CenturyLink on Thursday unveiled its new threat research and operations division, Black Lotus Labs, and shared information on the Necurs botnet that the division uncovered.

The mission of Black Lotus Labs is to use CenturyLink‘s network visibility to help protect customers and “keep the internet clean.” Black Lotus Labs does this is by tracking and disrupting botnets like Necurs, a prolific and globally dispersed spam and malware distribution botnet which has recently demonstrated a hiding technique to both avoid detection and quietly amass more bots.

CenturyLink’s Mike Benjamin

Mike Benjamin, head of Black Lotus Labs, tells Channel Partners the division is the evolution of CenturyLink’s “longstanding commitment to collaboration, sharing intelligence and proactively mitigating threats on the internet.” Black Lotus Labs’ work supports and informs CenturyLink’s global security solutions portfolio, he said.

“CenturyLink’s partners benefit from the work of Black Lotus Labs in a number of ways,” he said. “As the threat research and operations arm of the company, we derive our threat intelligence from one of the world’s largest internet backbones, which gives us tremendous depth to our field of vision when it comes to emerging and evolving threats. For example, we collect 114 billion NetFlow sessions each day, we monitor over 5,000 command and control servers on an ongoing basis, we respond to and mitigate roughly 120 DDoS attacks per day and we remove nearly 40 C2 (command and control) networks per month. Not only does the team’s research inform and evolve CenturyLink’s threat-intelligence offerings, but the operational work of proactively mitigating threats across the CenturyLink network is seamless to customers and partners.”

Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware, to developing a proxy service, as well as cryptomining and DDoS capabilities, Benjamin said. CenturyLink took steps to mitigate the risk of Necurs to customers and notified other network owners of potentially infected devices to help protect the internet.

“Black Lotus Labs focuses primarily on botnets and C2s, as well as monitoring the tools, techniques and procedures of bad actors,” Benjamin said. “While we track many different malware families, we have recently shared intelligence on how TheMoon botnet evolved into a proxy as a service, how Mylobot acquired a second-stage, information-stealing attack capability and how Satori resurfaced with new infection targets.”

Beginning last May, Black Lotus Labs observed regular, sustained downtime of roughly two weeks, followed by roughly three weeks of activity for the three most active groups of bots comprising Necurs.

Necurs’ roughly 570,000 bots are distributed globally, with about half located in the following countries, in order of prevalence: India, Indonesia, Vietnam, Turkey and Iran.