The Necurs botnet is back spreading a downloader with new interesting features

Pierluigi Paganini October 18, 2017

The Necurs botnet is spreading a new downloader that takes screenshots of the victims’ desktops and Runtime Errors back to the operators.

The Necurs botnet is back once again, the dreaded botnet was spreading a downloader that takes screenshots of the victims’ desktops and Runtime Errors back to the attackers.

“Recently we have seen a resurgence of emails sent by the Necurs botnet. The latest blast of emails is spreading a new variant of the Locky ransomware (Ransom.Locky) or Trickybot (Trojan.Trickybot).” reads the analysis published by Symantec. “What’s interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims. It can take screen grabs and send them back to a remote server. There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.”

The Necurs malware spread via spam campaigns or through compromised web servers, last time we read about it in January when it was being used by crooks to deliver the Locky ransomware.

Now the Necurs Botnet, one of the world’s largest malicious architecture, is spreading a  downloader with two interesting new features.

  • The first feature consists in the addition of a Powershell script that takes a screengrab of the infected user’s screen, that is uploaded to a remote server after waiting a few seconds.
  • The second addition is a built-in error reporting feature that monitors the Necurs downloader for errors and sends collected info back to Necurs botmaster.

This is the first time that a downloader implements such kind of feature. experts believe Necurs operators gather intelligence about their campaigns.

“When you consider the screen grab functionality together with the new error-reporting capability, it suggests that the Necurs attackers are actively trying to gather operational intelligence (OPINTEL) about the performance of their campaigns. ” continues Symantec.

Collected data could allow the attackers to measure the efficiency of their campaign and detect when the malicious code has infected valuable environments, such as corporate networks.

The error reporting feature allows coders to fix bugs in their software improving their success rates.

The following graph reports the spam waves observed in the last months, after a period of silence from end of 2016 and into early 2017 it appeared again in March.

The evidence collected by the researchers suggest an intensification of the activities related to the Necurs botnet.

“Necurs went through a long spell of silence from end of 2016 and into early 2017. It burst back onto the scene around March and since then, it has been cranking up its activity levels, with recent months seeing the most action so far in 2017″ concludes Symantec.

“With our data showing a resurgence in activity, and the apparent efforts to collect operational intelligence, we can expect to see continued evolution of the capabilities and a steady increase in Necurs activity levels in the coming months.”

Necurs botnet activity-2017


[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini 

(Security Affairs – botnet, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment