Necurs Botnet adopts a new strategy to evade detection

The Necurs Botnet continues to evolve, a new strategy aims at hiding in the shadows, and leverages new payloads to recruits new bots.

Necurs botnet is currently the second largest spam botnet, it has been active since at least 2012 and was involved in massive campaigns spreading malware such as the Locky ransomware, the Scarab ransomware, and the Dridex banking Trojan.
According to the experts, the Necurs botnet is currently composed of roughly 570,000 bots distributed globally, most of them in India, Indonesia, Vietnam, Turkey, and Iran. It has been estimated that there are about 90,000 “orphaned” Necurs bots in the wild.

The Necurs botnet was not active for a long period at the beginning of 2017 and resumed its activity in April 2017 when it was observed using a new technique to avoid detection.

Now Necurs has been spotted using a new evasion technique and that is allowing its operators to recruit more bots to the botnet.

According to the experts from Black Lotus Labs, a division of the telecom and ISP provider CenturyLink, Necurs operators regularly shutting down segments of their command-and-control (C2) infrastructure. Since May the C2 was active for roughly three weeks before going down for two weeks and then going up again.

“From the network perspective, Black Lotus Labs continue to see cycles of botnet inactivity shown by C2 infrastructure going offline and coming back online.” reads a blog post published by the firm.

“At times, they’ve been known to be inactive for weeks. Most recently, the C2s have gone offline for most of the last four months, coming online for short periods of time about once a week.”

The presence of tens of thousands of orphaned bots is worrisome, in any moment some of them could be recruited in the botnet with the necessary actions.

“Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities,” explained Mike Benjamin, head of Black Lotus Labs. “What’s particularly interesting is Necurs’ regular cadence of going dark to avoid detection, reemerging to send new commands to infected hosts and then going dark again. This technique is one of many the reasons Necurs has been able to expand to more than half a million bots around the world.”

Black Lotus has also observed the evolution of the payloads used by the botnet operators.

“Most recently, Necurs has been seen pushing out infostealers and RATs, like AZOrult and FlawedAmmyy, to targeted hosts based on specific information found on infected hosts and deploying a new sophisticated .NET spamming module which can send spam using a victim’s email accounts.” continues the blog post. “These new capabilities represent a significant increase in Necurs’ ability to perpetrate spear phishing, financial crimes and espionage. “

CenturyLink described its efforts in trying to sinkhole the Necurs botnet, however, the operations are not simple because the malicious infrastructure leverages a domain generation algorithm (DGA) to obfuscate avoid takedown.

“When the Necurs operators register a DGA domain to inform the bots of the new C2, the domain is not pointed to the real IP address of the new C2 host,” the experts explained. “Instead, the real IP address of the C2 is obfuscated with what is essentially an encryption algorithm. The bot will then ‘decrypt’ the obfuscated IP address and contact the new C2. This prevents researchers from being able to identify new C2s simply by querying the DGA domains, but more importantly, it makes it difficult for researchers to sinkhole these DGA domains.”

Experts pointed out that DGA is a double-edged sword because allows security researchers to analyze DNS and network traffic to enumerate bots.

“Despite making it more difficult to takedown the Necurs botnet completely, its use of a DGA is a double-edged sword. Because the DGA domains it will use are known in advance, security researchers can use methods like sinkholing DGA domains and analyzing DNS and network traffic to enumerate its bots and C2 infrastructure, allowing them to mitigate much of the potential damage of this enterprising botnet.” concludes the post.

“CenturyLink has taken steps to mitigate the risk of Necurs to customers, in addition to notifying other network owners of potentially infected devices to help protect the internet. However, the evolution of Necurs’ capabilities and its global distribution make this botnet one the security community will need to continue to watch.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Necurs botnet, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]