The notorious Necurs botnet is back with a new strategy for delivering payloads while evading detection. Spear-phishing, financial crime, and espionage tend to rise whenever the botnet becomes active.
After a stretch of inactivity, research by Black Lotus Labs, the security arm of the telecom company CenturyLink, found that the botnet’s latest campaign used new payloads designed to stay invisible to security tools. In its write-up, the firm detailed how Necurs uses a domain generation algorithm (DGA) for its command and control (C2) communications and how it protects itself against removal from infected hosts.
One in five bots was observed in India, and the Necurs bots were said to originate from Russia. According to McAfee Labs, which has been monitoring Necurs for a long time, the largest numbers of infections are found in India, Indonesia, Vietnam, Turkey, and Iran, which together account for about 50% of the total. About 16% of the Necurs bots are considered “orphaned” because they have lost their connection to the C&C server, something that happened to this botnet on a larger scale in 2016. The remaining active bots are up and running but go through long periods of inactivity to avoid detection. Researchers fear that even the seemingly dormant 16% may wake up at some point in the future.
Necurs is believed to use domain generation algorithms (DGA) to hide and avoid takedown, and its latest campaigns include spear-phishing and espionage. Recent activity showed the botnet deploying information stealers and remote access trojans (RATs). Necurs is said to be modular: there are separate modules for spamming, for mining cryptocurrency, and for carrying out DDoS attacks.
In terms of architecture, Necurs employs a mix of direct C2, DGA, and peer-to-peer (P2P) communication. The C2 server pushes up-to-date peer lists to the botnet, which keeps it resilient and keeps its network traffic obfuscated. If communication with the C2 server is lost, the bots look for new instructions through the P2P network and the designated DGA. According to the researchers who monitor and try to contain Necurs, its use of DGA is both its strength and its weakness: because the generated domains can be computed in advance, they can be sinkholed, allowing researchers to analyze the botnet’s network traffic and server infrastructure. Still, as things stand, Necurs keeps evolving and should continue to be monitored.
“When the Necurs operators register a DGA domain to inform the bots of the new C2, the domain is not pointed to the real IP address of the new C2 host. Instead, the real IP address of the C2 is obfuscated with what is essentially an encryption algorithm. The bot will then “decrypt” the obfuscated IP address and contact the new C2,” the article reads. This is what Black Lotus Labs researchers ran into when they tried to sinkhole these DGA domains: because the published A record is an obfuscated value rather than the real address, the botnet can keep generating new C2s while their real IPs remain hard to identify.
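To make the two points above concrete (the DGA fallback described in the architecture paragraph, and the obfuscated A record described in the quote), here is an added Python example. It is not Black Lotus Labs’ code and not Necurs’ actual algorithm; the seed, XOR key, domain derivation, and TLD list are all hypothetical stand-ins for whatever a real sample would carry. It models both sides: the operator registers one of the day’s candidate domains but points it at a masked address, the bot walks the same candidate list and unmasks what it resolves, and a defender who has precomputed the domains (the DGA’s weakness) but not extracted the key only sees the masked value (its strength).

```python
import datetime
import hashlib
import ipaddress

# Constructed, hypothetical values. In practice the seed and key would have to
# be recovered by reverse engineering the bot; they are not public knowledge.
SEED = b"example-dga-seed"
XOR_KEY = b"\x5a\xa5\x3c\xc3"
TLDS = ("com", "net", "biz")
DAY = datetime.date(2020, 1, 15)


def dga_domains(seed: bytes, day: datetime.date, count: int = 8) -> list[str]:
    """Deterministically derive `count` candidate domains for `day`.

    The output depends only on (seed, day, index), so a defender who holds
    the seed can precompute the same list and register or sinkhole it.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        h = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        domains.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return domains


def mask_ip(addr: str, key: bytes) -> str:
    """XOR an IPv4 address with a 4-byte key.

    Symmetric: applying it to a masked address with the same key yields the
    original, so the same function serves as "encrypt" and "decrypt".
    """
    raw = int(ipaddress.IPv4Address(addr)).to_bytes(4, "big")
    masked = bytes(a ^ b for a, b in zip(raw, key))
    return str(ipaddress.IPv4Address(masked))


def operator_publish(real_c2: str, domain: str, key: bytes,
                     dns: dict[str, str]) -> None:
    """Operator side: register one DGA domain, but point its A record at the
    masked address rather than the real C2 host."""
    dns[domain] = mask_ip(real_c2, key)


def bot_locate_c2(seed: bytes, day: datetime.date, key: bytes,
                  dns: dict[str, str], count: int = 8):
    """Bot side (fallback after losing the C2): walk the day's candidate
    list, take the first domain that resolves, and unmask its A record."""
    for domain in dga_domains(seed, day, count):
        a_record = dns.get(domain)
        if a_record is not None:
            return domain, mask_ip(a_record, key)
    return None


def sinkhole_view(seed: bytes, day: datetime.date,
                  dns: dict[str, str], count: int = 8) -> dict[str, str]:
    """Defender without the key: can enumerate the domains ahead of time,
    but resolving a registered one only yields the masked address."""
    return {d: dns[d] for d in dga_domains(seed, day, count) if d in dns}


if __name__ == "__main__":
    dns: dict[str, str] = {}          # stand-in for real DNS resolution
    target = dga_domains(SEED, DAY)[3]
    operator_publish("203.0.113.10", target, XOR_KEY, dns)
    print("sinkhole sees:", sinkhole_view(SEED, DAY, dns))
    print("bot finds:", bot_locate_c2(SEED, DAY, XOR_KEY, dns))
```

The `dns` dictionary stands in for live DNS so the script runs offline. The practical lesson is the one the article draws: enumerating and sinkholing the domains is enough to observe which hosts are infected, but identifying the real C2 additionally requires the unmasking key from the binary itself.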