SpiderLabs Blog

Necurs – the Heavyweight Malware Spammer

Today we want to dwell upon a pesky botnet that goes by the name of Necurs, and in particular its spamming activities. The botnet has been responsible for a massive amount of malware distributed via spam over the last 18 months. If you have recently encountered malicious emails with Word documents containing macros, or JavaScript attachments, the odds are high that it was Necurs that spammed them out. What we wish to do here is to highlight our observations of Necurs to illustrate why it is such a menace.

Necurs - Background

The Necurs malware has been around since at least 2012, but it has only recently come to light as the culprit behind the recent waves of spam which distribute malware that in turn leads to malware such as Dridex and Locky, among others. It hit the news back in June when it was suggested the botnet had been disrupted. No such luck, as it turns out: after a few days the operation was up and happily spamming away again.

Necurs employs a kernel-mode rootkit, which hides and protects its other components, including the spam module, which is the part that distributes the malware-laden emails. The botnet has a sophisticated hybrid command and control model. Commands can be sent from a central control server to individual bots as usual, but Necurs also has peer-to-peer capability, where individual bots can share lists of control server IP addresses with each other. In addition, Necurs uses domain generation algorithms to try to identify control servers. These features give the botnet added resiliency against efforts to disrupt it.

[Figure: Necurs bot performing DNS queries based on domain generation routines]
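The DNS-query behaviour shown above is something a defender can look for in resolver logs without knowing the bot's specific generation routine: a host that walks through a DGA typically produces a burst of lookups for random-looking names, most of which return NXDOMAIN. The following is an added example, not code from the original post or from Trustwave; it runs a generic DGA heuristic (NXDOMAIN ratio plus mean label entropy) over constructed resolver log lines in an assumed "timestamp client qname rcode" format, and the thresholds are illustrative assumptions rather than values the post gives.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not from the original post): "timestamp client qname rcode".
# 10.0.0.5 plays a host cycling through generated names; 10.0.0.7 is ordinary traffic.
SAMPLE_DNS_LOG = """\
2016-09-12T09:00:01 10.0.0.5 qhx7kvmdpsk.com NXDOMAIN
2016-09-12T09:00:01 10.0.0.5 tzwqlrbnehajy.net NXDOMAIN
2016-09-12T09:00:02 10.0.0.5 mvkrpaqzqfl.biz NXDOMAIN
2016-09-12T09:00:02 10.0.0.5 ygrkwczlsdbq.info NXDOMAIN
2016-09-12T09:00:03 10.0.0.5 wpnxfhrzumq.org NXDOMAIN
2016-09-12T09:00:03 10.0.0.5 kdpzveqrlmsa.com NOERROR
2016-09-12T09:00:10 10.0.0.7 www.example.com NOERROR
2016-09-12T09:00:11 10.0.0.7 mail.example.org NOERROR
2016-09-12T09:00:12 10.0.0.7 update.vendor.example NXDOMAIN
"""


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label directly left of the TLD ('example' for www.example.com).
    A single-label name is returned unchanged."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyse_dns_log(log_text):
    """Per-client query count, NXDOMAIN count and entropy of each queried registrable label."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, qname, rcode = parts
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["entropies"].append(shannon_entropy(registrable_label(qname)))
    return stats


def flag_dga_clients(log_text, min_nxdomain=5, min_ratio=0.5, min_entropy=3.0):
    """Clients whose lookups look DGA-driven: many failures, mostly failures, random-looking names.
    Thresholds are illustrative assumptions; tune them against your own resolver's baseline."""
    flagged = []
    for client, s in analyse_dns_log(log_text).items():
        ratio = s["nxdomain"] / s["queries"]
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if s["nxdomain"] >= min_nxdomain and ratio >= min_ratio and mean_entropy >= min_entropy:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    print("suspected DGA clients:", flag_dga_clients(SAMPLE_DNS_LOG))
```

Entropy alone is a weak signal (CDN hostnames look random too), which is why the check also requires a high NXDOMAIN share: a legitimate client does not usually fail most of its lookups.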

[Figure: Example of Necurs C&C communication]

Once a bot has successfully connected with a control server, a signed payload reply is sent back to the infected machine which may contain either C&C domains or IP addresses, or an update block (component updates). The downloaded payload may also contain email templates and attachments to be used in new spam campaigns.

[Figure: Example spam message with an attached Word document containing a malicious macro]

Necurs – Spam Output

When Necurs decides to spam your domains, floods of emails follow. Over the past 12 months it has specialized in malware spam, although before that we also observed it sending non-malicious spam.

We track spam activity through our spam traps, and below we share some of the Necurs data that we have logged. The spam output from Necurs comes in large bursts: the botmasters unleash their spam campaigns, which typically run for short periods. The volume from Necurs hitting our traps sometimes exceeds 600,000 spams per hour. The other noteworthy thing is that these guys are professionals that don't like to work weekends, when there usually is a respite from the waves of spam.

[Figure: Hourly spam output from Necurs showing large bursts of spam but quiet weekends]

When Necurs is spamming in full flight, we see spam originating from some 200,000 to 400,000 unique IP addresses per day, indicating a large botnet, and it is likely we only see a partial picture.

[Figure: Necurs spam output, unique IP addresses per day]
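The two charts above come from aggregating spam-trap hits by hour and by distinct sending address. As an added example (not Trustwave's code or data), the following reproduces that aggregation over a few constructed trap log lines in an assumed "ISO-timestamp source-IP" format: messages per hour, hours whose volume passes a burst threshold, unique IPs per day as a rough lower bound on active bots, and the share of traffic landing on a weekend. The burst threshold is an illustrative assumption; against real trap data it would be derived from the baseline rather than fixed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed spam-trap log lines (not Trustwave's data): "ISO-timestamp source-IP".
# 2016-09-17 is a Saturday, standing in for the quiet-weekend pattern described above.
SAMPLE_TRAP_LOG = """\
2016-09-16T09:00:12 203.0.113.10
2016-09-16T09:05:44 203.0.113.11
2016-09-16T09:17:03 198.51.100.7
2016-09-16T09:41:59 203.0.113.10
2016-09-16T10:02:10 198.51.100.9
2016-09-17T11:30:00 203.0.113.12
2016-09-19T08:15:00 198.51.100.7
2016-09-19T08:16:00 198.51.100.7
2016-09-19T08:17:00 192.0.2.44
"""


def parse_trap_log(text):
    """Parse 'timestamp ip' lines into (datetime, ip) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            records.append((datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), parts[1]))
        except ValueError:
            continue  # unparseable timestamp: drop the line, keep going
    return records


def hourly_counts(records):
    """Messages per clock hour, keyed 'YYYY-MM-DDTHH' (the basis of an hourly volume chart)."""
    return Counter(ts.strftime("%Y-%m-%dT%H") for ts, _ in records)


def burst_hours(records, threshold):
    """Hours whose message count reaches the threshold (assumed fixed here for illustration)."""
    return sorted(hour for hour, n in hourly_counts(records).items() if n >= threshold)


def unique_ips_per_day(records):
    """Distinct sending IPs per day: a rough lower bound on the bots active that day."""
    per_day = defaultdict(set)
    for ts, ip in records:
        per_day[ts.strftime("%Y-%m-%d")].add(ip)
    return {day: len(ips) for day, ips in per_day.items()}


def weekend_share(records):
    """Fraction of messages arriving on Saturday or Sunday; 0.0 for an empty log."""
    if not records:
        return 0.0
    weekend = sum(1 for ts, _ in records if ts.weekday() >= 5)
    return weekend / len(records)


if __name__ == "__main__":
    recs = parse_trap_log(SAMPLE_TRAP_LOG)
    print("hourly:", dict(hourly_counts(recs)))
    print("burst hours:", burst_hours(recs, threshold=3))
    print("unique IPs per day:", unique_ips_per_day(recs))
    print("weekend share: %.2f" % weekend_share(recs))
```

Counting distinct IPs undercounts bots behind NAT or dynamic addressing and overcounts hosts whose address changes during the day, which is one reason the post treats the figure as a partial picture.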

Below are the top 10 source countries of Necurs spam, which indicates where Necurs-compromised computers are located. The top 10 countries account for 70% of the total Necurs spam output.

[Figure: Necurs spam by country of origin]

Interestingly, and this is consistent with what others have found, there is a distinct lack of spam traffic from Russia, suggesting little in the way of Necurs-compromised machines there.

[Figure: Distinct lack of Necurs spam originating from Russia]

So what sort of attachments has Necurs been spamming out? The chart below shows the top filename extensions. Universally, the malicious attachment comes packaged in a zip file. Over the last month, inside those zips we see .js (JavaScript) and .wsf (Windows Script File) attachments, as well as Word documents with macros; the 'bin' below represents the macro file extracted from the Word document. Recently we have also seen the use of .hta (HTML Application) files.

[Figure: Top email attachments from Necurs. The 'bin' represents extracted macro files from the Word docs]

Regardless of the type of attachment, it usually contains a small, typically heavily obfuscated script whose purpose is to download malware, which in turn can lead to more malware. The spam campaigns morph every day: different campaigns, different email templates, different attachments, different payloads. It's malicious Word documents and Dridex one day, and JavaScript attachments and ransomware such as Locky the next. We previously analyzed one such campaign involving Locky, which you can find here.

Here is another typical example, a JavaScript file with obfuscated code hidden inside a zip archive.

[Figure: Typical Necurs spam with an obfuscated .js attachment]

Countermeasures for the Email Gateway

The ideal place to block malware spam is at the email gateway, before it reaches the end user. The email gateway should be able to detect the vast bulk of Necurs-driven malicious spam. The output from Necurs is massive - it's not as though this traffic is going unnoticed. A multi-layered approach is key: IP reputation layers and anti-spam layers play a huge part, as do anti-malware detection layers.

However, the rapidly changing campaigns and payloads, and the enormous volume of emails sent, mean that some samples may sneak through standard anti-spam and anti-malware layers. We would recommend bolstering these defenses with strict policies for inbound email, which should be run after the other layers. Consider quarantining these file types, which the Necurs operation is particularly fond of:

  • .js, .jse
  • .vbs, .vbe
  • .wsf
  • .hta

Consider also quarantining inbound Word documents with macros. This is a significant and tricky step, as some legitimate Word documents do of course contain macros. Yet some organizations have taken this step and feel it is appropriate given the potential threat involved. Remember, this is a policy for inbound email from the internet, not for internal traffic. (Note for Trustwave customers - the Secure Email Gateway (SEG) has a macro detection module that can be enabled, see here - requires customer login.)
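The policy described above has two parts that a simple extension filter misses: the script file is wrapped in a zip, and a macro document has to be recognised by content rather than by name. The following is an added example, not Trustwave's code and not the SEG's macro module, showing how an inbound gateway rule could apply both checks with the Python standard library. It constructs its own test message (not a real Necurs sample) carrying a zip-wrapped .js file and a macro-bearing .docm; the finding names, size cap and nesting depth are illustrative assumptions. It handles OOXML documents only; legacy binary .doc files are OLE containers and would need an OLE parser.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the post recommends quarantining when they arrive from the internet.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# OOXML Office documents are zip containers; a vbaProject.bin member marks a macro project.
OFFICE_EXTENSIONS = {".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
MACRO_MEMBER = "vbaproject.bin"
MAX_MEMBER_BYTES = 5_000_000  # assumed cap: refuse to inflate larger archive members (zip-bomb guard)
MAX_DEPTH = 3                 # assumed limit on nested archives to descend into


def extension_of(filename):
    """Lower-cased final extension of a filename, or '' if it has none."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(filename, data, depth=0):
    """Return (reason, filename) findings for one attachment, descending into zip archives
    and looking inside Office containers for a macro project."""
    findings = []
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        findings.append(("blocked-script-extension", filename))
    if ext == ".zip" or ext in OFFICE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = info.filename
                    if ext != ".zip":
                        # Office container: detect macros by content, so a renamed .docx is caught too
                        if inner.lower().endswith(MACRO_MEMBER):
                            findings.append(("office-macro", filename))
                    elif info.file_size > MAX_MEMBER_BYTES:
                        findings.append(("oversized-member", inner))
                    elif depth < MAX_DEPTH:
                        findings.extend(inspect_attachment(inner, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append(("unreadable-archive", filename))
    return findings


def inbound_attachment_policy(raw_eml):
    """Apply the inbound policy to one raw message; returns ('quarantine' | 'deliver', findings)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings.extend(inspect_attachment(name, part.get_payload(decode=True) or b""))
    return ("quarantine" if findings else "deliver", findings)


def build_sample_message(malicious=True):
    """Construct a test message (not a real Necurs sample): a zip wrapping a .js file plus a
    macro-bearing .docm. With malicious=False only a plain text file is attached."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    if not malicious:
        msg.add_attachment("Plain text notes\n", filename="notes.txt")
        return msg.as_bytes()
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("invoice_84213.js", "// placeholder script body, constructed for the example\n")
    docm_buf = io.BytesIO()
    with zipfile.ZipFile(docm_buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00placeholder")  # marks a VBA project
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(docm_buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="report.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inbound_attachment_policy(build_sample_message()))
    print(inbound_attachment_policy(build_sample_message(malicious=False)))
```

Checking for the macro project by member name rather than trusting the .docm extension is deliberate: a macro-enabled document renamed to .docx still carries word/vbaProject.bin, and the size cap keeps a crafted archive from exhausting the gateway while it inflates members.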

Conclusion

Necurs is a large botnet responsible for hundreds of millions, if not billions, of malicious spam messages per day. It is a key way authors of malware such as Dridex and Locky distribute their creations to the masses. It is currently public enemy No. 1 when it comes to malicious spam distribution; currently nothing else comes close.

Further References on Necurs

https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/

http://www.malwaretech.com/2016/02/necursp2p-hybrid-peer-to-peer-necurs.html

https://www.malwaretech.com/2016/06/whats-happening-with-necurs-dridex-and.html

http://blog.anubisnetworks.com/blog/monitoring-necurs-the-tip-of-the-iceberg

https://www.johannesbader.ch/2015/02/the-dgas-of-necurs/

https://www.virusbulletin.com/virusbulletin/2014/04/curse-necurs-part-1
