After a mysterious absence, the Necurs botnet has returned -- and it's moved away from distributing Locky ransomware.
After three months of near inactivity, one of the world's most prolific mailing botnets has returned - apparently re-purposed to carry out different cybercriminal activity.
The Necurs botnet was one of the biggest distributors of malware during 2016, sending millions of malicious emails in an effort to spread Locky ransomware. Locky became the most high-profile form of ransomware of 2016, before mysteriously appearing to cease operations in late December.
It was speculated that the campaign dropped as the criminal actors behind it went on a Christmas holiday, but Necurs didn't return -- until now.
Cybersecurity researchers at Symantec have detailed how the group behind Necurs began putting new command and control servers online in February before renewing spamming operations on March 20.
Since that date, Symantec says it has been blocking 100,000s of emails every hour that the campaign is running -- and that figure only represents a small proportion of the total volume of spam being sent by the botnet.
Necurs spam volumes logged since its return. Image: Symantec
But this time, those behind the botnet are using their army of zombie devices not to deliver ransomware, but for something else entirely.
These emails claim to offer the target tips on stocks, often pretending that the victim has previously signed up to an investment newsletter. The email claims that the sender has inside information about a company, which is about to be sold for a price per share more than ten times what it is currently trading for.
The emails appear to be part of a classic 'pump and dump' stock scam, Symantec said. Those behind the scams acquire large amounts of stock in small companies, then use the emails to spread fake rumours about a major buyout or a new product.
Once the stock price rises, the criminals sell their shares, leaving anyone who actually bought shares as a result of the ruse out of pocket and with very little chance of recouping their investment.
The return of Necurs indicates the botnet hasn't lost any of its capabilities. Many of the hosts within Necurs have been infected for over two years, but the botnet uses techniques to stay as well hidden as possible. Often, infected hosts are used to send spam for two or three days, then rested for two or three weeks before continuing to send malicious messages.
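The send-then-rest pattern described above is something defenders can look for in their own outbound mail telemetry. The following is an added example, not code from Symantec or the original article: it flags internal hosts whose outbound SMTP activity comes in bursts of at most three days separated by rests of two to three weeks. The sample records, host addresses, start date and the `min_conns` threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

START = date(2024, 1, 1)  # constructed start date for the sample data

def days_for(host, offsets, conns):
    """Build (day, host, outbound SMTP connections) records for the sample."""
    return [(START + timedelta(days=o), host, conns) for o in offsets]

# Constructed sample telemetry, one record per host per active day.
SAMPLE = (
    days_for("10.0.0.5", [0, 1, 2, 20, 21, 40, 41, 42], 4000)  # burst, rest, burst
    + days_for("10.0.0.9", range(0, 43), 5000)                 # mail relay, sends daily
    + days_for("10.0.0.7", [5], 3000)                          # one isolated burst
)

def bursts(active_days):
    """Group active days into runs of consecutive calendar days."""
    runs = []
    for d in sorted(active_days):
        if runs and (d - runs[-1][-1]).days <= 1:
            runs[-1].append(d)
        else:
            runs.append([d])
    return runs

def duty_cycle_hosts(records, min_conns=1000, max_burst=3,
                     min_rest=14, max_rest=21):
    """Return {host: [rest lengths in days]} for hosts with at least two
    short sending bursts separated by two-to-three-week quiet periods.
    min_conns is an assumed threshold; tune it to the local baseline."""
    active = defaultdict(set)
    for day, host, conns in records:
        if conns >= min_conns:
            active[host].add(day)
    flagged = {}
    for host, days in active.items():
        runs = bursts(days)
        # A legitimate relay sends continuously; a single burst is not a cycle.
        if len(runs) < 2 or any(len(r) > max_burst for r in runs):
            continue
        rests = [(b[0] - a[-1]).days - 1 for a, b in zip(runs, runs[1:])]
        if all(min_rest <= r <= max_rest for r in rests):
            flagged[host] = rests
    return flagged

if __name__ == "__main__":
    print(duty_cycle_hosts(SAMPLE))
```

Run over a lookback shorter than one full burst-plus-rest cycle, the same host shows only a single burst and is not flagged, so the analysis window has to span several weeks of retained logs.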
It's currently unknown if Necurs will once again be used to start spreading malware in future -- but the success of the network means it remains a threat.
"The sheer size of its operations means that it will pose a threat regardless of what it is distributing," say Symantec cybersecurity researchers.
It was previously thought that Necurs had resumed activity in January, but cybersecurity researchers now believe that the associated Locky spam campaign was the work of a different cybercriminal group.