Contributors: Eduardo Altares, Wei Wang Dai, and Mingwei Zhang
Recently we have seen a resurgence of emails sent by the Necurs botnet. The latest blast of emails is spreading a new variant of the Locky ransomware (Ransom.Locky) or Trickybot (Trojan.Trickybot). What’s interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims. It can take screen grabs and send them back to a remote server. There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.
Beware of strangers offering fake invoices
The new emails use a tried-and-tested invoice-based social engineering format, and generally contain the following details:
Subject: Status of invoice [FAKE INVOICE NUMBER]
Attachment: [FAKE INVOICE NUMBER].html
The body of the email contains a message urging the reader to open the attachment to check the invoice.
Standard precautions apply here; when strangers offer you unsolicited invoices or deliveries via email, the safest course of action is to simply trash the email.
Figure 1. Typical invoice email sent by Necurs botnet
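As an added example that is not part of the Symantec write-up, the following Python check flags a message that shows the lure format described above: the "Status of invoice" subject together with an .html attachment named after the same invoice number. The sample message is constructed for the example, not a real capture, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Subject format described in the post: "Status of invoice [FAKE INVOICE NUMBER]"
SUBJECT_RE = re.compile(r"^\s*Status of invoice\s+(?P<num>[\w-]+)\s*$", re.IGNORECASE)

def invoice_lure_indicators(raw: str) -> dict:
    """Report which lure traits a raw RFC 822 message shows: subject, .html attachment, reused number."""
    msg = message_from_string(raw)
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    invoice_num = m.group("num") if m else None
    # Collect the names of all parts that are .html attachments
    html_names = [
        (part.get_filename() or "")
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
        and (part.get_filename() or "").lower().endswith(".html")
    ]
    # The campaign names the attachment after the invoice number in the subject
    reused = invoice_num is not None and any(
        n.lower() == f"{invoice_num}.html".lower() for n in html_names
    )
    return {
        "invoice_subject": invoice_num is not None,
        "html_attachment": bool(html_names),
        "name_matches_subject": reused,
    }

def is_necurs_invoice_lure(raw: str) -> bool:
    """Flag only when subject and reused .html name both match, so a plain invoice reply is not quarantined."""
    ind = invoice_lure_indicators(raw)
    return ind["invoice_subject"] and ind["name_matches_subject"]

# Constructed sample message (not a real capture); the attachment body is a placeholder.
SAMPLE_LURE = """\
From: accounts@example.invalid
To: someone@example.invalid
Subject: Status of invoice INV-48213
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached file to check the status of your invoice.
--b1
Content-Type: text/html; name="INV-48213.html"
Content-Disposition: attachment; filename="INV-48213.html"

<html><body>placeholder</body></html>
--b1--
"""
```

Run `invoice_lure_indicators(SAMPLE_LURE)` to see all three traits reported; a reply that only carries the subject line is left alone by `is_necurs_invoice_lure`.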
Attackers need operational intelligence too
Besides the standard download and execute final payload functionality, the downloader also runs a PowerShell script that takes a screen grab and saves it to a file named generalpd.jpg.
It then waits a few seconds for the save operation to complete before issuing a command that uploads the saved .jpg to a remote server.
Figure 2. PowerShell script that captures a screenshot and then uploads it
This functionality is interesting because downloaders tend to just deliver a payload and then disappear as quickly as possible. When you consider the screen grab functionality together with the new error-reporting capability, it suggests that the Necurs attackers are actively trying to gather operational intelligence (OPINTEL) about the performance of their campaigns. Much like crash reports in OSes can help software companies fix issues and build better products, these error reports can help attackers spot problems in the field and address them to improve success rates. After all, you can’t count on the victims to report back errors and issues!
Necurs: back with a vengeance
Necurs went through a long spell of silence from the end of 2016 into early 2017. It burst back onto the scene around March and has been cranking up its activity levels since then, with recent months seeing the most action so far in 2017.
Figure 3. Symantec telemetry shows Necurs emails with script attachments have grown fourfold since June
With our data showing a resurgence in activity, and the apparent efforts to collect operational intelligence, we can expect to see continued evolution of the capabilities and a steady increase in Necurs activity levels in the coming months.
Whatever the attackers choose to do, our analysts will be keeping a close eye on developments as the campaigns continue to evolve.
Symantec recommends users follow these best practices to stay protected from ransomware and other threats:
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
- Always keep your security software up to date to protect yourself against any new variants of malware.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
Symantec and Norton products protect against these attacks with the following detections:
Intrusion prevention system