Necurs += DDoS
World’s largest spam botnet (5 million bots) adds proxy module with DDoS features, but will it really be used that way?
▻http://blog.anubisnetworks.com/blog/necurs-proxy-module-with-ddos-features
Necurs is a malware that is mainly known for sending large spam campaigns, most notably the Locky ransomware. However, Necurs is not only a spambot, it is a modular piece of malware that is composed of a main bot module, a userland rootkit and it can dynamically load additional modules.
[...]
At first look, it seemed to be a simple SOCKS/HTTP proxy module, but as we looked at the commands the bot would accept from the C2 [port 5222] we realised that there was an additional command, that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDOS attack.
[...]
Please notice that we have not seen Necurs being used for DDOS attacks, we simply saw that it has that capability in one of the modules that it has been loading.
The rest of their post contains the results of a technical analysis of this module, detailing its C2 protocol, the SOCKS/HTTP proxy features, and the DDOS attack features.
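As an added illustration, and not code from the AnubisNetworks post or from the malware itself, the following defender-side check looks in flow records for the traffic shape the excerpt describes: a host that holds a session to a C2 on TCP/5222 and then emits a sustained stream of HTTP or UDP requests to a single target. The flow record layout, the 60-second window and the 200-flows threshold are assumptions; the sample flows are constructed for the demonstration.

```python
"""Flag hosts whose outbound traffic matches the pattern described in the
Necurs proxy-module analysis: a sustained stream of HTTP (TCP/80) or UDP
requests to one target from a host that also talked to a C2 on TCP/5222.
Flow records, window and threshold below are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since epoch
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


C2_PORT = 5222          # C2 port named in the quoted analysis
WINDOW = 60.0           # seconds; assumed tuning value
RATE_THRESHOLD = 200    # flows to one target per window; assumed tuning value


def is_flood_candidate(f: Flow) -> bool:
    """HTTP (TCP/80) or any UDP flow, i.e. the request types the module can loop on."""
    return f.proto == "udp" or (f.proto == "tcp" and f.dport == 80)


def find_flood_sources(flows, window=WINDOW, threshold=RATE_THRESHOLD):
    """Return {src: {"target": dst, "count": n, "c2_contact": bool}} for every
    source whose flow count to a single target within any `window` span reaches
    `threshold`. c2_contact records whether the same source also reached C2_PORT."""
    by_pair = defaultdict(list)
    c2_sources = set()
    for f in flows:
        if f.proto == "tcp" and f.dport == C2_PORT:
            c2_sources.add(f.src)
        if is_flood_candidate(f):
            by_pair[(f.src, f.dst)].append(f.ts)

    findings = {}
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        # sliding window: largest number of flows falling inside any `window` span
        lo, best = 0, 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            prev = findings.get(src)
            if prev is None or best > prev["count"]:
                findings[src] = {"target": dst, "count": best,
                                 "c2_contact": src in c2_sources}
    return findings


def sample_flows():
    """Constructed sample: 10.0.0.5 contacts a C2 on 5222 and then sends 300 UDP
    flows to 203.0.113.9 within 30 seconds; 10.0.0.8 browses normally."""
    flows = [Flow(0.0, "10.0.0.5", "198.51.100.7", "tcp", C2_PORT)]
    flows += [Flow(1.0 + i * 0.1, "10.0.0.5", "203.0.113.9", "udp", 7)
              for i in range(300)]
    flows += [Flow(2.0 + i * 5.0, "10.0.0.8", "203.0.113.10", "tcp", 80)
              for i in range(10)]
    return flows


if __name__ == "__main__":
    for src, info in find_flood_sources(sample_flows()).items():
        print(src, info)
```

On the constructed sample only 10.0.0.5 is reported, with its target, the peak flow count and the fact that it also spoke to the C2 port; in a real deployment the window and threshold would be tuned against the site's normal per-destination request rates, and the 5222 contact is corroboration rather than a standalone indicator, since that port is also legitimate XMPP.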