New Tricks of Necurs Botnet

Delaware, USA – April 30, 2018 – Necurs is one of the world’s largest botnets specializing in mass spam campaigns that can send more than 20 million emails a day. Attackers use it to distribute ransomware, banking trojans and cryptocurrency miners. The botnet is constantly evolving, and this month the researchers discovered new infection techniques used by Necurs as well as changes in botnet’s infrastructure that make it difficult to disable its command and control servers.

Researchers from Trend Micro discovered a campaign distributed archived .URL shortcut files. This technique allows attackers to disguise files as folders. When a victim executes .URL file, it opens the webpage with malicious script in a browser, which downloads and launches Quantloader malware. Quantloader allows attackers to ensure the persistence on the victim’s system and to use it as a downloader for more dangerous malware.

Previously, researchers from FireEye published a study in which they noted that many hacker groups, including the Necurs botnet operators, began to use blockchain infrastructure for malicious operations. Namecoin’s decentralized domains allow them to remain anonymous, and if their malicious actions are uncovered, it would be much more difficult for law enforcement agencies to shut down C&C servers.

Botnet Necurs has been distributing Windows malware for 6 years, constantly adopting new techniques to bypass security solutions. You can use Threat Hunting Framework for ArcSight to speed up investigation of suspicious events in your organization. This use case tracks URL, IP, domains and file hashes across all your log sources and controls Data Acquisition.