The notorious Necurs botnet is reportedly back in cyberspace with new capabilities. After a stretch of temporary inactivity, research by Black Lotus Labs found that the botnet's latest campaign carried new payloads designed to evade detection by security tools.
Black Lotus Labs is the security arm of the telecom company CenturyLink. In an article, the firm detailed how Necurs used a domain generation algorithm (DGA) for its command and control (C2) communications and shielded itself from removal from the infected hosts.
Detection evasion capabilities
"When the Necurs operators register a DGA domain to inform the bots of the new C2, the domain is not pointed to the real IP address of the new C2 host. Instead, the real IP address of the C2 is obfuscated with what is essentially an encryption algorithm. The bot will then 'decrypt' the obfuscated IP address and contact the new C2," the article reads. When Black Lotus Labs researchers tried to sinkhole these DGA domains, the botnet's continual generation of new C2s made the real IP addresses hard to identify.
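The two defender-side consequences of that design, as an added illustration that is not code from the article or from Black Lotus Labs: first, a passive-DNS heuristic that flags DGA-looking names whose A record falls in address space no real host can live in (a hint that the record carries an encoded value rather than an address); second, why simply registering a DGA domain and pointing it at a sinkhole fails, because the bot still applies its decode step to whatever address it receives. The sample records, the entropy and vowel thresholds, and the XOR transform standing in for the bot's "decryption" are all assumptions made up for this example; the real Necurs algorithm is not described on the page.

```python
import ipaddress
import math
from collections import Counter

# Constructed passive-DNS style records (domain, A-record answer). Names and
# addresses are made up for this example; they are not Necurs indicators.
SAMPLE_RECORDS = [
    ("www.example.com", "93.184.216.34"),
    ("qxvbtrkwnpzdlg.tj", "240.12.77.3"),        # high-entropy label -> reserved 240/4
    ("mail.example.net", "151.101.1.69"),
    ("hzmqpcvrtxbnkf.bit", "127.45.2.9"),        # high-entropy label -> loopback 127/8
    ("cdn.updates.example.org", "104.16.2.3"),
    ("plgnvxtrzkqmbw.com", "185.199.108.153"),   # DGA-looking, but routable answer
    ("wrtkqpzvnbxmdc.net", "0.88.19.200"),       # high-entropy label -> 0/8
]

# Address blocks that can never be a real, reachable C2 host.
RESERVED_BLOCKS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of a label."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(domain: str) -> bool:
    """Cheap heuristic for algorithmically generated names: a long, high-entropy,
    vowel-poor first label. Thresholds are illustrative, not tuned on real data."""
    label = domain.split(".")[0].lower()
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.3 and vowel_ratio < 0.25


def in_reserved_space(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in RESERVED_BLOCKS)


def flag_suspicious(records):
    """Return domains whose DGA-looking name resolves into reserved space. The
    combination suggests the A record carries an encoded value rather than a
    real host address (an assumption about how encoded IPs tend to look)."""
    return [dom for dom, ip in records if looks_dga(dom) and in_reserved_space(ip)]


# Hypothetical stand-in for the bot-side 'decryption': XOR each octet with a fixed
# key. This is NOT Necurs's real algorithm; it only reproduces the property the
# article describes (the published A record is not the address the bot contacts).
TOY_KEY = bytes.fromhex("5a1c93e7")


def toy_decode_ip(published: str) -> str:
    raw = ipaddress.IPv4Address(published).packed
    return str(ipaddress.IPv4Address(bytes(a ^ b for a, b in zip(raw, TOY_KEY))))


def naive_sinkhole_outcome(sinkhole_ip: str) -> str:
    """Register the DGA domain and point it straight at the sinkhole: bots still
    run the decode step, so they connect to some other address nobody controls."""
    return toy_decode_ip(sinkhole_ip)


def encode_for_sinkhole(sinkhole_ip: str) -> str:
    """Value the A record must carry so that bots decode to the sinkhole. This needs
    the recovered algorithm; with XOR, encoding and decoding are the same step."""
    return toy_decode_ip(sinkhole_ip)


if __name__ == "__main__":
    print("flagged:", flag_suspicious(SAMPLE_RECORDS))
    print("naive sinkhole 198.51.100.7 sends bots to", naive_sinkhole_outcome("198.51.100.7"))
    print("publish", encode_for_sinkhole("198.51.100.7"), "so bots decode to the sinkhole")
```

The practical point of the second half is that sinkholing such a botnet is only possible after the decode routine has been recovered from the bot itself; until then, every registered DGA domain just redirects bots to an arbitrary address, which matches the difficulty the researchers reported.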
Where are the targets - The Necurs botnet was most prominent in five countries: India, Indonesia, Vietnam, Turkey and Iran. One in five bots was observed in India. Furthermore, the Necurs bots were said to originate from Russia.