Security experts have warned that the Necurs botnet is back, spreading a downloader that takes screenshots of victims' desktops and sends runtime error reports back to the attackers.
“Recently we have seen a resurgence of emails sent by the Necurs botnet. The latest blast of emails is spreading a new variant of the Locky ransomware (Ransom.Locky) or Trickybot (Trojan.Trickybot).” the Symantec analysis states.
“What’s interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims. It can take screen grabs and send them back to a remote server. There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.”
The dreaded Necurs botnet is distributed via spam campaigns or through compromised web servers. In January this year, the botnet was used to deliver the Locky ransomware.
At present, Necurs is one of the world's largest malicious infrastructures, and it is spreading a downloader with two new features:
- The first is a PowerShell script that takes a screen grab of the infected user's screen and, after waiting a few seconds, uploads it to a remote server.
- The second is a built-in error-reporting feature that monitors the Necurs downloader for errors and sends the collected information back to the Necurs botmaster.
This is the first time a downloader has included features of this type. According to the security researchers, the creators of Necurs use them to gather intelligence about their campaigns.
“When you consider the screen grab functionality together with the new error-reporting capability, it suggests that the Necurs attackers are actively trying to gather operational intelligence (OPINTEL) about the performance of their campaigns.” Symantec says.
The stolen information allows the attackers to measure the effectiveness of their campaigns and to detect when the malicious code has landed in a valuable environment, such as a corporate network.
The error-reporting feature lets the malware authors fix bugs in their downloader and so improve its success rate.
According to the evidence collected by the security experts, Necurs-related activity has intensified since March this year.
“Necurs went through a long spell of silence from end of 2016 and into early 2017. It burst back onto the scene around March and since then, it has been cranking up its activity levels, with recent months seeing the most action so far in 2017.” Symantec explains.
“With our data showing a resurgence in activity, and the apparent efforts to collect operational intelligence, we can expect to see continued evolution of the capabilities and a steady increase in Necurs activity levels in the coming months.”