The New Face Of Necurs: Noteworthy Changes To Necurs' Behaviors


The New Face Of Necurs: Noteworthy Changes To Necurs' Behaviors (Jun 28, 2018)

The malware, Necurs, has changed its methods for utilizing its infected hosts (bots), researchers at Trend Micro have discovered. Recently, Necurs has begun installing XMRig, a Monero Miner, on its infected machines, gaining at least $1,200 USD in 24 hours. It has also started pushing the Remote Access Trojan (RAT), FlawedAmmyy, to its bots which utilizes the same functionalities of the remote access tool, Ammyy Admin, which gives the botmaster remote access to the machine, file system management, proxy support, and audio chat. Depending on if particular criteria are met, Necurs will push different modules through command and control (C2) commands to then installs the FlawedAmmyy RAT. Necurs has also begun pushing modules to extract emails, specifically Outlook, to drop the RAT. Necurs also appears to have changed its tactics for spamming. Necurs now uses a .NET module that can send emails and steal credentials via Internet Explorer, Chrome, and Firefox. Researchers have pieced together that threat actors are interested in government, financial institutions, tourism and food industries, and real estate companies. It is possible that this evolution of Tactics, Techniques, and Procedures (TTPs) for Necurs is leading up to future campaigns.

Recommendation: Researchers recommend that organizations utilize security software that detects malicious files, spam, and URLs. It is important to stay up-to-date with the latest security firmware. It is crucial to educate your employees to be aware of spam emails and not to open any link or download any file from an email one does not recognize. As malware further develops and adapts to bypass detection, it is critical that organizations stay informed of new TTPs of threat actors and utilize proper security hygiene.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.