Following the news that AppRiver has warned that the Necurs botnet is back online and distributing malware, Jon French, Security Analyst at AppRiver, commented below.
Jon French, Security Analyst at AppRiver:
“Virus traffic has been huge so far in 2016. Mostly, this has been thanks to ransomware, and in particular, Locky distributed by the Necurs botnet. At AppRiver, we’ve been seeing malware traffic counts in the tens of millions daily for some time now. It goes up and down, of course, but for the past three weeks it’s been almost entirely downs, with volumes ranging from around 3-10 million malicious attachments a day – a significant decrease from the previous months’ traffic. However, yesterday, we noticed a sharp increase in virus traffic once again.
“In just a few hours, steady malware was identified, with a little over 80 million tracked. This is likely related to the Necurs botnet, which had been blamed for distributing huge volumes of Locky and Dridex related malware this year before essentially going offline around June 1st.
“The botnet wasn’t taken down, but randomly stopped performing its nefarious control of infected computers. With the Locky campaigns identified today bearing similarities to what we’ve seen before, it looks like Necurs is back and ramping up. Whether this is a temporary spike or a return to pre-June 1 ‘normalcy’ is too early to tell.
“As for this current campaign, there are multiple different .js files coming in, with most just being slight variations in format. The few I checked on VirusTotal had a 2/54 hit for them, so not many AV providers are catching the file itself (though they may trigger upon execution or other actions the malware takes). So far, the malware traffic accounting for this spike has been handled by rules added anywhere from one to three months ago. Some of these matches were because the .js malware is so similar to previous campaigns, and other rules added a few months ago are just now hitting today. Trying to stay ahead of malware and planning for future variations pays off, since in situations like this entire campaigns can sometimes be stopped at the first message.”
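The point in the quote above, that rules written against earlier .js attachment campaigns keep matching slightly varied successors, can be illustrated with a small mail-attachment triage routine. This is an added example and not AppRiver's code or rule set: the script-extension list, the single structural rule (fragmented string building that feeds `eval`), the normalization step and the three sample messages are all constructed for this page, and the placeholder attachment bodies do nothing harmful.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Constructed list of attachment extensions that run as scripts on a typical
# Windows mail client; a hypothetical filter would flag these regardless of content.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf"}

# Constructed rule (not a vendor signature): match a variable assembled from many
# one-to-three-character string fragments that is later handed to eval(). The
# pattern keys on structure, not on a specific variable name, so a renamed or
# re-spaced variant of the same template still matches.
RULES = {
    "fragmented-string-eval": re.compile(
        r'var [a-z_]\w*=(?:"[^"]{1,3}"\+){4,}"[^"]{1,3}";.*?eval\('
    ),
}


def normalize(text):
    """Lowercase, collapse whitespace runs, and drop spaces around common
    JavaScript operators so cosmetic reformatting does not defeat the rules."""
    text = re.sub(r"\s+", " ", text.lower())
    return re.sub(r"\s*([=+;(){}])\s*", r"\1", text)


def build_message(filename, body):
    """Constructed sample: a minimal message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Document"
    msg.set_content("See attached.")
    msg.add_attachment(body.encode("utf-8"), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def triage(raw):
    """Return (attachment name, rule name) findings for every attachment
    in a raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        text = normalize(payload.decode("utf-8", errors="replace"))
        # Double extensions such as "x.pdf.js" still end in the script suffix.
        if os.path.splitext(name.lower())[1] in SCRIPT_EXTENSIONS:
            findings.append((name, "script-extension"))
        for rule_name, pattern in RULES.items():
            if pattern.search(text):
                findings.append((name, rule_name))
    return findings


# Constructed samples: an "original" attachment, a variant of it with a renamed
# variable, different spacing and a double extension, and a benign text file.
SAMPLES = {
    "original": build_message(
        "invoice_2016.js",
        'var a = "h" + "e" + "l" + "l" + "o"; eval(a);'),
    "variant": build_message(
        "Scan_0042.pdf.js",
        'var  dl_x="h"+"e"+"l"+"l"+"o";\r\n\r\neval( dl_x );'),
    "benign": build_message(
        "notes.txt",
        "Meeting notes for Thursday."),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

Both the original and the variant produce the same two findings, while the text file produces none; the rule written for the first sample is what catches the second, which is the effect described in the quote. In a real filter the normalization and rule set would be far larger, but the design choice is the same: match on the structure an attacker keeps between campaigns rather than on the cosmetic details they change.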