Necurs Botnet Evolves to Hide in the Shadows, with New Payloads (Mar 1, 2019)
Black Lotus Labs researchers have published a report discussing the prolific “Necurs” botnet and a new technique the malware was observed using. The Necurs botnet is known to go through active and inactive cycles that are believed to be caused by threat actors conducting Command and Control (C2) infrastructure maintenance. This technique could also be used to allow downtime for some C2 servers to avoid detection. Now researchers have observed that the botnet is spending most of its time in an inactive state, sometimes for several months, and only becomes active about once per week for an unspecified, short period of time. The objective of this tactic is likely to increase the chances that the malware will remain undetected and continue to carry out its malicious capabilities, such as conducting Distributed Denial-of-Service (DDoS) attacks and downloading Remote Access Trojans (RATs), among other payloads. The countries with the largest numbers of infections, in descending order, are: India, Indonesia, Vietnam, Turkey, and Iran.
Recommendation: Botnets tend to take advantage of internet-connected devices that have been misconfigured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. Organizations and defenders should be aware of all their internet-facing assets and have them under strict monitoring.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.