Necurs: Uncovering the Sophisticated Botnet

Reading Time: 6 Minutes

Introduction

Necurs is a well-known botnet that has been active in the cybersecurity landscape for a significant period. This botnet has demonstrated complexity and sophistication, continuously adapting to evade detection and causing significant harm to unsuspecting victims.

Necurs possesses the capability to distribute various types of malware, such as ransomware, banking trojans, and spam. Its attacks have had severe consequences, impacting numerous individuals/organizations worldwide, and resulting in substantial financial damages.

The botnet has consistently evolved and adjusted its strategies, making it challenging to track and disrupt its operations. Recent indications imply a period of inactivity, leading to speculation regarding potential permanent takedowns.

Within this article, we aim to provide an in-depth exploration of Necurs’ history, capabilities, and the adverse effects it inflicts upon its victims. Additionally, we will examine recent developments concerning this botnet, including mitigation efforts and the potential for its resurgence. Our analysis seeks to shed light on the ever-changing and intricate realm of cybersecurity, emphasizing the challenges in safeguarding against threats like Necurs.

Brief History of Necurs Botnet

Bitsight historical Necurs sinkhole events

Overall, the history of Necurs is one of resilience and adaptability. Despite facing significant opposition, the botnet has continued to evolve and operate, causing significant damage to individuals and organizations alike.

It was first discovered by cybersecurity researchers in 2012 and it was identified as a highly sophisticated botnet capable of performing a range of malicious activities, including distributing malware and sending out spam emails. Over the following years, Necurs began to evolve and adapt, with the botnet operators adding new features and capabilities to avoid detection and continue to operate.

In 2015-2016, Necurs became one of the most prolific distributors of ransomware, with the botnet responsible for distributing the Locky, Dridex, and Cerber ransomware families to victims around the world. This led to widespread damage and financial loss for individuals and organizations affected by the attacks.

In response to the threat posed by Necurs, the US Department of Justice launched an international operation in 2017 to take down the botnet. The operation was successful in seizing infrastructure and arresting suspects believed to be involved in its operation. However, the botnet continued to operate and adapt, with new versions and updates being released.

In 2018, eight individuals believed to be responsible for operating Necurs were indicted by the US Department of Justice. Despite this, the botnet continued to operate and cause damage. In 2019, Necurs went dormant for several months, leading some to believe that it may have been permanently taken down. However, in 2020, researchers observed new versions of the botnet’s malware being distributed to victims, indicating that it may still be active.

Technical Analysis

Dashboard with Necurs SPAM mail and Locky dropper/payload intelligence - uperesia.com

Establishing a Connection to Command-and-Control Server

The initial step of the Necurs infection process involves establishing a connection to its Command and Control (C2) server. The malware retrieves the IP address of the C2 server through various methods. It may contain embedded domains or raw IP addresses in encrypted form within its program resources. In case the initial connection attempt fails, Necurs employs a domain generation algorithm (DGA) to generate up to 2048 pseudorandom domain names. These names are based on the current date and a seed value hardcoded in encrypted resources. Multiple threads are used to test the generated domains until a responsive server is found. If all previous methods fail, the C2 domain is retrieved from the Peer-to-Peer (P2P) network, utilizing a hardcoded initial list of approximately 2000 peers in the form of IP and port pairs.

Example of Necurs C&C Communication - trustwave.com

Resource Download and Command Execution from C2 Server

Once a successful connection to the C2 server is established, Necurs proceeds to download a list of resources using a custom protocol over HTTP. Each resource is identified by a constant 64-bit number, which likely corresponds to a hash of a sensible name used in the malware’s source code. The received information from the C2 server includes various data such as a new P2P neighborhood (containing IP and port pairs), a list of new C2 domains, sleep commands (typically set to around twenty minutes), or requests to download and execute a Dynamic Link Library (DLL) module. Notably, every received request contains a sleep request, likely implemented to reduce the server’s load.

It was determined that the actual mail-sending routine resides in one of the dropped DLLs.

Payload

JSON:

%var boundary = b1_{{lowercase(rndhex(32,32))}}
%%var company = {{[subj]}}
%%var aname = {{lowercase(rndhex(10,12))}}
%%var f_sname = {{[eng_Surnames]}}
%%var f_name = {{[eng_Names]}}
%%var f_sname2 = {{[eng_Surnames]}}
%%var f_name2 = {{[eng_Names]}}
%%var fromname = {{f_name}} {{f_sname}}
%%var fromdomain = {{spf_host([domains_neutral])}}
%%var fromaddr = {{f_sname}}.{{rndnum(2,5)}}@{{fromdomain}}
To: “{{to_name}}” <{{to_addr}}>
Subject: bank transactions
Date: {{date}}
From: “{{fromname}}” <{{fromaddr}}>
Message-ID: <{{lowercase(rndhex(32,32))}}@{{to_host}}>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/related;
type=”text/html”;
boundary=”{{boundary}}”

–{{boundary}}
Content-Type: text/plain; charset=”utf-8″
Content-Transfer-Encoding: 8bit

Good morning {{to_name}}.

