Robert Conley

Necurs Delivers

Blog Post created by Robert Conley Employee on Jul 13, 2017

The shotgun effect

Botnets are the shotgun within a cybercriminal's arsenal.  They provide an amplified delivery mechanism for malware and other threats.  Deployment varies, but they are typically installed on an unsuspecting victim's system through the use of an exploit kit (EK).  They compromise a known system vulnerability to allow unauthorized access.  After taking control of a large group of systems, commonly referred to as zombies, a ‘botmaster’ will use them to conduct nefarious activities, like sending spam.

 

Some botnets are reported to have over one million zombies.  That’s a lot of spam blasted across the internet, and perhaps what Necurs is best known for.

 

This article will discuss the Necurs botnet, its architecture, highlight recent, notable payloads, and identify how RSA NetWitness products can identify it.

 

 

Necurs

Necurs is one of the largest botnets, some claim it's the largest.  Reports have it containing upwards of six million endpoints [1]. It was identified in 2012 and remains active on the threat landscape.  Its activity has seen periodic ebbs, but Blackhats continue using it.  With regards to payloads, Necurs has been responsible for delivering many high profile malware campaigns including Dridex, Locky, and Jaff.  It has also been used to transmit a slew of other spam and phishing attacks.  Security researchers recently observed that a new module was added to carry out distributed denial of service (DDoS) attacks [2].

 

Necurs is a highly resilient piece of malware.  Its strength and longevity can be attributed to many factors including a kernel-mode rootkit [8], modularity, anti-AV features, and domain generation algorithms [8].  Additionally, it contains a hybrid network architecture which leverages two different Command and Control (C2) models.

 

The first model uses centralized C2 servers and a flat hierarchy for managing and organizing a legion of zombies.  Although effective, it's also a weakness because it offers a central point of failure.  If law enforcement or other appropriate parties can disable or even blacklist a couple of servers they will have impacted the botnet.

 

To mitigate this weakness, Necurs uses a second model which has built-in peer-to-peer communications to provide C2 server redundancy [3].  Conceptually, it constitutes a meshed network wherein every node, server and client, talks to each other.  If one server becomes inaccessible others will not only detect it, they will initiate operations to promote another to replace it.  In so doing, they regain control of any orphaned zombies.

 

Detecting Necurs, or any botnet for that matter, is challenging because of its custodial role as a transport vehicle for other malware. Its presence is discreet and often discovered only after the transported malware has been exposed. With this in mind we’re going to discuss detection first as it pertains to transported malware, and then on Necurs.

 

 

Payloads

  • Jaff Ransomware

In May 2017 the Jaff ransomware was being delivered globally via a large, malicious spam campaign.  Researchers determined that its source was the Necurs botnet [4].  The malspam contains a PDF attachment.  Opening it shows one line of text, Figure 1.

Figure 1

 

 

A user is then prompted to open the embedded Word document, Figure 2.

Figure 2

 

 

Embedded Javascript macros open the Word doc which then download and execute an encrypted binary, the Jaff ransomware loader.  Analyzing the Word file on www.whatsthisfile.net produces a high threat score, Figure 3.

Figure 3

 

 

Figure 4 shows a Jaff Request/Response event using NetWitness for Logs and Packets.

Figure 4

 

 

The event’s meta, shown in Figure 5, is then reviewed to understand why the session was flagged.  In this instance, both host name and header count are strong indicators of suspicious activity.

Figure 5

 

 

After a victim's files are encrypted a ransom note file is dropped.  In it are instructions to visit a payment portal site.  Once there, a user can make a bitcoin payment in order to decrypt their files.

 

Kaspersky Lab provides a free decrypter utility for Jaff ransomware.  Their RakhniDecryptor application, version 1.21.2.1, can unlock files having either .jaff, .wlu, or .svn extensions [5].

 

 

 

  • Locky ransomware

First seen in 2016, Locky ransomware was sent via a Necurs spam campaign to millions of unsuspecting victims [7].  Each email contained an attached Microsoft Word document laden with malicious macros.  It’s engineered to execute when opened by the user and then downloads the loader.

 

A sample of Locky network traffic, seen in Figure 6, shows network communications direct to an IP address as opposed to a host name.

Figure 6

 

 

Figure 7 shows the Request contains a Post command instead of a typical Get. The infected host could either be transmitting data back to the downloader site or grabbing executables.

