Even after six years in the wild, the team behind the Necurs is finding new uses for its malware botnet.
Trend Micro researchers Anita Hsieh, Rubio Wu, Kawabata Kohei noted a couple of new modules being inserted into Necurs, on pushing the XMRig cryptocurrency miner and the infostealers FlawedAmmyy RAT, AZORult, and a .NET module. These have replaced the spamming and proxy modules that Necurs was pushing out in 2017.
XMRig first appeared in March when it was shown to be able to mine Monero at the rate of about $1,200 per day, at least in one wallet studied by Trend Micro.
In April Necurs moved on to spread the remote access trojan FlawedAmmyy with its bots. This malware is derived from the legitimate remote desktop tool Ammyy Admin and so has similar abilities once ensconced on a computer. Primarily, the ability to remote desktop control, file system management, proxy support and audio chat capabilities.
May saw Necurs move on to email extraction through modules that would attack Outlook accounts searching for that application’s file containing email strings in the filenames and send those strings back to a website. A few days after this took place botnets carrying specially crafted versions of FlawedAmmyy RAT into checked using a keyword search if the previously gathered emails addresses contained any emails the threat actors wanted and then dropped the RAT on these.
A keyword cloud based on the threat actors search found them focusing on governments, financial institutions, tourism and food industries and real estate companies.
And starting in June Trend noticed the .NET spamming module being spread that is capable of stealing emails and credentials. Other features include sending spam while logged in to stolen email accounts and access a victim’s contact list stored in email clients and the email addresses with which a victim has previously corresponded. By using a method using the malicious actors are able to use legitimate, whitelisted accounts thus avoiding IP blocking security systems.