Today we want to dwell upon a pesky botnet that goes by the name of Necurs, and in particular its spamming activities. The botnet has been responsible for a massive amount of malware distributed via spam over the last 18 months. If you have recently encountered malicious emails with word documents containing macros, or JavaScript attachments, the odds are high that it was Necurs that spammed it out. What we wish to do here is to highlight our observations of Necurs to illustrate why it is such a menace.
The Necurs malware has been around since at least 2012, but it has only recently has come to light as the culprit behind the recent waves of spam which distribute malware that lead to malware such as Dridex and Locky, among others. It hit the news back in June when it was suggested the botnet had been disrupted. No such luck, as it turns out. After a few days the operation was up and happily spamming away again.
Necurs employs a kernel-mode rootkit, which hides and protects its other components, including the spam module which is the part that distributes the malware-laden emails. The botnet has a sophisticated hybrid command and control model. Commands can be sent from a central control server to individual bots as usual, but Necurs also has peer-to-peer capability where individual bots can share lists of control server IP addresses with each other. In addition, Necurs uses domain generation algorithms to try and identify control servers. These features give the botnet added resiliency against efforts to disrupt it.
Necurs bot performing DNS queries based on domain generation routines
Example of Necurs C&C Communication
Once a bot has successfully connected with a control server, a signed payload reply is sent back to the infected machine which may contain either C&C domains or IP addresses, or an update block (component updates). The downloaded payload may also contain email templates and attachments to be used in new spam campaigns.
Example spam message with attached Word document with malicious macro.
When Necurs decides to spam your domains, floods of emails follow. Over the past 12 months it has specialized in malware spam, although prior to that we observed it spamming non-malicious spam as well.
We track spam activity through our spam traps, and below we share some of the Necurs data that we have logged. The spam output from Necurs is subject to large bursts – the botmasters unleash their spam campaigns which typically run for short periods. The volume from Necurs hitting our traps sometimes exceeds 600,000 spams per hour. The other noteworthy thing is that these guys are professionals that don't like to work weekends, when there usually is a respite from the waves of spam.
Hourly spam output from Necurs showing large bursts of spam but quiet weekends
When Necurs is spamming in full-flight, we see spam originating from some 200,000 to 400,000 unique IP addresses per day, indicating a large botnet – and it is likely we only see a partial picture.
Necurs spam output – unique IP addresses per day
Below are the top 10 source countries of Necurs spam – indicating Necurs-compromised computers. The top 10 countries account for 70% of the total Necurs spam output.
Necurs spam by Country of Origin
Interestingly, and this is consistent with what others have found, there is a distinct lack of spam traffic from Russia, suggesting little in the way of Necurs-compromised machines there.
Distinct lack of Necurs spam originating from Russia
So what sort of attachments has Necurs been spamming out? The chart below shows the top filename extensions. Universally, the malicious attachment comes packaged in a zip file. Over the last month, inside those zips we see .js (JavaScript) and .wsf (Windows Script File) attachments, as well as Word documents with macros – the 'bin' below represents the macro file extracted from the Word document. Recently we have also seen the use of .hta (HTML application) files.
Top email attachments from Necurs. The 'bin' represents extracted macro files from the word docs
Regardless of the type of attachment, it usually contains a small, usually highly obfuscated script, the purpose of which is to download malware, which in turn can lead to more malware. The spam campaigns morph every day. Different campaigns, different email templates, different attachments, different payloads. It's malicious Word documents and Dridex one day, and JavaScript attachments and ransomware such as Locky the next. We previously analyzed one such campaign involving Locky which you can find here.
Here is another typical example, a JavaScript file with obfuscated code hidden inside a zip archive.
Typical Necurs spam with an obfuscated .js attachment
The ideal place to block malware spam is at the email gateway prior to it getting to the end-user. The email gateway should be able detect the vast bulk of Necurs-driven malicious spam. The output from Necurs is massive - it's not as though this traffic is going unnoticed. A multi-layered approach is key. IP reputation layers, and anti-spam layers play a huge part, as well as anti-malware detection layers.
However, the rapidly changing campaigns and payloads, and the enormous volume of emails sent, means that some samples may sneak through standard anti-spam and anti-malware layers. We would recommend bolstering these defenses with strict policies for inbound email, which should be run after the other layers. Consider quarantining these file types which the Necurs operation is particularly fond of:
Consider also quarantining inbound Word documents with macros. This is a significant and tricky step, as some legit Word documents do of course contain macros. Yet, some organizations have taken this step and feel it is appropriate given the potential threat involved. Remember, this is a policy for inbound email from the internet, not for internal traffic. (Note for Trustwave customers - the Secure Email Gateway (SEG) has a macro detection module that can be enabled, see here - requires customer login).
Necurs is a large botnet responsible for hundreds of millions, if not billions of malicious spam per day. It is a key way authors of malware such as Dridex and Locky distribute their creations to the masses. It is currently public enemy No.1 when it comes to malicious spam distribution – currently nothing else comes close.
https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/
http://www.malwaretech.com/2016/02/necursp2p-hybrid-peer-to-peer-necurs.html
https://www.malwaretech.com/2016/06/whats-happening-with-necurs-dridex-and.html
http://blog.anubisnetworks.com/blog/monitoring-necurs-the-tip-of-the-iceberg
https://www.johannesbader.ch/2015/02/the-dgas-of-necurs/
https://www.virusbulletin.com/virusbulletin/2014/04/curse-necurs-part-1
