet," reads the report.
The regular email campaigns run via Necurs involved messages containing transaction notifications with shipping data, and so on. This time, there are no hyperlinks to malicious servers, malicious attachments or anything similar.
What the emails contain is a market alert about a specific stock ticker - $INCT - which is attributed to InCapta Inc, a mobile app development company. The message says that the stock is going to be bought out at $1.37 per share by DJI, which is a drone company, based on a tip coming from a Manhattan firm. To entice the reader, the email goes on to say that the move would revolutionize the drone industry by creating the first independent drones that can be dispatched to areas of interest such as crime scenes, car chases, wildfires, etc.
Read more: New Spam Campaign via Necurs Botnet Tries to Manipulate the Stock Market