It has been reported that variants of the malware named Necurs are spreading. The malware mainly targets Windows operating systems and is well known for its spamming and malware-distribution functionality. It mainly spreads through spear-phishing emails containing phishing URLs or malicious attachments, and also through dating sites.
It has the following functionalities:
- Anti-detection capabilities: it hides itself by disabling antivirus driver components or other security features.
- Spreads banking Trojans, ransomware, RATs, information stealers or cryptocurrency miners.
- Stops its activities for a period of time and then reinitiates with new commands for the infected hosts.
- Machines infected with the Necurs botnet make network connections to a remote command and control server to receive commands and act accordingly.
- Makes use of victims' email IDs to send spam emails.
- Spreads malware that is capable of launching DDoS attacks.
Necurs has kernel-mode rootkit capabilities, comprising a kernel-mode driver and a user-mode component, thereby giving the attacker the highest level of privileges. It also has a modular architecture, making it suitable for spreading different malware and performing different functions when required.
Network Connections:
It uses a DGA (domain generation algorithm) to hide its activities and avoid detection. Each time a new domain is registered, the corresponding C2 server IP address remains obfuscated and is decrypted by the bot to establish a connection with the remote C2 server. This encryption makes it difficult to sinkhole these DGA domains.
The DGA used is a double-edged DGA, i.e. it uses two DGAs for domain generation, explained as follows:
- DGA1: Detects a sandbox environment and generates only 4 domains at a time.
- DGA2: Generates 2048 domains covering 43 different TLDs (top-level domains) and expires every fourth day.
Along with this, it also has some hardcoded domains used as fallback domains to reach the C2 server.
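A defender-side check that follows from the DGA behaviour above (an added example, not code from the advisory): a bot working through DGA2's candidate list produces a burst of failed lookups spread over many TLDs, so a resolver log can be screened for exactly that pattern. The log lines, host addresses, domain names and thresholds below are all constructed for illustration.

```python
"""Flag hosts whose DNS failures look like DGA churn: many NXDOMAIN answers
across many distinct TLDs in a short window. Thresholds and log are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed resolver log, one query per line: "<ISO time> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 www.example.com NOERROR
2024-01-10T09:00:02 10.0.0.7 kqzvx.pw NXDOMAIN
2024-01-10T09:00:02 10.0.0.7 tmbwa.biz NXDOMAIN
2024-01-10T09:00:03 10.0.0.7 plwrc.top NXDOMAIN
2024-01-10T09:00:03 10.0.0.7 hbvqs.xyz NXDOMAIN
2024-01-10T09:00:04 10.0.0.7 ncrdt.info NXDOMAIN
2024-01-10T09:00:04 10.0.0.7 zqlwe.club NXDOMAIN
2024-01-10T09:00:06 10.0.0.5 typo.exampel.com NXDOMAIN
"""

def parse_log(text):
    """Yield (time, client, qname, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def tld_of(qname):
    """Last label only ('kqzvx.pw' -> 'pw'); public-suffix handling is out of scope."""
    return qname.rsplit(".", 1)[-1]
def dga_suspects(text, window=timedelta(minutes=5), min_nx=5, min_tlds=4):
    """Map client -> (nxdomain_count, tld_count) of its densest window-sized run
    of NXDOMAIN answers that reaches min_nx names spread over min_tlds TLDs."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, tld_of(qname)))
    suspects = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start so events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            tlds = {t for _, t in span}
            if len(span) >= min_nx and len(tlds) >= min_tlds:
                best = suspects.get(client, (0, 0))
                suspects[client] = max(best, (len(span), len(tlds)))
    return suspects
```

Only the client with six NXDOMAIN answers across six TLDs is flagged; the host with a single typo lookup is not.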
IOC:
Malware Hashes:
For a list of complete file SHA 256 hashes, check the attachment:
Best Practices:
- Delete the system changes made by the malware, such as created files, registry entries and services.
- Monitor traffic generated from client machines to the domains and IP addresses mentioned in the Installation section.
- Avoid downloading pirated software.
- Protect yourself from social engineering attacks.
- Scan infected systems with an updated antivirus solution.
- Disable Autorun and Autoplay policies.
- Use a limited-privilege user account on the computer, and grant administrative access to systems only through dedicated administrative accounts for administrators.
- Do not visit untrusted websites.
- Do not download or open attachments in emails received from untrusted sources, or received unexpectedly from trusted users.
- Enforce a strong password policy and implement regular password changes.
- Enable a personal firewall on workstations.
- Disable unnecessary services on agency workstations and servers.
- Always change default login credentials before deployment in production.