Microsoft has announced that it has successfully disrupted a massive botnet believed to have infected more than 9 million computers worldwide. Called ‘Necurs’, the malware botnet allowed cyber-criminals to remotely control compromised machines and use them to send spam mails, run ‘dating’ scams and more.
“Necurs is also known for distributing financially targeted malware and ransomware, cryptomining, and even has a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment”, said Microsoft on its official blog. According to the company, the Necurs botnet is one of the largest networks in the spam email ecosystem, with victims in nearly every country in the world. “During a 58-day period in our investigation, for example, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims”, said the company.
Believed to be operated by criminals based in Russia, the malware infects a victim’s system through either spam email attachments or malicious advertisements. “Once on a system, Necurs utilizes its kernel mode rootkit capabilities to disable a large number of security applications, including Windows Firewall, both to protect itself and other malware on the infected system”, claimed cyber-security ratings platform BitSight, which worked alongside Microsoft to take down the botnet.
Necurs was first detected in 2012 by Microsoft’s Digital Crimes Unit and others in the cyber-security community. It is used in a variety of illegal activities, but is “primarily known as a dropper for other malware, including GameOver Zeus, Dridex, Locky, Trickbot and others”. Its main uses have been as a spambot to deliver ransomware, financial malware and for running pump-and-dump stock scams. According to BitSight, it was the most prominent method to deliver spam and malware by criminals between 2016 and 2019, and was responsible for 90 percent of the malware spread by email worldwide.