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.

Yours truly,
{{fromname}}

–{{boundary}}
Content-Type: {{rnd(‘application/x-compressed’,’application/x-zip-compressed’,’application/zip’)}}; name=”{{aname}}.zip”
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=”{{aname}}.zip”
{{rnd([file.doc],[file1.doc],[file2.doc])}}
–{{boundary}}–

JSON payload, email template - akrasuski1

The payload transmitted by Necurs to send spam emails is formatted as JSON. The keys used in the JSON data are obfuscated, making it challenging to determine their meaning based solely on their names. The content of the emails is generated using a scripting language that allows for randomization, while the script language supports local variables declared with the %%var directive and utilizes predefined functions such as randnum. Additionally, the script includes references to external data, such as [file.doc], which are downloaded in separate requests. Upon inspection, it was discovered that these attachments, despite being named as file.doc, are actually ZIP archives containing a single JavaScript (JS) file. When executed, this JS file downloads and executes Zepto, a variant of the Locky ransomware.

Necurs Technical Details

Anti-Analysis Techniques

Necurs incorporates several anti-analysis techniques to evade detection and hinder analysis efforts. One such technique involves attempting random Command and Control (C2) connections to addresses provided as function arguments or their hashes. Additionally, Necurs employs virtualization detection mechanisms, such as checking for specific instructions like “vmcpuid” or “in al.” It also utilizes encryption to obfuscate communication with peers and the C2 infrastructure.

Resources

The botnet’s binary contains hidden constants stored in a separate section called “.reloc.” These constants are used for decryption purposes. The section following these constants, starting at offset 0x18, contains encrypted binary resources. Each resource is represented by a concatenated structure with the following format:

struct resource {

uint32_t size;  // Shifted left by 8.

uint64_t id;

uint8_t data[];

};

Resource example - akrasuski1

The size field is shifted left by 8, and the last field size is determined by size>>8.
These resources consist of important information such as initial peer or C2 communication keys and initial peer neighborhood lists, each identified by a unique identifier.

P2P Communication

Necurs utilizes a peer-to-peer (P2P) communication mechanism over the UDP protocol. The outermost layer of the communication is encapsulated in a structure called outer_layer:

struct outer_layer {

uint32_t key;

uint32_t checksum;

uint8_t data[];

};

Outer_layer - akrasuski1 

The wrapped data within this structure are encrypted using a key derived from the sum of the key field and the first 32 bits of the public key from the resources file. The encryption algorithm involves XOR operations and a linear congruential generator (LCG) algorithm.

C2 Communication

The communication protocol used by the C2 infrastructure of Necurs is similar to the P2P protocol but with some differences. The C2 communication is performed over HTTP using POST payloads. The initial stage, represented by the outer_layer structure, remains the same, but the encryption routines and structures differ. The decrypted data follow the structure defined by cc_structure.

struct cc_structure{

uint64_t random_data;

uint64_t botID;

uint64_t millis_since_1900;

uint8_t command; // 0 - get command, 1 - download file, 2 - ping.

uint8_t flags; // 1 - RSA sign, 2 - compress, 4 - timePrecision

uint8_t payload[];

};

cc_structure - akrasuski1

The payload field in cc_structure depends on the command type:

• For file download requests, the payload contains the SHA-1 hash of the requested file.
• In periodic command requests, the payload consists of a list of resources with different formats based on the resource type.

These resources provide various information such as DGA seed, malware start timestamps, OS version, IP address, and other relevant details.

Command and control (C2) complexity is achieved through layered C2 infrastructure using proxies to hide core infrastructure. First-tier C2 consists of cheap VPS in Russia, Ukraine, etc., which reverse proxy communications to second-tier C2 hosted in Europe or Russia before reaching the backend.

Necurs C2 flow between tier-1 and tier-2 - bitsight

Spam C2 Communication

The downloaded DLL module of Necurs is responsible for sending spam emails. The communication of this module is wrapped in a structure called spam_wrap, which is sent as POST data over HTTP. The structure includes the encrypted data, a CRC32 checksum, and a key.

The encryption algorithm used involves XOR operations and a rolling key. After decryption, the data is received as a JSON string, which may be compressed using the QuickLZ library.

In conclusion, the Necurs botnet employs sophisticated techniques to evade analysis and facilitate its malicious activities. By utilizing anti-analysis measures, P2P and C2 communication protocols, and encryption mechanisms, Necurs ensures stealthy operation and effective distribution of spam emails.

