Originally observed in 2012, Necurs is a family of malware containing rootkit capabilities that was used to form one of the world’s largest criminal botnets. Necurs has both a user mode and kernel mode component used to access systems at the root level and dynamically load additional modules. It is distributed via exploit kits as well as through other malware such as the Zeus Trojan and has been used to deliver Dridex and Locky through spam campaigns.
It maintains connections to its C2 servers by employing several techniques at once: HTTP using a list of hardcoded servers, HTTP using servers obtained through a domain generation algorithm (DGA), and a custom peer-to-peer (P2P) network used to transmit lists of HTTP C2 servers. Necurs also contains an algorithm that converts the IP addresses it receives in DNS responses into the actual C2 server IP addresses. This hinders sinkholing of the malware unless that algorithm is reversed, because the address published in DNS is not the address the bot ultimately contacts.
On March 28, 2016, Anubis Networks witnessed a spike in Necurs infections reaching over 650,000, up from their recorded average of 50,000 infections. On June 1, 2016, Anubis recorded the activity of nearly 1.1 million Necurs bots via their sinkhole after the Necurs C2 infrastructure mysteriously went offline the previous night. This allegedly led to the temporary disappearance of Dridex and Locky which both relied on the Necurs infrastructure to operate.
Around June 11, 2016, MalwareTech noticed a brief revival of Necurs as new C2 servers were pushed to the botnet over a period of approximately 72 hours. By June 19th the new Necurs C2 infrastructure had been reliably established and, on June 21st, Necurs began spamming a new Locky ransomware campaign.
On February 24, 2017, Anubis Networks reported having decrypted C2 communication traffic and observing a request made by a Necurs bot to load two distinct modules – a spam module and a DDoS module. The DDoS module could cause the bot to generate a flood of HTTP and UDP requests. At the time of this report, Anubis Networks had yet to witness the active use of this module by Necurs but had emphasized that this new capability could result in powerful DDoS attacks given the size of the botnet.
On May 11, 2017, Flashpoint observed the Necurs botnet distributing Jaff ransomware via a number of large spam campaigns. Flashpoint reports that this botnet comprises a number of smaller botnets, distinguishable by the seed value located within Necurs' domain generation algorithm (DGA) code. Although each of the smaller botnets within the Necurs botnet may be used for different types of spam campaigns, they all use the same C2 infrastructure.
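The two mechanisms described above, a seeded DGA that partitions the botnet and a transform between the DNS-resolved address and the real C2 address, are illustrated below from a sinkhole operator's point of view. This is an added example and not Necurs' actual code: the DGA, the XOR-based IP transform, the seed values and the addresses are all constructed for illustration, and the real algorithms are not on this page.

```python
"""Added illustration, not Necurs' own code: a hypothetical seeded, date-based
DGA and a hypothetical DNS-answer-to-C2 address transform, written from the
sinkhole operator's side (which domains to register, which A record to serve)."""
import datetime
import ipaddress

TLDS = ("com", "net", "biz")  # constructed TLD set for the toy DGA


def dga(seed: int, day: datetime.date, count: int = 8) -> list[str]:
    """Hypothetical DGA: a linear congruential generator keyed by a per-botnet
    seed and the current date. Different seeds yield disjoint domain sets, which
    is why the seed lets analysts tell sub-botnets apart, and why a defender must
    reproduce the algorithm (and know the seed) to pre-register the domains."""
    state = (seed * 0x9E3779B1 + day.toordinal()) & 0xFFFFFFFF
    domains = []
    for _ in range(count):
        name = []
        for _ in range(12):
            state = (state * 1103515245 + 12345) & 0x7FFFFFFF
            name.append(chr(ord("a") + (state >> 16) % 26))
        domains.append("".join(name) + "." + TLDS[state % len(TLDS)])
    return domains


IP_KEY = 0x5A5A5A5A  # constructed key; the real transform is not documented here


def dns_to_c2(resolved: str) -> str:
    """Hypothetical bot-side transform: the A record the bot receives is not the
    C2 address; the bot XORs it with a fixed key. A sinkhole that merely captures
    the resolved address is therefore never contacted."""
    n = int(ipaddress.IPv4Address(resolved))
    return str(ipaddress.IPv4Address(n ^ IP_KEY))


def c2_to_dns(c2: str) -> str:
    """Inverse of dns_to_c2: the A record a sinkhole operator must publish so
    that the bot's transform yields the sinkhole's real address. XOR with a
    fixed key is its own inverse, so the same operation applies."""
    return dns_to_c2(c2)


def sinkhole_plan(seed: int, day: datetime.date, sinkhole_ip: str) -> dict:
    """Everything needed to sinkhole one sub-botnet for one day: the domains to
    register and the (transformed) A record to serve for them."""
    return {"domains": dga(seed, day), "a_record": c2_to_dns(sinkhole_ip)}


if __name__ == "__main__":
    today = datetime.date(2017, 5, 11)  # constructed date
    for seed in (1, 2):  # constructed sub-botnet seeds
        plan = sinkhole_plan(seed, today, "192.0.2.10")  # TEST-NET address
        print(f"seed {seed}: register {plan['domains'][:2]} ... "
              f"serve A record {plan['a_record']}")
```

The point for a defender is the last function: without both the DGA (with the right seed) and the address transform, registering the right domains is not enough, because the A record you serve is run through the bot's transform before it is used.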
Reporting and Technical Details
- August 2015: Monitoring Necurs – The Tip of the Iceberg (Anubis Networks)
- June 2016: One of the World’s Largest Botnets Has Vanished (Motherboard)
- June 2016: What’s Happening with Necurs, Dridex, and Locky? (MalwareTech)
- June 2016: Necurs Botnet Reactivated: Locky Ransomware Emails Surge (SpamTitan)
- September 2016: Necurs – the Heavyweight Malware Spammer (Trustwave)
- January 2017: Without Necurs, Locky Struggles (Cisco Talos)
- February 2017: Necurs Proxy Module with DDoS Features (Anubis Networks)
- Necurs Botnet Monitor (MalwareTech)
- April 2017: Locky Returns Via Necurs (Cisco Talos)
- June 2017: Necurs Botnet Fuels Massive Spam Campaigns Spreading "Jaff" Ransomware (Flashpoint)
- November 2017: Massive Email Campaign Spreads Scarab Ransomware (Forcepoint)