Microsoft Disrupts Necurs Botnet
Cybercriminals Thwarted From Using Infrastructure for Attacks
Microsoft along with its partners from 35 countries has taken coordinated legal and technical action to disrupt Necurs, one of the largest botnets in the world, the company announced in a Tuesday blog post.
The disruption will help ensure that the cybercriminals behind Necurs will not be able to use major parts of the infrastructure to carry out cyberattacks, Microsoft says.
A court order from the U.S. District Court for the Eastern District of New York enabled Microsoft to take control of U.S.-based infrastructure the botnet used to distribute malware and infect computers, according to the blog by Tom Burt, the company's corporate vice president of customer security and trust.
Since it was first observed in 2012, Necurs has grown into one of the largest networks of infected computers, affecting more than 9 million computers globally. Once infected, the computers can be controlled remotely to commit crimes, the blog says.
During its operation to take down Necurs, Microsoft says it observed one Necurs-infected computer send 3.8 million spam mails to more than 40.6 million targets over a 58-day period.
The criminals behind Necurs, who are believed to be from Russia, use the botnet for phishing campaigns, pump-and-dump stock scams, dating scams and fake pharmacy spam, and to spread banking malware and ransomware. The Necurs gang also rents out access to infected computers to other cybercriminals as a botnet-for-hire service, according to the blog.
In 2018, Necurs was used to infect endpoints with a variant of the Dridex banking Trojan, which was used to target customers of U.S. and European banks and steal their banking credentials (see: Dridex Banking Trojan Phishing Campaign Ties to Necurs).
Researchers from Cisco's Talos security group also noted in 2017 that Necurs had shifted from distributing ransomware to sending spam emails aimed at manipulating the price of cheap stocks (see: Necurs Botnet Shifts from Ransomware to Pump-and-Dump Scam).
Necurs was also found to have distributed the password-stealing GameOver Zeus Banking Trojan that the FBI and Microsoft worked to clean up in 2014, according to the blog.
Domain Registration Blocked
Microsoft says it disrupted the network by taking away Necurs' ability to register new domains. The company analyzed the domain generation algorithm the botnet uses to produce the new domains its infrastructure relies on.
After analyzing the algorithm, the company was able to predict over 6 million unique domains that Necurs would have created over the next 25 months, the blog states. Microsoft says it reported the domains to the registries so they could be blocked before they could join the Necurs infrastructure.
Microsoft says its actions will prevent the cybercriminals using Necurs from registering new domains to carry out more attacks, which should significantly disrupt the botnet.
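The takedown approach described above rests on one property of a domain generation algorithm: once the algorithm and its inputs are known, a defender can run it forward over future dates and hand the results to registries or sinkholes before the malware ever asks for them. The block below is an added example and is not Microsoft's code or Necurs' real algorithm. It uses a constructed, date-seeded toy DGA whose parameters (TLDS, DOMAINS_PER_PERIOD, PERIOD_DAYS, SEED_SALT, EXAMPLE_START) are all assumptions, enumerates its output over a 25-month horizon into a blocklist, and matches constructed resolver log lines against that list.

```python
"""Pre-computing a DGA's future output so the domains can be blocked in advance.

Added illustration only: the DGA here is a constructed, date-seeded generator
with assumed parameters, not Necurs' actual algorithm. It shows the workflow of
enumerating future domains, building a blocklist and checking observed DNS
lookups against it.
"""
import hashlib
from datetime import date, timedelta

# Assumed parameters for the toy DGA (not Necurs' values).
TLDS = ("com", "net", "biz", "info")
DOMAINS_PER_PERIOD = 8             # real DGAs emit far more; kept small here
PERIOD_DAYS = 4                    # the seed rotates every PERIOD_DAYS days
SEED_SALT = b"example-dga-seed"    # hard-coded secret the malware would carry
EXAMPLE_START = date(2020, 3, 10)  # constructed start date for the example


def period_index(day: date) -> int:
    """Every day inside one PERIOD_DAYS window maps to the same index, hence the same seed."""
    return day.toordinal() // PERIOD_DAYS


def domains_for_period(p: int) -> list[str]:
    """Deterministically derive a period's domains from the salt and the period index."""
    seed = SEED_SALT + p.to_bytes(4, "big")
    out = []
    for i in range(DOMAINS_PER_PERIOD):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 8  # label of 8..15 lowercase letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return out


def domains_for_day(day: date) -> list[str]:
    """Domains the toy DGA would contact on a given calendar day."""
    return domains_for_period(period_index(day))


def periods_covered(start: date, days: int) -> int:
    """Number of distinct seed periods touched by `days` days starting at `start`."""
    return period_index(start + timedelta(days=days - 1)) - period_index(start) + 1


def precompute_blocklist(start: date, days: int) -> set[str]:
    """Enumerate every domain the DGA will produce from `start` for `days` days.

    Walking period indices rather than calendar days avoids recomputing a period
    and cannot skip one at a window boundary.
    """
    first = period_index(start)
    blocklist: set[str] = set()
    for p in range(first, first + periods_covered(start, days)):
        blocklist.update(domains_for_period(p))
    return blocklist


def is_predicted(domain: str, blocklist: set[str]) -> bool:
    """Normalise a queried name as resolvers log it (case, trailing dot) before lookup."""
    return domain.lower().rstrip(".") in blocklist


def flag_dga_lookups(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs from "<ts> <client> <qname> <qtype>" lines hitting the list."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than crash the sweep
        _ts, client, qname, _qtype = parts[:4]
        if is_predicted(qname, blocklist):
            hits.append((client, qname.lower().rstrip(".")))
    return hits


if __name__ == "__main__":
    # 25 months is roughly 750 days, the horizon quoted for the Necurs prediction.
    bl = precompute_blocklist(EXAMPLE_START, 750)
    print(f"{len(bl)} domains across {periods_covered(EXAMPLE_START, 750)} periods")
    sample_log = [  # constructed resolver log lines
        f"2020-03-11T10:02:13Z 10.0.0.5 {domains_for_day(EXAMPLE_START)[0].upper()}. A",
        "2020-03-11T10:02:14Z 10.0.0.5 www.example.com A",
        "garbage",
    ]
    print(flag_dga_lookups(sample_log, bl))
```

The size of the output (a few thousand names here, millions in the Necurs case) is what makes this a registry-level action rather than a simple blocklist update: the domains have to be reserved or sinkholed before the operators can register them. Normalising case and the trailing dot before lookup matters because resolver logs record query names in whatever form the client sent, and a miss on a predicted domain defeats the point of the exercise.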
The company also says it has partnered with internet service providers around the world to work on ridding customers’ computers of the malware associated with Necurs.
Microsoft has also collaborated with industry partners, government officials and law enforcement agencies through its Microsoft Cyber Threat Intelligence Program to provide insights into cybercrime infrastructure.
The countries working with Microsoft include Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others, according to the blog.