Names | Monty Spider (CrowdStrike), Gold Riverview (SecureWorks) | |
Country | Russia | |
Motivation | Financial gain | |
First seen | 2012 | |
Description | (IBM) Necurs emerged in 2012 as an infector and rootkit, and quickly partnered with elite cybercrime gangs to become part of the top spamming and infection forces in the malware realm. Unlike most botnets, Necurs stands out due to its technical complexity, partnership diversity and continued evolution in an era when even the most complex malicious infrastructures can no longer withstand disruption. In the past year alone, we have seen Necurs take on various roles. Linked with the spam distribution of the Dridex gang, it is used to spread one of the world’s most nefarious banking Trojans. It also moved to mass distributing Locky, Dridex’s ransomware child, then added distributed denial-of-service (DDoS) attacks. Most recently, Necurs moved to pump-and-dump stock scam distribution before returning to spreading millions of Dridex-laden spam emails a day. Necurs has been observed to distribute Dridex (Indrik Spider), Locky (Dungeon Spider), TrickBot (Wizard Spider, Gold Blackburn) and much of the malware from TA505, Graceful Spider, Gold Evergreen. | |
Observed | Countries: Worldwide. | |
Tools used | Necurs. | |
Operations performed | Feb 2016 | Necurs.P2P – A New Hybrid Peer-to-Peer Botnet <https://www.malwaretech.com/2016/02/necursp2p-hybrid-peer-to-peer-necurs.html> |
Jan 2017 | From the start, it became apparent that Locky's growth was powered by Necurs, a huge botnet of infected devices used to send email spam. <https://www.bleepingcomputer.com/news/security/numbers-show-locky-ransomware-is-slowly-fading-away/> | |
Mar 2017 | Spam Sent by Necurs Botnet Is Trying & Succeeding in Altering Stock Market Prices <https://www.bleepingcomputer.com/news/security/spam-sent-by-necurs-botnet-is-trying-andamp-succeeding-in-altering-stock-market-prices/> | |
Oct 2017 | Necurs Malware Will Now Take a Screenshot of Your Screen, Report Runtime Errors <https://www.bleepingcomputer.com/news/security/necurs-malware-will-now-take-a-screenshot-of-your-screen-report-runtime-errors/> | |
Nov 2017 | During the month of November, the Necurs botnet has returned to Check Point’s Global Threat Index’s top ten most prevalent malware. <https://blog.checkpoint.com/2017/12/11/novembers-wanted-malware-return-necurs-botnet-brings-new-ransomware-threat/> | |
Jan 2018 | World's Largest Spam Botnet Is Pumping and Dumping an Obscure Cryptocurrency <https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/> | |
Apr 2018 | World's Largest Spam Botnet Finds a New Way to Avoid Detection... For Now <https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/> | |
Jun 2018 | Necurs Poses a New Challenge Using Internet Query File <https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-new-challenge-using-internet-query-file/> | |
Aug 2018 | Necurs Targeting Banks with PUB File that Drops FlawedAmmyy <https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/> | |
Jun 2019 | Necurs Spam uses DNS TXT Records for Redirection <https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/necurs-spam-uses-dns-txt-records-for-redirection/> | |
Jan 2020 | Has Necurs Fallen From (Cybercrime) Grace? Elite Malware Botnet Now Distributes Clunky Scams <https://securityintelligence.com/posts/has-necurs-fallen-from-cybercrime-grace-elite-malware-botnet-now-distributes-clunky-scams/> | |
Counter operations | Mar 2020 | Today, Microsoft and partners across 35 countries took coordinated legal and technical steps to disrupt one of the world’s most prolific botnets, called Necurs, which has infected more than nine million computers globally. <https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/> |
Information | <https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/> <https://www.netformation.com/our-pov/casting-light-on-the-necurs-shadow/> <https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html> <https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/> |
Last change to this card: 10 August 2021