Necurs botnet packs new payloads to evade detection

• Necurs is believed to be using domain generation algorithms (DGA) to hide and avoid being taken down.
• The botnet’s latest campaigns include spear-phishing and espionage.

Notorious botnet Necurs is reportedly back again in the cyberspace with new capabilities. After a stretch of temporary inactivity, research by Black Lotus Labs discovered that the botnet’s latest campaign had new payloads to make itself invisible to detection by security tools.

Black Lotus Labs is the security arm of telecom company Century Link. In an article, the firm detailed how Necurs used DGA for its command and control server (C2) communications and shielded itself from being removed in the affected entity.

Worth noting

• Recent activity showed that the botnet was deploying information stealer programs and remote access trojans (RAT).
• The botnet is said to be modular i.e., there are different modules for spamming, for mining cryptocurrency as well as to perpetrate DDoS attacks.
• Spear-phishing, financial crimes, and espionage have seen an increase when the botnet’s activity is observed.
• In terms of architecture, Necurs employs a mix of C2, DGA, and peer-to-peer (P2P) communications.
• If C2 comms. fail, the botnet generates domains using DGA and communicates with other bots with P2P.

Detection evasion capabilities

“When the Necurs operators register a DGA domain to inform the bots of the new C2, the domain is not pointed to the real IP address of the new C2 host. Instead, the real IP address of the C2 is obfuscated with what is essentially an encryption algorithm. The bot will then “decrypt” the obfuscated IP address and contact the new C2.” read the article. When researchers of Black Lotus Labs tried to sinkhole these DGAs. It was due to the generation of new C2s by the botnet making it hard to detect real IPs.

Where are the targets - Necurs botnet was prominently present in five countries: India, Indonesia, Vietnam, Turkey and Iran. It was observed that one in five bots were seen in India. Furthermore, Necurs bots were said to be originating from Russia.