Necur botnet resurfaces with added ransomware

Dridex and Locky delivered to victims via compromised computers as the Necurs botnet, dark since late May, starts up again.

Necurs has woken up again
Necurs has woken up again

Necurs, thought to be one of the world's largest botnets, has come back online and is infecting victims with the Locky ransomware and Dridex.

According to security researchers, the botnet went dark at the end of May. At the same time, email campaigns to infect computers with the Locky ransomware also dropped. But now the botnet is back up and running, delivering a new, more potent version of Locky as well as banking Trojan Dridex.

Researchers at Proofpoint have been tracking the Necurs botnet since its re-emergence just a couple of days ago.

“On the evidence of reused IP addresses, this campaign appears to be originating from the Necurs botnet. As of the writing of this blog on June 22, a second, much larger Locky campaign was underway, signalling a clear return of both Locky and the Necurs botnet,” said the researchers in a blog post.

A large Locky campaign with zip attachments containing JavaScript code was discovered. If opened, these attachments would download and install Locky.

It was noted that Locky added a new loader to evade analysis, targeting virtual machines (VMs) with poor maintenance of realistic processor timestamp counter values. Other evasion techniques used JavaScript to obfuscate code and cross-module execution to make manual analysis of memory dumps more difficult.

The researchers said that the introduction of new anti-VM and evasion techniques in the Locky ransomware loader “creates new challenges for analysts, sandboxes and vendors attempting to detect and mitigate the latest version of Locky”.

Just days ago, SC's technology editor Dr Peter Stephenson wrote that reports of the death of the Necurs botnet, as well as Angler EK, were premature. In his article he takes the reader through an analysis of Angler and Necurs.

Jon French, security analyst at AppRiver, told SCMagazineUK.com that the botnet wasn't taken down but “randomly stopped performing its nefarious control of infected computers”.

“With the Locky campaigns today being very similar to what we've seen before, it looks like Necurs is coming back and ramping up. Whether or not this is a temporary spike or a return to pre-June 1 ‘normalcy' is too early to tell,” he said.

“As for the campaign itself, there are multiple different .js files coming in with most just being slight variations in format. So far, the malware traffic accounting for this spike has been handled by rules added anywhere from one to three months ago. Some of these matches were because the .js malware is so similar to previous campaigns, and other rules added a few months ago have now hit. Trying to stay ahead of malware and planning for future variations pays off where sometimes entire campaigns can be stopped at the first message in situations like this.”

Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SC that botnets cannot be fought by shutting them down.

“It's a similar situation to the drug industry – once a drug baron is jailed, another one takes his place because there is a demand for drugs on the market. Demand creates supply, and while we have a demand for cybercrime services, botnets will exist,” he said.