The Necurs botnet is known as the largest spam botnet in the world, particularly for distributing Locky ransomware and Dridex. Now, it looks like Necurs is taking on a new role as someone tries to manipulate the stock market.
The discovery was made by Cisco’s threat intelligence organization Talos, which notes that after being offline for several weeks, Necurs is back online.
They noticed that not only was it back online but it was spreading spam emails. This isn’t anything new, since that’s how malware is most often spread, but what stood out was that the emails held no link or attachment.
“This is not the first time that Necurs has been used to send high volume pump-and-dump emails. In analyzing previous telemetry data associated with these campaigns, we identified a similar campaign on December 20, 2016 shortly before the Necurs botnet went offline for an extended period. This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet,” reads the report.
No hyperlinks to malicious servers, malicious attachments
Regular Necurs email campaigns have involved messages such as transaction notifications with shipping data. This time, there are no hyperlinks to malicious servers, malicious attachments or anything similar.
What the emails contain is a market alert about a specific stock ticker – $INCT – which is attributed to InCapta Inc, a mobile app development company. The message says that the stock is going to be bought out at $1.37 per share by DJI, which is a drone company, based on a tip coming from a Manhattan firm. In order to entice the reader, the email further goes on to say that the move would revolutionize the drone industry by creating the first independent drones that can be dispatched to areas of interest such as crime scenes, car chases, wild fires, etc.
“The network of drones operates by connecting to a cloud and complex algorithms efficiently dispatch the drones within moments of an incident being reported. This way the media outlet that owns the drones can be the first to the scene and get exclusive, live-streamed,” the message reads, adding an even more enticing element.
To add some urgency to the situation, the email claims the buyout is supposed to be announced on March 28 and recommends purchasing before then, saying that DJI is certainly going to pay a lot more than the current value, which the message presents as a sure-fire way to get rich.
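Because these messages carry no URL or attachment for a mail scanner to inspect, filtering has to rely on the text itself. The sketch below is an added example, not code from Talos or from this article: the regular expressions, signal names and the two-signal threshold are assumptions, and both sample messages are constructed from the details described above.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Content signals (assumed heuristics): ticker cashtag, per-share price, call to buy.
CONTENT = {
    "cashtag": re.compile(r"\$[A-Z]{2,5}\b"),
    "per_share_price": re.compile(r"\$\d+(?:\.\d+)?\s+per\s+share", re.I),
    "buy_call": re.compile(r"\b(?:buy|purchase|buyout|bought out)\b", re.I),
}

def stock_spam_signals(raw: str) -> set:
    """Return the heuristic signals present in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    content = body.get_content() if body is not None else ""
    text = f"{msg['Subject'] or ''}\n{content}"
    signals = {name for name, rx in CONTENT.items() if rx.search(text)}
    # Structural trait from the article: nothing for URL or attachment scanners.
    if not URL_RE.search(text) and not list(msg.iter_attachments()):
        signals.add("no_link_no_attachment")
    return signals

def is_stock_spam_suspect(raw: str) -> bool:
    # Flag only link-less, attachment-less mail with at least two content signals.
    s = stock_spam_signals(raw)
    return "no_link_no_attachment" in s and len(s & CONTENT.keys()) >= 2

# Constructed sample messages (not captured traffic).
STOCK_TIP = """\
From: alerts@example.test
Subject: Market alert: $INCT

$INCT will be bought out at $1.37 per share.
The buyout is to be announced on March 28. Purchase before then.
"""

SHIPPING = """\
From: orders@example.test
Subject: Your order has shipped

Thank you for your purchase. Total: $13.70.
Track it at https://shop.example.test/track/123
"""

if __name__ == "__main__":
    for name, raw in (("stock tip", STOCK_TIP), ("shipping", SHIPPING)):
        print(name, sorted(stock_spam_signals(raw)), is_stock_spam_suspect(raw))
```

The shipping notice still trips the `buy_call` signal, which is why a single content match is not treated as enough to flag a message.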