The Necurs botnet had been inactive until recently.

The Necurs botnet is on the rise again, this time sporting a downloader that screengrabs the desktops of infected systems.

“It can take screen grabs and send them back to a remote server,” according to a blog post penned by Symantec researchers. “There's also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.”

Working in conjunction with a new error-reporting capability, the screen grab functionality indicates that “Necurs attackers are actively trying to gather operational intelligence (OPINTEL) about the performance of their campaigns,” the researchers said. “Much like crash reports in OSes can help software companies fix issues and build better products, these error reports can help attackers spot problems in the field and address them to improve success rates.”

It's also further evidence of “how cybersecurity has become a sophisticated, no-rules ‘marketplace’ for the adversary,” said Balbix founder and CEO Gaurav Banga. “For cyber-defenders, this highlights the need to observe and analyze information and data about their users, assets and applications, better and faster than the adversary.”