
Microsoft today announced an international program to disrupt the spread of a popular botnet. In a statement from Microsoft India, the company says it collaborated with partners across 35 nations to disrupt the Necurs botnet.

Necurs is a widely used botnet for delivering malware, and it has infected over 9 million machines around the world. Microsoft worked with collaborators in tech and government to lead a legal and technical effort against Necurs.

According to Microsoft, the investigation and subsequent action took eight years and will ensure the existing Necurs networks can no longer be used by cybercriminals.

In a statement, Microsoft India says 13.59% of distinct infected IP addresses were within the country during the first seven days of this month.

“In India, the Microsoft Digital Crimes Unit partnered with the Computer Emergency Response Team (CERT-IN) and National Internet Exchange of India (NIXI) to disrupt cyberattacks led by the botnet. This effort prevented the criminals behind Necurs from registering new domains to execute attacks in the future in India.”

Long-Term Investigation

Necurs was first discovered by Microsoft in 2012, when the company’s Digital Crimes Unit teamed with BitSight and other security companies. Since then, Redmond has been working on disrupting the botnet.

In 2017, Necurs was used to deliver 12.5 million emails loaded with the Scarab ransomware. The emails read ‘Scanned from HP/Lexmark/Canon’ and had a 7zip file attached.

As in previous iterations, the archive contains a VBScript file, and its code has several Game of Thrones references. The script mentions Samwell, Jon Snow, and more. Once the payload is delivered, this variant drops a copy of itself, sevnz.exe, in the app data folder.