The infamous Necurs
The multipurpose Necurs botnet has worn many faces. It was first introduced 7 years ago as an infector and rootkit, and it is now well known for having partnered with top cybercrime rings and for establishing itself as one of the leading spamming and infection forces in the malware scene. Its operations have scaled from a spam botnet delivering banking trojans and ransomware to a proxy service, with cryptomining and DDoS capabilities as well. Necurs changes tempo: it delivers commands to the infected hosts and then goes quiet to avoid detection. This technique is one of the many reasons Necurs has been able to grow to more than half a million bots around the world.
The infrastructure was unearthed at a bulletproof hosting provider, one of the havens for malware, cybercrime operations and child exploitation groups, located in the United States. The operators appear to believe this location gives the highest chance of success: port 80 connections used to download malware from local web servers are more likely to succeed inside organizations that block traffic to and from countries outside their typical network profile. The hosted malware comprises five families of banking trojans, including Dridex and IcedID, two families of ransomware, including GandCrab, and three information stealers. The threat actors planned to host each malware family and to play different roles, with some in charge of email and hosting and others in charge of malware operation.
How it was carried out
The attack was delivered through social engineering and weaponized VBA macros in the attached Word file, which triggered a concealed malware download. The execution is fairly simple compared to the complexity of the vectors behind the attack. We cannot deny that a link between the organized threat actors and the host operators was established, given that the time from compilation of a sample to its first observed hosting was less than 24 hours.
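The delivery vector above is a macro-enabled Word attachment. As an added example, not part of the original post, the following Python check flags an Office Open XML attachment that carries a VBA project (the `word/vbaProject.bin` part, whatever the file extension claims), the mail-gateway triage a defender can apply before such an attachment reaches a user; the sample documents are constructed in memory.

```python
import io
import zipfile

# Package parts that hold a VBA project inside an Office Open XML file.
# A document containing one of these is macro-enabled regardless of whether
# its extension says .docx or .docm.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def find_macro_parts(attachment: bytes):
    """Return the VBA project parts found in an OOXML attachment.

    An empty list means no VBA project is present. Input that is not a zip
    package (for example a legacy OLE .doc) is reported as None so the caller
    routes it to a different check instead of treating it as clean.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return None
    return [part for part in MACRO_PARTS if part in names]


def triage_attachment(attachment: bytes) -> str:
    """Classify an attachment for a mail-gateway policy decision."""
    parts = find_macro_parts(attachment)
    if parts is None:
        return "not-ooxml"
    return "macro-enabled" if parts else "no-macros"


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML package in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Only the presence of the part matters for this check, not its content.
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("macro", build_sample_docx(True))):
        print(label, triage_attachment(doc))
```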
The Necurs botnet and its kind carry powerful and diverse malware. However, they are no match for good browsing and computer hygiene practices, combined with a reliable and proven security defense mechanism and with keeping oneself acquainted with the newest threat campaigns as they emerge.