Content, Breach, Phishing, Ransomware

Necurs Botnet: Don’t Open Suspicious Emails with Fake Invoices, They’re Ransomware Payloaded

Credit: Pixabay

No, there’s no rest for the weary. As if MSSPs didn’t have enough to worry about, the Necurs botnet, among the world’s most nefarious bugs that has zombied some six million endpoints, has transmogrified itself yet again. Symantec researchers detecting the botnet have seen a rush of emails spreading a new variant of the Locky ransomware and, in some instances, the Trickbot banking trojan.

Social engineering in emails is old hat to these Necurs guys. The reinvented botnet now, however, has a downloader attached that’s capable of taking screenshots of infected computers and routing them to remote servers. And, there’s a particularly cynical feature that gives the attackers feedback on how the payload-delivering downloader is doing. That’s right, the notorious spammers want performance details to improve the downloader. Have they no decency? Apparently not.

(Momentary sidetrack: Read this Security Intelligence blog for a comprehensive history of the Necurs botnet.)

Here’s how the scheme works (via Symantec):

  • In a standard social engineering gambit, a message arrives in your inbox with the subject line "Status of Invoice," an invoice reference number, and, of course, an attachment.
  • The message asks the receiver to attend to the invoice by opening the attachment. The attackers are banking, literally, on a goodly number of innocents either absent-mindedly, hurriedly or unknowingly clicking on the file rather than deleting the message. So far, it’s fairly standard stuff--- pounce on the vulnerable.
  • Once the attached file is opened, it downloads a JavaScript that, in turn, downloads the Locky or Trickybot payload. The downloader also runs a PowerShell script that takes a screenshot and saves it to a .jpg file that subsequently is uploaded to a remote server.

What’s particularly interesting is the error-reporting feature. It suggests the attackers want to eyeing details of problems that when fixed could improve the payload’s effectiveness, Symantec said.

“Much like crash reports in OSes can help software companies fix issues and build better products, these error reports can help attackers spot problems in the field and address them to improve success rates. After all, you can’t count on the victims to report back errors and issues!” Symantec’s Security Response team wrote.

Considering that Necurs activity has spiked in recent months after a relatively quiet period from the end of last year into early this year, the upshift to collect performance data is predictive.

“With our data showing a resurgence in activity, and the apparent efforts to collect operational intelligence, we can expect to see continued evolution of the capabilities and a steady increase in Necurs activity levels in the coming months,” the security provider said.

What’s to be done about it? Again, the best advice, Symantec offered, is to follow the standard cyber safety steps (security pros keep repeating them because they’re right).

  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Always keep your security software up to date to protect yourself against any new variants of malware.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Regularly backup any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.

In addition to Symantec, other security specialists have weighed in on the latest Necurs botnet. “This illustrates how cybersecurity has become a sophisticated, no-rules marketplace for the adversary," Gaurav Banga, Balbix founder and CEO, told MSSP Alert. "For cyber-defenders, this highlights the need to observe and analyze information and data about their users, assets and applications, better and faster than the adversary.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.