Necurs is one of the largest botnets in the world. It is best known for spreading malware like the Locky and Dridex cryptolockers. In 2016 it was responsible for more than 90% of the malware spread by email. Last December, Necurs went silent, and since then no email activity containing this malware was observed until March 22.
In the following 24 hours, Necurs launched two bursts of emails containing spam. This huge botnet has a worldwide distribution.
This spam wave is only a plain text message. No attachments, no URLs, only a message tipping you off about an imminent acquisition of “Incapta Incorporated”.
As a result, Incapta Incorporated stock spiked. Some hours later came another burst, with another message of similar content, and this kept the stock at a high value.
Today similar waves are still hitting our spam traps. It’s not a sustained peak, but the botnet is still sending spam en masse.
This kind of spam is known as “Pump & Dump” and is not new, even for Necurs. However, this pump & dump spam is a change from what we were seeing coming from Necurs in the last few months.
One thing is for sure: the Necurs botnet is back in action, whether with ransomware or pump & dump spam.
José Ferreira, Email Security Expert at AnubisNetworks