Necurs back with a vengeance - now gathering victims' data to improve success rates

The new strain takes screengrabs and reports errors back to malware authors

Malware constantly evolves as criminals find new ways around cyber defences; one of the reasons that the industry continues to move away from signature-based systems and towards an AI model. Some of those changes are more interesting than others, and a recent update to Necurs - highlighted by Symantec - is one of those.

The Necurs botnet - computers infected by malware of the same name, which acts as a downloader for other strains - has recently started firing off a new wave of emails spreading a variant of the Locky or Trickbot ransomware.]

So far, so standard. What's interesting is that the downloader has been weaponised.

Downloaders are often ignored in ransomware attacks; they simply carry the ‘real' payload and then disappear. The Necurs downloader, though, now contains functionality to gather telemetry from victims.

The first new addition is a Powershell script that takes a screenshot from the infected user's PC and then executes a command to send that image to a remote server.

Second is an in-built error reporting function, which scans the downloader for problems, records them and sends that information back to the malware authors. This suggests that the attackers are trying to gather operational intelligence about their campaigns, in order to improve success rates.

Necurs made a reappearance on the malware scene in March this year, and activity levels have been increasing since then. Symantec says, ‘With our data showing a resurgence in activity, and the apparent efforts to collect operational intelligence, we can expect to see continued evolution of the capabilities and a steady increase in Necurs activity levels in the coming months.'

Symantec telemetry shows Necurs emails with script attachments have grown fourfold since June