Necurs Botnet

Original Issue Date:- September 24, 2019
Virus Type:-Banking Trojan
Severity:- High

It has been reported that the variants of the malware named as Necurs are spreading. The malware mainly targets the windows operating systems and is well known for its spamming and malware distribution functionalities. The malware mainly spread by means of spear phishing emails containing phishing URLs or malicious attachments and also through dating sites.

It has the following functionalities:

  • Anti-detection capabilities to hide itself by disabling Antivirus driver components or other security features.
  • Spread banking Trojans, ransomwares, RATs, infostealers or cryptocurrency miners
  • Stop its activities for a period of time and then reinitiate with new commands for the infected hosts.
  • Machines infected with necurs botnet make network connections to remote command and control server to receive commands and operate accordingly.
  • Make use of victims email IDs to send spam mails.
  • Spreads malware that are capable of launching DDoS attacks.

Necurs has kernel mode rootkit capabilities, comprising of kernel mode driver and user mode component, thereby giving the highest level of privileges to the attacker. Along with this, it also has modular architecture making it suitable to spread different malwares and perform different functions when required.


Network Connections:

It uses DGA(domain generation algorithm) to hide its activities and avoid detection.Every time a new domain is registered, its corresponding C2 server IP address is remain obfuscated which is then decrypted by the Bot to establish connection with remote C2 server. This encryption makes difficult to sinkhole these DGA domains.

The DGA Algorithms used are double edge DGA which uses 2 DGAs for domain generation. It is explained as follows:

  • DGA1: Detects sandbox environment and generates only 4 domains at a time.
  • DGA2: generates 2048 domains covering 43 different TLDs(top level domains) and expires every fourth day.

Along with this, it also has some hardcoded domains to be used as fallback domains to call the C2 server.


IOC:

Malware Hashes:

  • 03c770882e87585fea0272a8e6a7b7e37085e193475884b1316e14fb193e992d
  • b0c173e0fc28e0f1bc8debfe49de01f306d372a0516d88201b87e441f3de303e
  • b87e0dd9b0e032c6d2d5f0bf46f00243a2a866bf1d3d22f8b72737b4aa1148eb
  • 00ca7e9e61a3ceaa4b9250866aface8af63e5ae71435d4fd6c770a8c9a167f22
  • For a list of complete file hashes, visit here


Best Practices:

  • Delete the system changes made by the malware such as files created/ registry entries /services etc.
  • Monitor traffic generated from client machines to the domains and IP address mentioned in Installation section.
  • Avoid downloading pirated software.
  • Protect yourself from social engineering attacks.
  • Scan infected system with updated versions of Antivirus solution
  • Disable Autorun and Autoplay policies.
  • Use limited privilege user on the computer or allow administrative access to systems with special administrative accounts for administrators.
  • Do not visit untrusted websites.
  • Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on workstation.
  • Disable unnecessary services on agency workstations and servers.
  • Always change Default login credentials before deployment in production.


References: