Necurs botnet

Necurs, the world's largest spam botnet, is currently sending millions of spam emails that push an obscure cryptocurrency named Swisscoin.

Such spam emails are known as pump-and-dump, and the technique relies on sending large quantities of spam to drive interest up towards a particular penny stock.

Spammers usually buy stock in advance at a low price and sell it at a higher value when the spam campaign drives up the price —hence the name of pump & dump.

Necurs pushes cryptocurrencies for the first time

Necurs, a spam botnet believed to have millions of bots, has been known to engage in pump-and-dump spam campaigns for years, being one of its primary activities, besides spreading the Dridex banking trojan, and several ransomware families.

What caught our eye and the attention of several security researchers was the fact that Necurs started promoting a cryptocurrency this week, instead of the usual low-end penny stocks that it got us accustomed to.

In a private conversation with Bleeping Computer, Derek, the security researcher behind the MyOnlineSecurity blog, confirmed to us that this was, indeed, the first time Necurs has promoted a cryptocurrency via one of its infamously large spam campaigns.

Necurs pushing Swisscoin

The cryptocurrency in question is Swisscoin, an altcoin that's been described as a Multi-Level-Marketing (MLM) ponzi scheme in a report last year, and for which trading was recently suspended.

Trading resumed on January 15, the same day the Necurs spam started spreading. Since the Necurs spam, the cryptocurrency lost 40% of its initial trading price.

It's unclear what is Necurs' impact on the Swisscoin trading price, mainly because there was no previous trading to compare the impact against.

Further, the price dip could be very well the result of people dumping Swisscoin when trading finally resumed after more than 50 days, and not necessarily the result of the "dump" phase following a Necurs pump-and-dump. In addition, Bitcoin's declining price could have also affected Swisscoin's own price.

According to reports from Conrad Longmore, VirusBulletin, and MyOnlineSecurity, the Necurs botnet has sent three different spam runs with the following subject lines:

This crypto coin could go up fifty thousand percent this year
Let me tell you about one crypto currency that could turn 1000 bucks into 1 million
Forget about bitcoin, there's a way better coin you can buy.

It was also seen sending dating spam and emails carrying files that spread the GlobeImposter ransomware.

The messages pushing the Swisscoin pump-and-dump were part of a huge spike in activity from the Necurs botnet, which came back to life this week after its annual holiday vacation. Each year, the Necurs botnet takes a break between early December and mid-January, as Necurs operators celebrate the end-of-year holidays.

Necurs operators taking a page out of John McAfee's book

We can only speculate on what drove Necurs operators to pump-and-dump cryptocurrencies, but we believe that John McAfee might have something to do with their decision.

For the past few weeks, the founder of the McAfee cyber-security firm has been promoting various cryptocurrencies in what he calls "Coin of the Day" tweets.

The cryptocurrencies McAfee promotes on his Twitter account almost always see a huge price spike that many users have exploited to dump coins at higher prices.

Related Articles:

Necurs Botnet Distributing Sextortion Email Scams

Fake Elon Musk Twitter Bitcoin Scam Earned 180K in One Day

Make-A-Wish Website Compromised for Cryptojacking Operation

Linux CryptoMiners Are Now Using Rootkits to Stay Hidden

Compression File Formats of the past Come Haunting in Spam Campaigns