Necurs Botnet is Back, Updated With Smarter Locky Variant

The notorious Necurs botnet is back in business, after mysteriously going dark for nearly a month. Researchers report the Necurs has returned to spewing massive volumes of email containing an improved version of the potent Locky ransomware and the Dridex banking Trojan.

According to Proofpoint which has been tracking Necurs, criminals behind the botnet began pushing out multimillion email message campaigns on Monday. This new activity is the first life Proofpoint has seen from the Necurs Botnet since it went dark on May 31.

“Analysis of the sending IPs associated with this campaign suggest that the Necurs spam cannon is functional again and, unfortunately, we expect both Dridex and Locky email campaigns to begin again in earnest,” wrote Proofpoint in its analysis of Necurs posted Thursday.

Necurs is widely believed to be one of the largest botnets (with 6.1 million bots) functioning and responsible for millions in dollar losses tied to ransomware and Dridex banking Trojan infections. Locky ransomware is best known for its $17,000 payday when it encrypted and held for ransom data owned by the Hollywood Presbyterian Medical Center in California back in February. Dridex, for its part, has netted tens of millions of dollars from victims based in the United Kingdom and the United States via banking Trojans infecting PCs.

For months Necurs, Dridex and Locky had honed an effective crime formula netting between $100,000 and $200,000 a day in criminal activity, Proofpoint estimates. Then on June 1 Necurs disappeared plummeting the volumes of Locky and Dridex infections.

“We have no idea why Necurs stopped, but we theorize it may have had something to do with a glitch in the command-and-control function of the botnet,” said Kevin Epstein, vice president of Threat Operations Center at Proofpoint.

Necurs activity was also spotted by researchers at AppRiver, MalwareTech and Deloitte’s Cyber Risk Services. Deloitte notes that the email messages delivered read as follows:

Dear (random name): Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter. Hoping the above to your satisfaction, we remain. Sincerely, (random name and title).  

Email delivering the zipped JavaScript distributing Locky ransomware - Proofpoint

Email delivering the zipped JavaScript distributing Locky ransomware – Proofpoint

Proofpoint said the Locky campaigns included zip attachments containing JavaScript code. Researchers also note that the new loader component to Locky included new anti-analysis tricks.

One of those tricks includes detecting whether or not it is running within a sandbox test environment versus a live infection. It does this via a complicated mathematical analysis measuring the time it take for the ransomware to execute API calls. “The malware compares the number of CPU cycles that it takes to execute certain Windows APIs. As you would expect, it takes more cycles in a VM environment to execute most Windows functions,” wrote Proofpoint.

A second obfuscation technique includes what Epstein a “tap dance within memory” for the cross-module execution of the Locky payload. Through a complex series of steps that include unpacking the Locky binary via RtlDecompressBuffer and overwriting the original loader image, attackers can relocate Locky instruction code in order to make manual analysis of memory dumps more difficult.

Epstein says Proofpoint is already tracking an escalation of Locky campaigns since Necurs came back online. He estimates Necurs is pushing out 80 to 100 million email messages each day.