Microsoft announced that it has disrupted the Necurs botnet, whose malware has infected more than 9 million computers worldwide, and has taken control of its infrastructure.
The takedown became possible after researchers reverse-engineered and broke the domain generation algorithm (DGA) implemented by the Necurs malware, the mechanism that had kept the botnet resilient to blocking for years.
The operation was coordinated between international law enforcement and private technology companies across 35 countries.
A DGA is a technique that generates new, hard-to-predict domain names at regular intervals. Because infected machines compute the same domains from the same seed and calendar date, the operators only need to register one of the current candidates to keep the command-and-control (C&C) channel alive, which lets them switch C&C locations continuously and maintain undisrupted communication with the infected machines even as individual domains are seized.
Microsoft stated that they were able to predict more than six million unique domains accurately that would be created in the next 25 months. The tech giant then reported these domains to their respective registries in countries globally so that the websites can be blocked and prevented from becoming part of the Necurs infrastructure.
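The two paragraphs above describe the attacker side (a seed- and date-driven domain generator) and the defender side (enumerating every domain the bots will compute over a future window so registries can block them in advance). The following Python is an added illustration written for this page; it is not Necurs' real algorithm, Microsoft's tooling, or any project's code. The seed, TLD list, rotation period, four domains per period, and the DNS log format are all constructed assumptions. It shows the same defender workflow the article describes: once the generator is known, future domains are predicted per TLD, and the predicted set doubles as a watchlist for DNS query logs.

```python
import hashlib
from datetime import date, timedelta

# Constructed parameters for an illustrative DGA. These are NOT the Necurs
# values; they only demonstrate the seed + date -> domain pattern.
SEED = b"example-botnet-seed"          # hypothetical secret embedded in the malware
TLDS = ["com", "net", "biz", "info"]   # hypothetical TLD rotation
DOMAINS_PER_PERIOD = 4                 # hypothetical candidates per rotation
PERIOD_DAYS = 4                        # hypothetical rotation interval
EPOCH = date(2020, 1, 1)               # hypothetical start of period numbering


def period_index(day: date) -> int:
    """Map a calendar day to the rotation period it falls in."""
    return (day - EPOCH).days // PERIOD_DAYS


def domains_for_period(idx: int) -> list[str]:
    """Bot side: derive the candidate C&C domains for one rotation period.

    Every infected host with the same SEED computes exactly this list, so the
    operator only has to register one of them to re-establish C&C.
    """
    out = []
    for n in range(DOMAINS_PER_PERIOD):
        digest = hashlib.sha256(SEED + idx.to_bytes(4, "big") + bytes([n])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 letters a-z
        tld = TLDS[digest[12] % len(TLDS)]
        out.append(f"{label}.{tld}")
    return out


def generate_domains(day: date) -> list[str]:
    """Candidate C&C domains valid on a given day."""
    return domains_for_period(period_index(day))


def predict_domains(start: date, days: int) -> dict[str, set[str]]:
    """Defender side: enumerate every domain the bots will try between `start`
    and `start + days`, grouped by TLD so each registry receives its own list.
    This is what makes pre-emptive blocking at the registries possible.
    """
    first = period_index(start)
    last = period_index(start + timedelta(days=days - 1))
    by_tld: dict[str, set[str]] = {}
    for idx in range(first, last + 1):
        for d in domains_for_period(idx):
            by_tld.setdefault(d.rsplit(".", 1)[1], set()).add(d)
    return by_tld


def flatten(by_tld: dict[str, set[str]]) -> set[str]:
    """All predicted domains as one lookup set (for DNS-log matching)."""
    return set().union(*by_tld.values()) if by_tld else set()


def flag_dga_lookups(log_lines: list[str], watchlist: set[str]) -> list[tuple[str, str, str]]:
    """Detection: return (timestamp, client, qname) for queries hitting the
    predicted set. Log format '<ts> <client-ip> <qname>' is a constructed
    assumption; adapt the parser to the resolver's real log format.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        if qname.rstrip(".").lower() in watchlist:
            hits.append((ts, client, qname))
    return hits


# Constructed sample DNS log: one query for a current DGA domain, one benign.
SAMPLE_DAY = date(2020, 3, 10)
SAMPLE_LOG = [
    f"2020-03-10T08:01:02 10.0.0.5 {generate_domains(SAMPLE_DAY)[0]}",
    "2020-03-10T08:01:03 10.0.0.7 www.example.com",
]

if __name__ == "__main__":
    # Predict roughly 25 months ahead (760 days), as the article describes.
    future = predict_domains(SAMPLE_DAY, 760)
    for tld, names in sorted(future.items()):
        print(f".{tld}: {len(names)} domains to report to the registry")
    print("flagged lookups:", flag_dga_lookups(SAMPLE_LOG, flatten(future)))
```

The important property is determinism: `generate_domains` gives the same answer on any host for a given day, which is exactly what lets a defender who has recovered the seed and the rotation schedule pre-register or block domains that do not exist yet.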
In addition, Microsoft obtained court orders granting it control over the U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers.
Together, the two measures disrupted the botnet: existing C&C domains were taken over, and the operators lost the ability to register new ones.
Necurs was first detected in 2012 and is considered one of the world's most prolific spam botnets. It infects systems with banking malware, cryptojacking malware and ransomware, and then abuses the infected machines to send large volumes of spam to new victims.
Necurs uses a kernel-mode rootkit that disables a large number of security applications, including Windows Firewall, which helps it evade detection and maintain persistence on compromised computers.
Necurs came to prominence in 2017 when it began spreading the Dridex banking trojan and Locky ransomware at a rate of 5 million emails per hour to computers worldwide.
Cybercriminals relied heavily on Necurs to deliver spam and malware from 2016 to 2019, and it was reportedly responsible for 90% of the malware spread by email worldwide during that period.
Microsoft stated that during 58 days of investigation they have observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.
According to the latest reports, India, Indonesia, Turkey, Vietnam, Mexico, Thailand, Iran, Philippines, and Brazil are the top countries that have been impacted by the Necurs malware.