“Threat intelligence is something we’ve been doing for quite a while, and we wanted to personify the function and give it extreme emphasis,” said Mike Benjamin, senior director of threat research at Black Lotus Labs, in an interview at RSA Conference. “The intent of the group is to continue to hunt malice in the internet but to also continue to clean up the internet.”
“There’s a lot of people finding threat intelligence, but the ability to both find and act on it is part of our DNA,” added CenturyLink Chief Security Officer Chris Betz. “It’s that combination of seeing and acting that’s crucial, and that’s why we created Black Lotus Labs.”
Black is typically associated with evil (malice), and it’s the wardrobe color of choice for threat hunters. The lotus flower symbolizes purity, so that’s an easy hop to “clean up the internet.” But is there actually some deeper meaning behind the cool new name?
Benjamin and Betz say no. The team kicked around several names and “the engineers really loved Black Lotus,” Betz said.
And it makes for an easy-to-get-behind team tattoo.
New Necurs Botnet Research
One of the first things the newly named research team has done is publish new information about the Necurs botnet — a prolific and globally dispersed spam and malware distribution botnet, which recently demonstrated a hiding technique to both avoid detection and quietly amass more bots.
While this particular botnet has been around for a number of years (it was first discovered in 2012), Black Lotus’ research provides better visibility into how it operates, and it uncovered new capabilities, such as the ability to go dark to avoid detection, reemerge to send new commands to infected hosts, and then go dark again, Benjamin said.
“Necurs came up as a large spam botnet producing both junk email and malicious payloads” such as banking trojans and ransomware, he explained. It has since evolved into a proxy enabling other attackers to essentially use it as a botnet-as-a-service, and to enable cryptomining and DDoS capabilities. “We see it do everything from dating scams, pump and dump stock schemes through ransomware, and it is a starting point to many other threats,” Benjamin said.
CenturyLink took steps to mitigate the risk of Necurs to customers, and it also notified other network owners of potentially infected devices, Benjamin said. “This helps the internet stay clean, it helps educate our customers, and we [get to] track and remediate a threat.”