Figure 7

 

 

A close inspection of the streams confirms files are being sent, Figure 8.

Figure 8

 

 

Locky and Jaff share some common characteristics.  For example, they’re both ransomware, delivered via Necurs, and have similar payment pages.  Is it possible Jaff is a newer version Locky?  This doesn’t appear to be the case based on analysis conducted by RSA’s Data Science team.  The scientists applied fuzzy hashing techniques to executable code fragments and import libraries of each malware.  Their findings indicated a low degree of confidence that there’s a shared code base between the two. 

 

 

  • Trickbot Banking Trojan

In early June 2017 security researchers identified an email campaign delivering the Trickbot banking trojan.  Closer examination of the infection chain revealed that it was identical to that used for the delivery of Jaff ransomware.  This leads them to conclude that the Necurs botnet was the delivery mechanism [6].  Trickbot first appeared in late 2016 and targeted banks in the UK and Australia.  The current campaign has expanded targets.  Now included are France, Sweden, Norway, Finland, and Denmark.

 

Viewing Trickbot network traffic using RSA NetWitness Logs and Packets reveals the following about the malware.  It sends HTTP traffic over a non-standard port, Figure 9.

Figure 9

 

 

A closer examination of the sessions reveals HTTP traffic is being sent over port 443, instead of the standard port 80.  The destination is 203.150.19.63, Figure 10.

Figure 10

 

 

The session’s details present an exchange wherein a Get command retrieves an obfuscated cookie, Figure 11.  This will be injected into a user’s browser.  The server responds with a 404 Not Found page.  This is a diversion.  It’s used to distract the victim while the infection process executes.

Figure 11

 

 

Existing reports confirm the cookie is associated with the Trickbot Trojan.  Figure 12 shows one from www.hybrid-analysis.com.  Also seen is the ip address/port combination which were already identified.

Figure 12

 

 

 

 

  • Pump and dump spam

In early 2017 a significant upswing in pump and dump spam traffic was observed by the security industry.  The campaigns claimed to provide insider tips and information on supposedly ‘hot’ stocks. In reality, they were merely a social engineering ploy to entice recipients to buy now and then enjoy a handsome return on their investment at a later date [8].  This type of scam isn’t new.  As in the past, the goal is to pump up a stock’s price. After this happens, the perpetrator’s sell their shares and pocket a nice profit.  Close examination of email header configurations and recipients’ lists revealed strong similarities to previous Necurs based campaigns.

 

Figure 13 shows an email which targeted InCapta Inc (INCT). 

Figure 13, source www.bleepingcomputer.com

 

 

The stock’s price spiked during the spam run, Figure 14.

Figure 14, source https://www.bleepingcomputer.com

 

 

Unwanted emails of this nature can easily be filtered at the email server level.  In addition, using a messaging authentication protocol is another means of blocking unsolicited emails. The Domain-based Message Authentication, Reporting & Conformance protocol is one example, https://dmarc.org/.

 

 

  • Detecting Necurs

RSA NetWitness products can alert on and detect botnet activity in many different ways.  To illustrate, here’s a brief hunting exercise on Necurs malware in a controlled environment.  To facilitate it a few preliminary steps were taken.  They included detonating known Necurs malcode in a sandbox and pre-populating indicators of compromise (IOCs) into an RSA Live feed.  Clearly, these steps improved detection results. However, their primary purpose was to improve the clarity and logical flow of this hunting exercise as well as to demonstrate botnet activity.

 

To begin hunting I used NetWitness Security Analytics and loaded the RSA Threat Analysis profile, I focused on the meta labelled c2-domain, c2-ip, hostname aliases, and beaconing, all of which represent botnet behavior.  Beaconing is when zombies send small messages, often over either Transport Control Protocol (TCP) or Hypertext Transfer Protocl (HTTP), to C2 servers at predetermined intervals.  They’re used to exchange updates, get instructions, and issue keep-alive heartbeats.

 

Figure 15 shows captured network traffic.  Necurs IOCs appear in the c2-domain and c2-ip meta.

Figure 15

 

Hostname-aliases is a subset of the c2-domain category.  Ciiltire.com, circled in red in Figure 16, has been flagged.  It warrants closer scrutiny.

