Necurs - Background
The Necurs malware has been around since at least 2012, but it has only recently come to light as the culprit behind the recent waves of spam that distribute malware such as Dridex and Locky, among others. It hit the news back in June when it was suggested the botnet had been disrupted. No such luck, as it turns out. After a few days the operation was up and happily spamming away again.
Necurs employs a kernel-mode rootkit, which hides and protects its other components, including the spam module which is the part that distributes the malware-laden emails. The botnet has a sophisticated hybrid command and control model. Commands can be sent from a central control server to individual bots as usual, but Necurs also has peer-to-peer capability where individual bots can share lists of control server IP addresses with each other. In addition, Necurs uses domain generation algorithms to try and identify control servers. These features give the botnet added resiliency against efforts to disrupt it.
Necurs bot performing DNS queries based on domain generation routines
Example of Necurs C&C Communication
Once a bot has successfully connected with a control server, a signed payload reply is sent back to the infected machine which may contain either C&C domains or IP addresses, or an update block (component updates). The downloaded payload may also contain email templates and attachments to be used in new spam campaigns.
Example spam message with attached Word document with malicious macro.
Necurs – Spam Output
When Necurs decides to spam your domains, floods of emails follow. Over the past 12 months it has specialized in malware spam, although prior to that we observed it sending non-malicious spam as well.
We track spam activity through our spam traps, and below we share some of the Necurs data that we have logged. The spam output from Necurs is subject to large bursts – the botmasters unleash their spam campaigns which typically run for short periods. The volume from Necurs hitting our traps sometimes exceeds 600,000 spams per hour. The other noteworthy thing is that these guys are professionals that don't like to work weekends, when there usually is a respite from the waves of spam.
Hourly spam output from Necurs showing large bursts of spam but quiet weekends
When Necurs is spamming in full-flight, we see spam originating from some 200,000 to 400,000 unique IP addresses per day, indicating a large botnet – and it is likely we only see a partial picture.
Necurs spam output – unique IP addresses per day
Below are the top 10 source countries of Necurs spam – indicating Necurs-compromised computers. The top 10 countries account for 70% of the total Necurs spam output.
Necurs spam by Country of Origin
Interestingly, and this is consistent with what others have found, there is a distinct lack of spam traffic from Russia, suggesting little in the way of Necurs-compromised machines there.
Distinct lack of Necurs spam originating from Russia
Top email attachments from Necurs. The 'bin' entries represent macro files extracted from the Word documents
Typical Necurs spam with an obfuscated .js attachment
Countermeasures for the Email Gateway
The ideal place to block malware spam is at the email gateway, before it reaches the end user. The email gateway should be able to detect the vast bulk of Necurs-driven malicious spam. The output from Necurs is massive - it's not as though this traffic is going unnoticed. A multi-layered approach is key: IP reputation layers and anti-spam layers play a huge part, as do anti-malware detection layers.
However, the rapidly changing campaigns and payloads, and the enormous volume of emails sent, mean that some samples may sneak through standard anti-spam and anti-malware layers. We would recommend bolstering these defenses with strict policies for inbound email, which should be run after the other layers. Consider quarantining these file types, which the Necurs operation is particularly fond of:
- .js, .jse
- .vbs, .vbe
Consider also quarantining inbound Word documents with macros. This is a significant and tricky step, as some legit Word documents do of course contain macros. Yet, some organizations have taken this step and feel it is appropriate given the potential threat involved. Remember, this is a policy for inbound email from the internet, not for internal traffic. (Note for Trustwave customers - the Secure Email Gateway (SEG) has a macro detection module that can be enabled, see here - requires customer login).
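The inbound policy described above (quarantine script attachments by extension and Word documents carrying macros) as an added example in Python; this is not Trustwave's or the SEG's code. It checks every suffix of the filename so double extensions are caught, and detects macros in OOXML documents by looking for a vbaProject.bin entry; the sample messages are constructed for the test and are not real Necurs spam.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Script extensions the post lists as favourites of the Necurs campaigns.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe"}

def has_vba_macro(data: bytes) -> bool:
    """True if an OOXML Word document (.docx/.docm) contains a VBA project.
    Legacy binary .doc files are not parsed here; handle those by policy."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def quarantine_reasons(raw_message: bytes) -> List[str]:
    """Return the reasons an inbound message should be quarantined (empty = allow)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Examine every suffix so "invoice.doc.js" is caught, not only the last one.
        suffixes = {"." + s for s in filename.split(".")[1:]}
        if suffixes & SCRIPT_EXTENSIONS:
            reasons.append(f"script attachment: {filename}")
        if has_vba_macro(payload):
            reasons.append(f"Word document with macro: {filename}")
    return reasons

def build_sample(filename: str, data: bytes) -> bytes:
    """Constructed test message with a single attachment (hypothetical addresses)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.org"
    m["Subject"] = "Invoice"
    m.set_content("Please see attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def build_macro_docm() -> bytes:
    """Constructed minimal zip mimicking a macro-enabled document's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```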
Necurs is a large botnet responsible for hundreds of millions, if not billions of malicious spam per day. It is a key way authors of malware such as Dridex and Locky distribute their creations to the masses. It is currently public enemy No.1 when it comes to malicious spam distribution – currently nothing else comes close.