Takedown Operation

Geographic distribution of Necurs infections in the first seven days of March 2020. - Bitsight

The Necurs botnet was taken down through a coordinated effort led by Microsoft in early 2020. The takedown began after Microsoft and its industry partners successfully broke the Necurs DGA (domain generation algorithm), which is responsible for generating random domain names used by the botnet’s command-and-control servers.

By accurately predicting over 6 million unique domains that would be created in the future, Microsoft and its partners created a comprehensive list of these domains, effectively blocking and preventing the Necurs team from registering them. Additionally, Microsoft’s legal team obtained a court order granting control over existing Necurs domains hosted in the US.

This collaborative effort involved cybersecurity firms, internet service providers, domain registries, government CERTs, and law enforcement agencies across 35 countries. With control over the Necurs infrastructure, Microsoft and its partners sinkholed the botnet, gaining insight into the infected computers located worldwide.

As the final step of the takedown, Microsoft worked closely with ISPs and CERT teams to notify users who had been infected by the Necurs botnet. This proactive approach aimed to inform and empower affected individuals, enabling them to take immediate action and remove the malware from their computers. By collaborating with key stakeholders.

The creators of the Dridex banking trojan, known as Evil Corp and charged by US authorities, were believed to manage the Necurs botnet. However, Necurs also rented its services to various criminal groups, distributing a wide range of malware strains, including ransomware, remote access trojans, and information-stealing trojans.

Impact on Victims

The Necurs botnet was active for several years before it was disrupted by a coordinated effort of international law enforcement agencies and cybersecurity firms in March 2020. During its active period, Necurs infected millions of computers worldwide and caused significant financial losses to its victims.

According to cybersecurity firm Symantec, Necurs was responsible for distributing around 6 million spam emails per day at its peak in 2016. These emails contained malicious attachments or links to websites that would infect victims’ computers with malware, such as the banking Trojan TrickBot or the ransomware Locky.

Victims of Necurs also suffered financial losses from ransomware attacks. Researchers estimated that the botnet was responsible for distributing Locky ransomware to over 1 million victims, generating at least $7 million in ransom payments.

In addition to financial losses, Necurs also stole personal and sensitive data from its victims. In one case, the botnet was responsible for the theft of login credentials for over 1.2 million email accounts. The stolen data was then used for further criminal activities, such as phishing and identity theft.

Overall, the impact of Necurs on its victims was significant. A report by the Cyber Threat Alliance estimated that the botnet was responsible for over $10 million in damages per year. Victims ranged from small businesses to large corporations and government agencies, and the botnet’s reach extended to over 180 countries. The disruption of Necurs in 2020 was a major victory for the cybersecurity community in the ongoing fight against global cybercrime.

Lessons Learned

Mitigating spam emails and botnets like Necurs requires a comprehensive approach focused on the email gateway, where the bulk of these malicious messages can be intercepted before reaching end-users. Implementing a multi-layered defense strategy is essential in detecting and blocking such threats effectively.

To start, IP reputation layers and anti-spam measures should be in place to identify and filter out a significant portion of Necurs-generated spam. These layers utilize reputation databases and advanced algorithms to flag and block suspicious email sources. Additionally, anti-malware detection layers play a vital role in detecting and preventing malware payloads associated with botnets like Necurs.

However, due to the constantly evolving nature of spam campaigns and the sheer volume of emails being sent, it’s possible for some samples to bypass standard anti-spam and anti-malware measures. Therefore, it is recommended to reinforce the defense system with strict policies for inbound email, deployed after the initial layers of protection. These policies can include quarantining specific file types that are frequently utilized by the botnet operations, such as .js, .jse, .vbs, .vbe, .wsf, and .hta.

Organizations may also consider quarantining Word documents with macros, although this step requires careful consideration as legitimate documents may contain macros. It is important to apply these policies specifically to inbound emails from the internet and not internal traffic.

By implementing these countermeasures at the email gateway level, organizations can significantly reduce the risk posed by spam emails and botnets like Necurs, safeguarding their network and end-users from potential threats.

Collaboration among cybersecurity firms, internet service providers, domain registries, government CERTs, and law enforcement agencies is essential to disrupt and take down botnets effectively. The takedown operation of Necurs in 2020 demonstrated the importance of international cooperation and the successful use of legal actions and sinkholing techniques.

Overall, protecting against botnets like Necurs requires a proactive and multi-layered approach that combines technological defenses, user education, and collaborative efforts among various stakeholders in the cybersecurity community. By implementing these recommendations, organizations, and individuals can enhance their resilience against future botnet threats.

We hope that this article has taught you something new. If you enjoyed it, the best way that you can support us is to share it! If you’d like to hear more about us, you can find us on LinkedIn, Twitter, YouTube.

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to Information Security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]