Cybercriminals behind the Necurs botnet have reactivated the zombie network and returned to their original business of using compromised machines as conduits for spam distribution.
In January, Cisco Talos reported that the Necurs botnet had gone offline, taking the typical volume of Locky ransomware-tainted spam emails with it.
Security researchers have once again detected an uptick of spam email from the Necurs botnet over recent days. Rather than distributing malware in the form of malicious attachments, it has shifted back to sending high volumes of penny stock pump-and-dump messages.
Necurs was abused to run a similar campaign in December 2016, shortly before the botnet went offline for an extended period. "This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet," according to Cisco Talos.
A complete analysis of this Necurs activity can be found in a blog post by Cisco Talos. Necurs is reckoned to be the largest spam botnet in the world, so changes in its behaviour can have a big effect on the type and volume of junk hitting inboxes. ®