Securelist Report: The Largest Botnet is Nearly Dormant

According to the Kaspersky Lab Securelist report “Spam and Phishing in Q1 2017,” activity from the world’s largest botnet sharply dropped and almost ceased completely in late December 2016. For almost the entirety of the first quarter of 2017, the Necurs botnet sat in a dormant state. Because Necurs is one of the largest distributors of spam, mainly emails with malicious attachments, the number of malicious emails fell too.

Researchers at Securelist noted that the Necurs botnet was still active and the bots waited for commands; they wrote that the server was prepared for an uptick in activity. But the reason behind the decline in use—so suddenly and at a time when mail-spam seemingly peaked—remained unknown. “Perhaps the criminals behind the botnet got scared by all the fuss made about encryptors and decided to temporarily suspend their mass mailings,” researchers wrote.

The spam and generally malicious email content spewed by the botnet remained the same. Official-looking bills, invoices, and even government documents, all sent by email, maintained their position from 2016 in relative frequency, though not in quantity. These often involved a fake Microsoft Word document that, when opened, invoked a series of commands (macros) and silently downloaded a trojan of some sort. We covered an example of this in January 2017.

In January, DeepDotWeb reported a statewide announcement by the State Criminal Police Office in Rhineland-Palatinate. They warned of “invoice fraud” ransomware. One company’s logo and letterhead landed in inboxes and, aside from the phone number displayed, looked identical to the real thing. It came with two files: a PDF that, at the time, was completely safe, and an Excel spreadsheet that, “once opened, […] infects computers with ransomware.”

Researchers came across another form of fraud that originated from the Necurs botnet: pump-and-dump stock schemes that hit with extreme effectiveness. The size of the botnet allows a scammer to send out a massive number of emails in no time at all. Instead of slowly waiting for word to spread, usually over an entire quarter, the orchestrators finish within two to three days.

A trend independent of the Necurs botnet was spotted in malware delivered in password-protected archives. They come in an email and, like other current frauds, take the form of a message from a trustworthy company. Securelist researchers said that recipients are more trusting of password-protected documents. Once the user interacts with the file in the “correct manner,” a script downloads the Andromeda bot which, in turn, connects to a C2 server.

Fake notifications from online stores have also popped up. One example executes a piece of malware from a heavily modified variant of Zeus, the predecessor to the Floki Bot.

“This fake notification from an e-store contains a malicious script. On entering the password and launching the malicious content, the Receipt_320124.lnk file is created in the %TEMP% catalogue. It, in turn, downloads a Trojan-banker of the Sphinx family, which is a modification of the older and infamous Zeus, on the victim’s computer.”

Of the top ten malware families in 2017, only number nine changed: Trojan-Downloader.MSWord.Cryptoload. If it is anything like other Microsoft Word trojan downloaders, the victim machine needs macros enabled, and this frequently requires social engineering of some sort. Number five has become a more popular “malware as a service” tool on the darknet, Securelist researchers wrote.

Other than some insignificant movements regarding percentages of spam emails per country or top target sectors (finance), little else changed in Q1 2017. Meanwhile, researchers attempt to find a reason for the sudden near-dormancy of the Necurs botnet. They expect it to return and create more email-related cybercrime than ever before.