Recently we noticed the Necurs botnet launching a small spam campaign with a HTML redirector as an attachment. The HTML is crafted to perform a DNS query to the spammer’s domain, obtain the DNS TXT Record and execute data within that record. This leads to redirection to unwanted advertisements and scam webpages. This is the first time we have seen this botnet delve into this strategy.
The emails spammed by Necurs had a subject “Delivery <Number>”. The email body is obfuscated using Cyrillic characters.
The emails have a single attachment named “invoic-<random alphanumeric>.html”. There are two versions of the HTML – one which renders a simple text that reads “Loading…” and executes a query to Google Public DNS, while the other type, without rendered text, uses JSONDNS for redirection. Let's delve into the analysis of these files below.
Attachment Type 1: Using Google Public DNS
Attachment Type 2: Using opensource JSONDNS
The other type of HTML attachment is simpler and smaller by using JSONDNS, an opensource DNS Service platform that performs DNS queries via HTTP.
Unfortunately for this HTML sample, the browser will not be able to display the intended URL because window.location.replace is called twice. The URL in the browser will be replaced with the value of the rdata entry.
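Since the point of this technique is to keep the URL out of the attachment itself, a gateway scanner can instead look for the combination the text describes: a DNS-over-HTTP lookup of a TXT record plus a navigation or eval sink. The following is an added example (not code from the original post or from Necurs samples); the dns.google resolve path is Google's documented JSON API, while the "jsondns" hostname match, the sample documents and their angle-bracket placeholders are constructed assumptions.

```python
import re
from typing import Dict, List

# DNS-over-HTTP lookup indicators. The dns.google path is Google's documented
# JSON API; "jsondns" is an assumed loose hostname match, not a known endpoint.
DOH_PATTERNS = {
    "google_public_dns_json": re.compile(r"dns\.google(?:\.com)?/resolve", re.I),
    "jsondns": re.compile(r"jsondns", re.I),
}
TXT_QUERY = re.compile(r"type=(?:TXT|16)\b|[\"']TXT[\"']", re.I)
# Sinks that turn fetched record data into navigation or code execution.
SINKS = {
    "location_replace": re.compile(r"location\.replace\s*\(", re.I),
    "location_assign": re.compile(r"location\.(?:href|assign)\b", re.I),
    "eval_like": re.compile(r"\b(?:eval|Function)\s*\(", re.I),
}

def scan_html_attachment(html: str) -> Dict[str, object]:
    """Flag an HTML attachment that resolves DNS over HTTP and feeds the
    result into a navigation or eval sink; also count location.replace calls."""
    findings: List[str] = []
    for name, pat in DOH_PATTERNS.items():
        if pat.search(html):
            findings.append("doh:" + name)
    if TXT_QUERY.search(html):
        findings.append("txt_query")
    for name, pat in SINKS.items():
        if pat.search(html):
            findings.append("sink:" + name)
    has_doh = any(f.startswith("doh:") for f in findings)
    has_sink = any(f.startswith("sink:") for f in findings)
    return {
        "verdict": "suspicious" if has_doh and has_sink else "clean",
        "findings": findings,
        # The JSONDNS variant described above calls location.replace twice.
        "double_replace": len(SINKS["location_replace"].findall(html)) >= 2,
    }

# Constructed samples with placeholders in <angle brackets>; not live redirectors.
TYPE1_SAMPLE = """<html><body>Loading...<script>
fetch("https://dns.google/resolve?name=<spammer-domain>&type=TXT")
window.location.replace(<rdata>)</script></body></html>"""
TYPE2_SAMPLE = """<html><body><script>
get("https://<jsondns-host>/?name=<spammer-domain>&type=TXT")
window.location.replace(<rdata>); window.location.replace(<rdata>)
</script></body></html>"""
BENIGN_SAMPLE = '<html><body><a href="https://example.com/invoice">Invoice</a></body></html>'
```

The "double_replace" flag is the fingerprint of the second attachment type, where the page never reaches the intended URL.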
Necurs is still sending out spam campaigns from time to time, although the output from this botnet is now sporadic and small in volume. Though this campaign is low in volume, it is significant since it shows that the people behind this botnet are trying out new techniques. Now they are exploring the world of DNS and have utilized the DNS TXT Record to hide the malicious/unwanted URLs from email gateway scanners. Furthermore, they tried out the opensource JSONDNS, which supports cross-domain access (bypassing the same-origin policy security model). Perhaps the operators are at an early stage of development of this type of spam campaign. The payload for many previous Necurs campaigns was malware, and it would not take much for the payload to switch from ‘harmless’ advertising to something more sinister.
While new to Necurs, the DNS TXT Record strategy itself is not new. For example, we observed that the Carbanak campaign in April 2017 also used DNS TXT Records to obtain and execute the malware on the compromised system.