The Necurs botnet is back and active again, but instead of spreading the Locky ransomware or the Dridex banking trojan, its operators are engaged in a spam scheme that tries to boost a company's stock market price artificially.

This particular spam scheme has a special name in the infosec industry, which is "pump&dump." The idea behind pump&dump schemes is to send massive amounts of spam that try to convince users in buying stocks for a particular company.

As users flock to acquire the company's stock, the price surges. When Necurs spam has reached a desired share price value, the Necurs operators, or the people that rented the botnet, sell their stocks at the higher price and earn a profit.

This spam scheme has been around since the 90s, and has mainly targeted so-called "penny stocks," securities for small companies that sell under $5/share, whose prices can be influenced by a few hundreds of new buyers/sellers in a day.

Necurs pump&dump takes aim at InCapta stock

With a monthly bot population of 5 to 6 million unique bots, Necurs is the perfect spam botnet for these operations, as it can fling tens of thousands of messages per hour without breaking a sweat.

This latest pump&dump spam campaign targeted the stocks of InCapta Inc (INCT), a media holding company.

The spam campaign pushing for InCapta stock started on Monday morning, March 20, and resulted in an immediate share price spike.

InCaptcha share price evolution

Five different observers noted the new Necurs spam campaign, such as Cisco Talos, MalwareTech, MX Lab, My Online Security, and Dynamoo.

Necurs sent out four spam runs

According to MalwareTech, Necurs sent out four different spam waves on Monday (2 spam runs) and Tuesday (2 spam runs), keeping InCapta's stock at a heightened level.

According to Cisco Talos, the spam campaigns sent around tens of thousands of messages per hour, with the second wave being larger than the first.

Just as you'd expect, the spammed message didn't make any sense, trying to trick users into buying InCapta stock because of an impending acquisition by DJI, the world's leader in drone manufacturing.

The spam message incorrectly stated that InCapta had manufactured its own drone. With a little bit of research (Google search), users would have discovered that InCapta is a media company, and would have avoided wasting their money. Below are the first two spam messages sent during the first two waves. The third and fourth spam messages are here and here.

Necurs pump&dump stock spam for InCaptcha Inc.
Necurs pump&dump stock spam for InCapta Inc. (MalwareTech)
Necurs pump&dump stock spam for InCaptcha Inc.
Necurs pump&dump stock spam for InCapta Inc. (Cisco Talos)

Necurs returns to life

Prior to yesterday's spam run, the Necurs botnet has been extremely quiet. During 2016, Necurs had focused on delivering spam email with malicious attachments that installed the Locky ransomware or the Dridex banking trojan.

The botnet had gone silent before the winter holidays, as it does every year, but never came back to its previous activity levels, stopping the distribution of Locky altogether. Yesterday's pump&dump campaign was Necurs' biggest campaign this year so far, whose infrastructure was dormant for most of 2017.

Necurs had previously dabbled in pump&dump spam schemes, mostly in 2015 and earlier, before Locky. There were isolated pump&dump spam schemes in 2016, but nothing to eclipse its efforts on spreading Locky and Dridex.

Necurs' Locky infrastructure still dormant

According to Cisco's Talos team, Necurs operators appear to be using a different infrastructure for spreading Locky and another one for pump&dump spam.

As Necurs came back from its winter holiday slumber, Talos researchers say that only the pump&dump infrastructure came back to life, while the one responsible for Locky remains dormant.

"On the other hand, both of these campaign types share common recipients, hinting at the fact that Necurs operators may use a shared database of email addresses even when clients request different services," the Cisco Talos team explained.

Nonetheless, because ransomware has a wider attack base, compared to the small userbase susceptible to pump&dump schemes, most industry experts expect Necurs to return to spreading Locky or another ransomware family, as it's far more profitable than spreading any other type of spam.

Conrad Longmore, the researcher behind the Dynamoo blog has some advice for people taking their stock market tips from spam messages.

"Pump and dump spam like this is a criminal activity, and typically companies being promoted in this way are in terminal decline (but not always)," Longmore says. "Avoid buying stocks on the recommendation of criminals."