Necurs malware

A Dangerous Necurs malware evolving again and spreading via new email campaign by Necurs bots or hacked web servers and mainly taking a screenshot of infected victims screen.

Necurs malware calls it as downloader or loader which infect the bootloader and download the second level of payloads like Ransomware or other persistent malware.

Recent days  Necurs Botnet mainly used to spreading a Locky Ransomware which is one of the dangerous ransomware in history that infected million of peoples around the World.

Necurs Malware also having an error reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.

How Does Necurs Malware Works

Same as traditional invoice Social Engineering Email that contains a message urging the reader to open the attachment to check the invoice.

The email contains an attached .html file with embedded javascript and the javascript get executed then it will download a payload of Locky Ransomware.

Once it executes the Final Payload, it  will run a PowerShell script that takes a screenshot the Entire Screee and saves it with name as generalpd.jpg.

According to Symantec, This functionality is interesting because downloaders tend to just deliver a payload and then disappear as quickly as possible. When you consider the screen grab functionality together with the new error-reporting capability, it suggests that the Necurs attackers are actively trying to gather operational intelligence (OPINTEL) about the performance of their campaigns

Necurs Error Reporting capability helps an attacker to fix the Problem while Malware Performing in the Victims side and also helps to increase the success rate of attack same operating system Error reporting method that helps to fix the issue and build a better Product.

Symantec also provided a graphic with Necurs spam waves this year, confirming previous reports of increased activity in the past few months. Currently, the Necurs botnet is busy pushing the Locky ransomware and the TrickBot banking trojan.

Symantec Recommend users to follow the following Mitigations to secure from this Dangerous Malware.

  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Always keep your security software up to date to protect yourself against any new variants of malware.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.