Application security, Application security, Threat Management, Malware

Necurs botnet operation dismantled; millions of malicious domains disabled

A coalition of security-minded organizations led by Microsoft struck a major blow against the mighty Necurs botnet -- one of the largest in world -- dismantling its infrastructure in a global takedown.

Empowered by a court order, Microsoft not only took control of the Necurs operators' web domains, but it blocked an additional 6 million domains that the company predicted would be used by the cybercriminal organization over the next 25 months. Microsoft executed this preemptive move by analyzing Necurs' domain name generation (DNG) algorithm, extrapolating future domains based on said algorithm, and then reporting the domains to global registries so they could block them.

Necurs botnet malware is closely associated with the Russian cybercriminal group Evil Corp, which has used its botnet capabilities to distribute Dridex and TrickBot banking malware, the Locky and BitPaymer ransomware, and the Zeus trojan. Last December, the U.S. Justice Department announced that it filed hacking and bank fraud charges against two of its suspected members, including Maksim Yakubets, who has worked for the Russian intelligence agency FSB.

Evil Corp has been tied to a long rap sheet of malicious schemes, including stock scams, pharma spam campaigns, Russian dating scams, cyberattacks, crypto mining and the stealing of credentials, personal data and financials information. Moreover, the criminal outfit has rented out its robust infrastructure to other cybercriminals as a botnet service.

Since rearing its ugly head in 2002, the Necurs botnet has infected more than 9 million computers across the globe, said Tom Burt, corporate vice president of customer security and trust, in a blog post this week detailing the takedown operation. According to Burt, the operation took eight years of tracking and planning, and required the help of public and private partners around the world. Key among these partners was security ratings company BitSight, which provided additional commentary on the operation and the Necurs botnet infrastructure in its own blog post authored by researcher Valter Santos, senior security analyst.

From 2016 to 2019, Necurs was to blame for 90 percent of all malware spread via email, Santos reported. At one point during a 58-day period, one Necurs botnet-controlled computer sent out 3.8 million spam emails to over 40.6 million machines, Burt added.

It was the U.S. District Court for the Eastern District of New York that issued the order to disable the domains -- a decision precipitated by a March 5 legal complaint that Microsoft filed against Necurs' operators, who are identified as John Doe 1 and 2 in the official documents. In the complaint, Microsoft seeks injunctive relief and damages based on alleged violations of the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, and seven additional claims.

"Necurs arrives into a victim’s system by being downloaded by other malware, through either spammed email attachments or malicious advertisements. Once on a system, Necurs utilizes its kernel mode rootkit capabilities to disable a large number of security applications, including Windows Firewall, both to protect itself and other malware on the infected system," the complaint states, describing the nature of the threat.

Victim machines that are "zombified" by the Necurs malware communicate with the attackers' command-and-control infrastructure using a combination of centralized and peer-to-peer (P2P) communication channels. The malware interacts with malicious domains that are hard-coded into its programming as well as the aforementioned DGA domains that are dynamically generated. It was the objective of the crackdown operation to neutralize both categories of domains.

Following the crackdown, Microsoft and its allies have been helping victims eradicate the botnet malware on their machines. "This remediation effort is global in scale and involves collaboration with partners in industry, government and law enforcement via the Microsoft Cyber Threat Intelligence Program (CTIP)," said Burt.

"For this disruption, we are working with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others," Burt added.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.