An evolved variant of Necurs botnet malware is using .url files -- known as internet shortcuts -- as part of its infection chain in order to bypass conventional detection methods.
While previous versions of Necurs would send out malspam with .zip attachments containing malware downloaders, this newly discovered variant instead sends malspam emails with an internet shortcut to a downloader script. This script is executed remotely via the Server Message Block (SMB) protocol, possible as a means to evade spam filters, according to an Apr. 26 blog post from Trend Micro.
This script next produces Quant Loader, a secondary downloader that security researchers from Barracuda recently observed being used in a number of recent spam campaigns involving zipped Microsoft internet shortcut files with a .url file extension. Quant Loader then downloads the final payload.
"The use of Quant Loader may be twofold," states the Trend Micro blog post. "First, it adds another download stage before it downloads the final payload, possibly to mix things up and evade behavioral detections. Secondly, Quant Loader is persistent in nature -- it drops a copy of itself and creates an autorun registry so that it executes at startup."
Trend Micro further reports that the attackers behind the campaign are also taking advantage of the ability to change the internet shortcuts' clickable icons, altering them so that potential victims are tricked into thinking they received an ordinary folder with a file type that wouldn't normally arouse suspicions. In one spam sample, the attackers disguised a URL file as the ZIP file of a voicemail message.