Necurs Botnet Evolves to Hide in the Shadows, with New Payloads


Using an on-again, off-again strategy of C2 communication helps it hide from researchers.

Necurs, the prolific and globally dispersed spam and malware distribution botnet, has been spotted using a fresh hiding technique to avoid detection while quietly adding more bots to its web.

According to research from Black Lotus Labs, the network security arm of telecom and ISP provider CenturyLink, Necurs last year began building regular, sustained downtime into its command-and-control (C2) infrastructure: from about May of last year it was active for roughly three weeks, went quiet for two weeks, and then re-emerged.

More recently, the spells of downtime have lengthened.

“At times, they’ve been known to be inactive for weeks,” the firm said, in a blog post on Thursday. “Most recently, the C2s have gone offline for most of the last four months, coming online for short periods of time about once a week.”

“Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities,” said Mike Benjamin, head of Black Lotus Labs, in a media statement. “What’s particularly interesting is Necurs’ regular cadence of going dark to avoid detection, reemerging to send new commands to infected hosts and then going dark again. This technique is one of the many reasons Necurs has been able to expand to more than half a million bots around the world.”

Necurs remains the second-most prevalent spam botnet, just behind Gamut, according to the December report. Its roughly 570,000 bots are distributed globally, with about half located in the following countries, in order of prevalence: India, Indonesia, Vietnam, Turkey and Iran, according to Black Lotus telemetry. Black Lotus estimates that about 90,000 of those are “orphaned” Necurs bots, meaning they have no C2 communication.

“However, orphaned bots aren’t necessarily permanently removed from the botnet. We have recently observed DGA13 bots that had long been inactive regain communication with Necurs C2s,” researchers said.

Beyond the on-again, off-again approach to its C2, Black Lotus has also observed the botnet’s payloads evolving.

“Last year, Necurs was used for spamming stock and cryptocurrency pump-and-dump schemes, as well as helping lonely individuals find love through dating site spam,” according to the blog. “Most recently, Necurs has been seen pushing out infostealers and RATs, like AZOrult and FlawedAmmyy, to targeted hosts based on specific information found on infected hosts and deploying a new sophisticated .NET spamming module which can send spam using a victim’s email accounts. These new capabilities represent a significant increase in Necurs’ ability to perpetrate spear-phishing, financial crimes and espionage.”

CenturyLink has been actively trying to sinkhole parts of Necurs, but the blog noted how difficult that is, because Necurs uses a domain generation algorithm (DGA) to obfuscate its C2 infrastructure and resist takedown.

“When the Necurs operators register a DGA domain to inform the bots of the new C2, the domain is not pointed to the real IP address of the new C2 host,” the firm explained. “Instead, the real IP address of the C2 is obfuscated with what is essentially an encryption algorithm. The bot will then ‘decrypt’ the obfuscated IP address and contact the new C2. This prevents researchers from being able to identify new C2s simply by querying the DGA domains, but more importantly, it makes it difficult for researchers to sinkhole these DGA domains.”

However, the DGA is a double-edged sword: “Because the DGA domains Necurs will use are known in advance, security researchers can use methods like … analyzing DNS and network traffic to enumerate bots and the C2 infrastructure,” Black Lotus noted. It added, “In order to get the bot to talk to a sinkhole, the obfuscation function must be run against the real IP and the DGA domain’s A record must be set to the resulting value. This can be done by inverting the obfuscation algorithm and implementing it in the same way that the Necurs operators would.”
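As an added illustration (not code from Black Lotus Labs, CenturyLink or the Necurs operators), the following Python models the two mechanics described in the last three paragraphs: a DGA domain’s A record carries an obfuscated address that the bot inverts to recover the real C2, so a sinkhole operator has to publish the transformed sinkhole address rather than the raw one; and because the domain list is known in advance, DNS logs can be matched against it to enumerate bots and decode the C2s they were pointed at. The transform used here (a domain-keyed XOR, rotate and add), the domain names, the client and C2 addresses and the DNS log lines are all constructed assumptions for the example, not Necurs’ real algorithm or data.

```python
"""Toy model of DGA-domain C2 address obfuscation, sinkholing and bot enumeration.

ASSUMPTION: the obfuscation transform below is invented for illustration; it is
not Necurs' real algorithm. The DGA domains, hosts and DNS log lines are
constructed sample data.
"""
import hashlib
import ipaddress
import re

# Constructed stand-ins for DGA domains a researcher has precomputed in advance.
DGA_DOMAINS = {"qvxkzplmtr.com", "hwtlbocufa.net", "mzsadfrxkp.org"}

MASK32 = 0xFFFFFFFF


def _key_for(domain: str) -> int:
    """Hypothetical: derive a 32-bit key from the DGA domain name itself."""
    return int.from_bytes(hashlib.sha256(domain.encode()).digest()[:4], "big")


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def obfuscate_ip(real_ip: str, domain: str) -> str:
    """Operator side: the value published as the DGA domain's A record (hypothetical)."""
    k = _key_for(domain)
    x = int(ipaddress.IPv4Address(real_ip))
    x = (_rol(x ^ k, 13) + k) & MASK32
    return str(ipaddress.IPv4Address(x))


def deobfuscate_ip(record_ip: str, domain: str) -> str:
    """Bot side: invert the transform on the A record to recover the real C2 IP."""
    k = _key_for(domain)
    x = int(ipaddress.IPv4Address(record_ip))
    x = _ror((x - k) & MASK32, 13) ^ k
    return str(ipaddress.IPv4Address(x))


def sinkhole_record(sinkhole_ip: str, domain: str) -> str:
    """Researcher side: the A record to publish so bots decode to the sinkhole.

    Publishing the raw sinkhole IP would not work: the bot would run the
    inverse transform on it and contact some unrelated address instead.
    """
    return obfuscate_ip(sinkhole_ip, domain)


# Constructed DNS log lines: timestamp, client, record type, query name, answer.
REAL_C2 = "198.51.100.20"
DNS_LOG = [
    f"2019-12-05T10:00:01Z 10.1.2.3 A qvxkzplmtr.com {obfuscate_ip(REAL_C2, 'qvxkzplmtr.com')}",
    "2019-12-05T10:00:02Z 10.1.2.4 A www.example.com 93.184.216.34",
    f"2019-12-05T10:00:05Z 10.1.2.9 A hwtlbocufa.net {obfuscate_ip(REAL_C2, 'hwtlbocufa.net')}",
    "2019-12-05T10:00:07Z 10.1.2.3 A mzsadfrxkp.org NXDOMAIN",
]
LOG_RE = re.compile(r"^(\S+) (\S+) A (\S+) (\S+)$")


def enumerate_bots(lines):
    """Return {client_ip: {decoded C2 IPs}} for clients resolving known DGA domains.

    An unregistered DGA domain answers NXDOMAIN; the querying client is still
    flagged as a bot, it just contributes no decoded C2 address.
    """
    bots = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, name, answer = m.groups()
        if name not in DGA_DOMAINS:
            continue
        c2s = bots.setdefault(client, set())
        if answer != "NXDOMAIN":
            c2s.add(deobfuscate_ip(answer, name))
    return bots


if __name__ == "__main__":
    for client, c2s in sorted(enumerate_bots(DNS_LOG).items()):
        print(client, "->", sorted(c2s) or "no C2 decoded")
    print("sinkhole A record for mzsadfrxkp.org:", sinkhole_record("192.0.2.50", "mzsadfrxkp.org"))
```

The point the block makes is the last sentence of the quote above: enumeration is cheap once the domain list is known, but taking a domain over requires reimplementing the operators’ transform exactly, since the bot never trusts the raw A record.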
