Malware, Penny Stocks and Pharma Spam – Necurs Delivers

Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe.

Enter Necurs, the biggest player in the spam game today. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regard to the distribution of malware downloaders. Widely considered to be the largest spam botnet on the planet, Necurs is responsible for a large percentage of the overall spam volume seen around the globe every day. Despite being such a major threat, very little information has been published regarding its makeup and how it is being operated by cybercriminals.

This talk will take a deep dive into the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible, covering both malware distribution and non-malware-based campaigns such as stock-based pump-and-dump. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we have observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.

Warren Mercer joined Talos coming from a Network Security background, having worked for previous vendors and the financial sector. Focusing on Security Research and Threat Intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of the chase when it comes to tracking down new malware and the bad guys! Warren has spent time in various roles throughout his career ranging from NOC engineer to leading teams of other passionate security engineers. Warren enjoys keeping up to speed with all the latest security trends, gadgets and gizmos; anything that makes his life easier in work helps! Warren holds various professional certifications from SANS, ISC(2), Microsoft, Citrix, and of course Cisco!
Edmund Brumaghin is a threat researcher for Cisco Talos who has spent almost a decade in the information security industry, in a variety of different roles within security operations teams. He specializes in malware analysis and incident response and has worked to protect organizations across different industries including utilities, financial services, nuclear energy, etc. Working in various Security Operations Centers (SOCs) has given him insight into the daily operations of security teams, what happens during each phase of the incident response process, and how to quickly assess the severity of security incidents when they happen within an environment.
Nick Biasini's interest in computers and technology started at a young age when he tore apart his parents' brand-new 486SX PC. Ever since, he has been tinkering with computers in one way or another. In his time with Talos, Nick has been responsible for exposing new details of major threats, with a focus on crimeware. This includes exposing the Angler exploit kit, identifying new techniques like Domain Shadowing, helping to stop a large-scale Nuclear exploit kit campaign, and revealing clever spam campaigns delivering ransomware. Nick has a master's degree in digital forensics from the University of Central Florida and has worked in government and private-sector environments during his career.