Figure 16

 

 

Cross referencing it on VirusTotal.com reveals malicious activity, see Figure 17.

Figure 17

 

 

Performing a double check on the domain’s reputation, using a site like surbl.org, is a good next step.  The results, see Figure 18, support the findings in the previous step.  Its integrity is questionable.

Figure 18

 

 

Returning to the Security Analytics interface, I proceeded to drill down on ciiltire.com in order to identify destination IP addresses.  I chose one to check, 192.185.129.5, shown in Figure 19.

Figure 19

 

 

Searching this IP address on Virustotal.com confirms malicious network traffic has been detected, Figure 20.

Figure 20

 

Returning to Security Analytics, I next investigated TCP beaconing meta, Figure 21.  It, too, confirmed Necurs activity.

Figure 21

 

 

Summary

Necurs is a massive botnet, possibly the largest in the world.  Its architecture has received periodic updates which have contributed to its versatility and longevity.  It has a track record of effectively using spam email to deliver ransomware, banking trojans, and many other malicious payloads.  Threat actors use Necurs’ wide reach to quickly saturate targeted markets with their campaigns, thereby increasing its potential infection rate.  

 

Thanks to Steven Sipes, Kevin Stear, Ray Carney, Ahmed Sonbol, and Lisa Bayen for their contributions to this blog post.

 

 

 

Hashes

Necurs

644ab8d77313f99c5103940b53768ac25e515d67478f05b517f12f50e087805b

42d15597c83ee42ec736b80cbb9c667d5538a4b14faa1bff2e4db981ab980097
3d9728ec88afe74e3ad5bee49c5c64a771f6d39b5f4b16fab280175b989d79a6

 

 

Jaff

2078e056553199dd6cb108fb3944e2b13009acabf76b52ed3ec36a429562df70

41bce3e382cee06aa65fbee15fd38f7187fb090d5da78d868f57c84197689287

0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2f

824901dd0b1660f00c3406cb888118c8a10f66e3258b5020f7ea289434618b13

 

 

Trickbot

ecc1cbdb2dd3b58ffb8a260dab2bcde93970ff63a4383a84e3f9d3dc15a1b4c7

79d96a62622e4efb01fda23cf81b759e0059ad3cd3083acff7fb4174b0b3d40c

5e363a42d019fc6535850a2867548f5b968d68952e1cddd49240d1f426debb73

 

Locky

2d967601187354d2b1f47bdbb5f6bc17472c9f3dcb202bef34528e908ab22eb4

2a40da48c9dc3e20bc6e30c986306ceccbc2d8be55b355b7a73d95c1a54319a4

f6c4e41e637a164f0f1fb8ef0dffe5639716c9c908d64cb3e87c675b28afd08c

e325dcb905b3adaaf5e33ef15a0c488f948dd90eb8577714c97482a3b7ad74bb

 

 

 

Necurs IOCs added to the RSA C2-IP and C2-Domain feeds

51.254.240.48

185.82.216.55

91.219.29.41

217.12.223.83

64.124.69.50

162.88.60.13

162.88.60.15

162.88.60.17

162.88.61.15

162.88.61.17

162.88.61.19

205.251.192.237

205.251.195.34

205.251.197.193

205.251.199.135

208.109.255.18

216.69.185.18

239.255.255.250

sportsandsocialchange.org

0hbtyHGROCKe67tfgc4uybfbnfmd.org

0hbtyHGROCKzonnit.com

ciiltire.com

yourworshipspace.com

rhvpwqledatdxerrx.info

sonuh5glplozcs2m.tor2web.org

 

 

 

References

[1] https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/

[2] http://securityaffairs.co/wordpress/56725/malware/necurs-botnet-ddos.html

[3] https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/

[4] https://www.flashpoint-intel.com/blog/necurs-botnet-jaff-ransomware/

[5] https://support.kaspersky.com/viruses/disinfection/10556#block2

[6] https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets

[7] http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html

[8] http://blog.talosintelligence.com/2017/03/necurs-diversifies.html

 

 

Additional reading

https://community.rsa.com/community/products/netwitness/blog/2017/05/17/hunting-pack-use-case-delivery-documents

https://community.rsa.com/community/products/netwitness/blog/2016/02/22/detecting-locky-variants-using-security-analytics

Outcomes