Necurs Botnet Diversifies with Stock Manipulation Instead of Ransomware

- March 21, 2017

Necurs, called the largest spam botnet in the world, has been dormant for months, but appears to have returned with a new attack method of pumping penny stocks through spam e-mail and cashing in by dumping them after a value spike.

Researchers at Cisco’s Talos security team discovered a new spike in spam messages sent through the Necurs botnet starting the morning of March 20. Historically, Necurs was a delivery method for Locky and Dridex, but this time around the actors behind the botnet seem to have opted for a totally different, and somewhat vintage, attack method.

“Necurs has been down since essentially Christmas,” Talos Technical Leader and Outreach Manager Craig Williams said. “And now it’s moved away from ransomware to an older tactic.”

It starts with a spam e-mail promising an insider track on a stock that will produce high returns. The insidious part is that the message itself does not link to an exchange or a trading platform at all; it merely entices the user to buy quickly, without thinking, before the opportunity is gone.

Williams speculates that there could be a number of reasons for this tactical change. Ransomware, to be successful, requires a compromise of the endpoint, which carries a much higher cost and risk. This “pump and dump” method, on the other hand, simply sends a spam message to the end user with an enticing message about a cheap stock and a promise of high returns. A gullible investor on the other end will do the rest.

“It doesn’t matter what kind of anti-virus you have on this one,” Williams said. “If you fall for this one, you’ve made a legitimate stock transaction, so nothing to block there.”

The stock peddled in this attack is InCapta, Inc. (INCT), a company that purports to be a “media holding company that provides management services to online radio, cloud television and the entertainment industry.” Its legitimacy is speculative.

The method appears to be successful. Just in the time it took to interview Williams about the campaign, the InCapta stock volume moved up 80 percent.

InCapta stock seemed to jump in “value” right at the time of a surge in spam activity.

The other enticing component to the spam message itself is the false but alluring promise that the stock will soon be sold at $1.37 per share to DJI, a drone company. The supposed acquisition announcement would take place March 28.

Over the course of the morning of March 20, as is common in spam campaigns, messages were sent in high volumes, sometimes in batches of 10,000 or more at a time.

Talos researchers note that the latest Necurs attack is a good example of how attackers will change tactics over time.

It could be just a way of eliminating effort, Williams said. “There’s no software. There’s no bugs to worry about,” he said. So both the risk and potential for failure are lower.

Talos researcher Jaeson Shultz also notes in a separate blog post from last year that Necurs has been seen distributing these pump and dump scams in the past.
