New Necurs variant uses internet shortcuts, Quant Loader to deliver payloads

An evolved variant of Necurs botnet malware is using .url files -- known as internet shortcuts -- as part of its infection chain in order to bypass conventional detection methods.

While previous versions of Necurs would send out malspam with .zip attachments containing malware downloaders, this newly discovered variant instead sends malspam emails with an internet shortcut to a downloader script. This script is executed remotely via the Server Message Block (SMB) protocol, possibly as a means to evade spam filters, according to an Apr. 26 blog post from Trend Micro.

This script next produces Quant Loader, a secondary downloader that security researchers from Barracuda recently observed in a number of spam campaigns involving zipped Microsoft internet shortcut files with a .url file extension. Quant Loader then downloads the final payload.

"The use of Quant Loader may be twofold," states the Trend Micro blog post. "First, it adds another download stage before it downloads the final payload, possibly to mix things up and evade behavioral detections. Secondly, Quant Loader is persistent in nature -- it drops a copy of itself and creates an autorun registry so that it executes at startup."

Trend Micro further reports that the attackers behind the campaign are also taking advantage of the ability to change the internet shortcuts' clickable icons, altering them so that potential victims are tricked into thinking they received an ordinary folder with a file type that wouldn't normally arouse suspicions. In one spam sample, the attackers disguised a URL file as the ZIP file of a voicemail message.
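As an added illustration (not code from Trend Micro, Barracuda or this article), the following Python check parses the contents of a .url file, which is a small INI file with an `[InternetShortcut]` section, and flags the two traits described above: a target on a remote file share rather than a web page, and a custom icon. The extension list, the sample shortcuts and the function names are assumptions made for the example.

```python
import configparser
from pathlib import PurePosixPath

# Assumption: script extensions worth flagging; the article does not list any.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}

def remote_file_target(url):
    """Return (host, path) when url is a file:// URL or UNC path naming a remote host."""
    t = url.strip().replace("\\", "/")
    if t.lower().startswith("file:"):
        t = t[5:]
    elif not t.startswith("//"):
        return None                      # http(s) and other schemes are not file shares
    slashes = len(t) - len(t.lstrip("/"))
    if slashes < 2 or slashes == 3:      # file:///C:/... (three slashes) is a local path
        return None
    host, _, path = t.lstrip("/").partition("/")
    if not host or host.lower() == "localhost":
        return None
    return host, path

def inspect_shortcut(text):
    """Return a list of findings for the contents of one .url file."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return ["unparseable shortcut"]
    sec = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if sec is None:
        return ["no [InternetShortcut] section"]
    findings = []
    remote = remote_file_target(cp.get(sec, "url", fallback=""))
    if remote:
        host, path = remote
        findings.append(f"URL targets remote file share host {host}")
        if PurePosixPath(path).suffix.lower() in SCRIPT_EXTS:
            findings.append("remote target is a script")
    if cp.get(sec, "iconfile", fallback="").strip():
        findings.append("custom icon set (IconFile)")
    return findings

# Constructed samples; the host name and file name are placeholders.
SAMPLE = """[InternetShortcut]
URL=file://files.example.invalid/share/invoice.wsf
IconFile=C:\\Windows\\system32\\shell32.dll
IconIndex=3
"""
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"

if __name__ == "__main__":
    print(inspect_shortcut(SAMPLE))
```

A custom icon alone is common in legitimate shortcuts, so it is most useful as a supporting signal alongside the remote file-share target.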

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.