Talos Security shares a research report on the Necurs botnet family, which has been in circulation for over 5 years

http://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html

Over the past five years the Necurs botnet has established itself as the largest purveyor of spam worldwide. Necurs is responsible for emailing massive amounts of banking malware, ransomware, dating spam, pump-n-dump stock scams, work from home schemes, and even cryptocurrency wallet credential phishing. Necurs sends so much spam that at times Necurs’ spam campaigns can make up more than 90% of all spam seen by Cisco Talos in one day.

Typically email campaigns from Necurs fall into one of two categories: high-volume weekday campaigns, or low volume continuous campaigns. Necurs has occasionally been seen sending high volume campaigns on weekends, but the vast majority of the time high volume campaigns are limited to the business week only. The mailing list database Necurs is using seems to be segmented, such that the high volume campaigns use one subset of email addresses from the DB, and the low volume campaigns use a different set of email addresses.

Of course one of Necurs’ most well-known payloads is ransomware. Necurs has been one of the biggest distributors of the Locky ransomware. Locky also works on an affiliate model. Inside of each locky sample, in the metadata, is an affiliate ID, which is always the same for Necurs mailings. Most of the time, very little investment is made in the design of the messages themselves, as in the following example.

Now that Necurs is back from their regular holiday break they are attempting to fill our inboxes with junk mail and malware once again. On one hand, the size of the Necurs botnet, and its ability to send from different nodes in every campaign makes it difficult to defend against; Standard IP address blacklists are ineffective against such tactics. Fortunately for network defenders, the fact that Necurs does relatively little to curate their recipient database limits the damage they can do. There are only so many times the same recipients will fall for Necurs’ same, repetitive tricks. We can expect that Necurs will continue to try variations on some of their tried and true attacks, and so user education against these threats remains paramount.