Saturday, June 22, 2024

Locky Ransomware Used Necurs Malware Again back To Form and Take a Screenshot of Your Screen

A Dangerous Necurs malware evolving again and spreading via new email campaign by Necurs bots or hacked web servers and mainly taking a screenshot of infected victims screen.

Necurs malware calls it as downloader or loader which infect the bootloader and download the second level of payloads like Ransomware or other persistent malware.

Recent days  Necurs Botnet mainly used to spreading a Locky Ransomware which is one of the dangerous ransomware in history that infected million of peoples around the World.

Necurs Malware also having an error reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.

How Does Necurs Malware Works

Same as traditional invoice Social Engineering Email that contains a message urging the reader to open the attachment to check the invoice.

The email contains an attached .html file with embedded javascript and the javascript get executed then it will download a payload of Locky Ransomware.

Once it executes the Final Payload, it  will run a PowerShell script that takes a screenshot the Entire Screee and saves it with name as generalpd.jpg.
According to Symantec, This functionality is interesting because downloaders tend to just deliver a payload and then disappear as quickly as possible. When you consider the screen grab functionality together with the new error-reporting capability, it suggests that the Necurs attackers are actively trying to gather operational intelligence (OPINTEL) about the performance of their campaigns

Necurs Error Reporting capability helps an attacker to fix the Problem while Malware Performing in the Victims side and also helps to increase the success rate of attack same operating system Error reporting method that helps to fix the issue and build a better Product.

Symantec also provided a graphic with Necurs spam waves this year, confirming previous reports of increased activity in the past few months. Currently, the Necurs botnet is busy pushing the Locky ransomware and the TrickBot banking trojan.

Symantec Recommend users to follow the following Mitigations to secure from this Dangerous Malware.

  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Always keep your security software up to date to protect yourself against any new variants of malware.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.

Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles