Threatpost reported that the notorious Necurs botnet is back in business after mysteriously going dark for nearly a month. Researchers report that Necurs has returned to spewing massive volumes of email carrying an improved version of the potent Locky ransomware and the Dridex banking Trojan.
According to Proofpoint, which has been tracking Necurs, the criminals behind the botnet began pushing out multimillion-message email campaigns on Monday. This is the first activity Proofpoint has seen from Necurs since it went dark on May 31.
Necurs is widely believed to be one of the largest botnets in operation (with 6.1 million bots) and is responsible for millions of dollars in losses tied to ransomware and Dridex banking Trojan infections.
Here is how the email messages look: "Dear (random name): Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter. Hoping the above to your satisfaction, we remain. Sincerely, (random name and title). "
A second obfuscation technique is what Epstein called a "tap dance within memory" for the cross-module execution of the Locky payload. Through a complex series of steps that includes unpacking the Locky binary via RtlDecompressBuffer and overwriting the original loader image, the attackers relocate Locky's instruction code so that manual analysis of memory dumps is more difficult. Epstein says Proofpoint is already tracking an escalation of Locky campaigns since Necurs came back online; he estimates Necurs is pushing out 80 to 100 million email messages each day.
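The counter to an unpack-overwrite-relocate sequence like the one described above is the check an analyst runs on the dumped regions afterwards: carve every PE header out of each region and ask whether it belongs where it sits. The script below is an added example written for this post, not Proofpoint's tooling and not Locky's code. It builds its own constructed sample regions (a loader region at a hypothetical base of 0x400000 whose header has been overwritten in place by a smaller payload image that also sits relocated further into the region, plus one benign module) and flags three signals: a PE header nested inside a region, a header at the region start whose SizeOfImage disagrees with the region length, and a preferred ImageBase that differs from the address the header sits at. All field offsets are the standard PE32/PE32+ ones; the region bases and sizes are assumptions for the demo.

```python
"""Carve PE headers from memory-region dumps and flag ones that do not
belong where they sit. Added example; the sample regions are constructed
below and nothing here is taken from the Locky loader itself."""
import struct

PE32, PE32PLUS = 0x10B, 0x20B


def build_min_pe(image_base, size_of_image, pe32plus=False, filler=b"\xcc"):
    """Minimal, non-runnable PE image (DOS header, PE signature, COFF and
    optional header, padding). Only the fields the scanner reads are set."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, PE32PLUS)
        struct.pack_into("<Q", opt, 24, image_base)              # ImageBase
    else:
        struct.pack_into("<H", opt, 0, PE32)
        struct.pack_into("<I", opt, 28, image_base)              # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)               # SizeOfImage
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return img + filler * (size_of_image - len(img))


def parse_pe_at(buf, off):
    """Return header fields if a plausible PE header starts at buf[off], else None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or pe + 24 + 60 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if opt_size < 60 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32:
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == PE32PLUS:
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    return {"offset": off, "machine": machine, "sections": nsec,
            "image_base": image_base,
            "size_of_image": struct.unpack_from("<I", buf, opt + 56)[0]}


def scan_region(region, region_base):
    """Walk one dumped region (bytes) mapped at region_base and flag:
    nested        - a PE header that is not at the start of the region
    size_mismatch - header at region start whose SizeOfImage disagrees with
                    the region length (loader image overwritten by a payload)
    base_mismatch - preferred ImageBase differs from where the header sits;
                    noisy under ASLR, so cross-check with the module list."""
    hits = []
    pos = region.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_at(region, pos)
        if hdr:
            hdr["va"] = region_base + pos
            hdr["nested"] = pos != 0
            hdr["size_mismatch"] = pos == 0 and hdr["size_of_image"] != len(region)
            hdr["base_mismatch"] = hdr["image_base"] != hdr["va"]
            hdr["suspicious"] = hdr["nested"] or hdr["size_mismatch"]
            hits.append(hdr)
        pos = region.find(b"MZ", pos + 1)
    return hits


def build_sample_regions():
    """Constructed dumps (assumed bases/sizes): (1) a loader region at 0x400000
    whose header was overwritten in place by a 0x2000-byte payload image that
    also sits relocated at +0x3000; (2) a benign module matching its region."""
    loader_base, loader_size = 0x400000, 0x6000
    payload = build_min_pe(0x10000000, 0x2000)
    loader = bytearray(build_min_pe(loader_base, loader_size, filler=b"\x90"))
    loader[0:len(payload)] = payload                  # overwritten loader image
    loader[0x3000:0x3000 + len(payload)] = payload    # relocated copy
    benign_base = 0x7FF700000000
    benign = build_min_pe(benign_base, 0x4000, pe32plus=True)
    return [(bytes(loader), loader_base), (benign, benign_base)]


if __name__ == "__main__":
    for region, base in build_sample_regions():
        for h in scan_region(region, base):
            print(f"{h['va']:#x} hdr@{h['offset']:#x} base={h['image_base']:#x} "
                  f"size={h['size_of_image']:#x} nested={h['nested']} "
                  f"size_mismatch={h['size_mismatch']} base_mismatch={h['base_mismatch']}")
```

Run against real dumps, feed `scan_region` the bytes and base of each private committed region from your memory-forensics tool of choice; treat `nested` and `size_mismatch` as the strong signals, and use `base_mismatch` only after comparing against the loaded-module list, since ASLR relocates legitimate images too.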
Find out which of your users' email addresses are exposed before the bad guys do.
The Email Exposure Check is a one-time free service. We will email you back a report listing the exposed addresses and where we found them within 2 business days, or sooner.
(Hat Tip to Tom Spring at Kaspersky's Threatpost).