The shotgun effect
Botnets are the shotgun within a cybercriminal's arsenal. They provide an amplified delivery mechanism for malware and other threats. Deployment varies, but they are typically installed on an unsuspecting victim's system through the use of an exploit kit (EK), which compromises a known system vulnerability to allow unauthorized access. After taking control of a large group of systems, commonly referred to as zombies, a ‘botmaster’ will use them to conduct nefarious activities, like sending spam.
Some botnets are reported to have over one million zombies. That’s a lot of spam blasted across the internet, and perhaps what Necurs is best known for.
This article discusses the Necurs botnet and its architecture, highlights recent, notable payloads, and shows how RSA NetWitness products can identify it.
Necurs is one of the largest botnets; some claim it's the largest. Reports have it containing upwards of six million endpoints. It was identified in 2012 and remains active on the threat landscape. Its activity has seen periodic ebbs, but blackhats continue using it. With regard to payloads, Necurs has been responsible for delivering many high-profile malware campaigns including Dridex, Locky, and Jaff. It has also been used to transmit a slew of other spam and phishing attacks. Security researchers recently observed that a new module was added to carry out distributed denial of service (DDoS) attacks.
Necurs is a highly resilient piece of malware. Its strength and longevity can be attributed to many factors including a kernel-mode rootkit, modularity, anti-AV features, and domain generation algorithms. Additionally, it contains a hybrid network architecture which leverages two different Command and Control (C2) models.
The first model uses centralized C2 servers and a flat hierarchy for managing and organizing a legion of zombies. Although effective, it's also a weakness because it offers a central point of failure. If law enforcement or other appropriate parties can disable or even blacklist a couple of servers, they will have impacted the botnet.
To mitigate this weakness, Necurs uses a second model which has built-in peer-to-peer communications to provide C2 server redundancy. Conceptually, it constitutes a meshed network wherein every node, server and client, talks to every other. If one server becomes inaccessible, the others will not only detect it, they will initiate operations to promote another to replace it. In so doing, they regain control of any orphaned zombies.
Detecting Necurs, or any botnet for that matter, is challenging because of its custodial role as a transport vehicle for other malware. Its presence is discreet and often discovered only after the transported malware has been exposed. With this in mind, we’re going to discuss detection first as it pertains to transported malware, and then as it pertains to Necurs itself.
- Jaff Ransomware
In May 2017 the Jaff ransomware was being delivered globally via a large, malicious spam campaign. Researchers determined that its source was the Necurs botnet. The malspam contains a PDF attachment. Opening it shows one line of text, Figure 1.
A user is then prompted to open the embedded Word document, Figure 2.
Figure 4 shows a Jaff Request/Response event using NetWitness for Logs and Packets.
The event’s meta, shown in Figure 5, is then reviewed to understand why the session was flagged. In this instance, both host name and header count are strong indicators of suspicious activity.
After a victim's files are encrypted a ransom note file is dropped. In it are instructions to visit a payment portal site. Once there, a user can make a bitcoin payment in order to decrypt their files.
Kaspersky Lab provides a free decrypter utility for Jaff ransomware. Their RakhniDecryptor application, version 188.8.131.52, can unlock files having either .jaff, .wlu, or .svn extensions.
- Locky ransomware
First seen in 2016, Locky ransomware was sent via a Necurs spam campaign to millions of unsuspecting victims. Each email contained an attached Microsoft Word document laden with malicious macros. The macros are engineered to execute when the document is opened by the user, and they then download the loader.
A sample of Locky network traffic, seen in Figure 6, shows network communications direct to an IP address as opposed to a host name.
Figure 7 shows the request contains a POST command instead of a typical GET. The infected host could either be transmitting data back to the downloader site or grabbing executables.
A close inspection of the streams confirms files are being sent, Figure 8.
Locky and Jaff share some common characteristics. For example, they’re both ransomware, delivered via Necurs, and have similar payment pages. Is it possible Jaff is a newer version of Locky? This doesn’t appear to be the case based on analysis conducted by RSA’s Data Science team. The scientists applied fuzzy hashing techniques to executable code fragments and import libraries of each malware. Their findings indicated a low degree of confidence that there’s a shared code base between the two.
- Trickbot Banking Trojan
In early June 2017 security researchers identified an email campaign delivering the Trickbot banking trojan. Closer examination of the infection chain revealed that it was identical to that used for the delivery of Jaff ransomware. This led them to conclude that the Necurs botnet was the delivery mechanism. Trickbot first appeared in late 2016 and targeted banks in the UK and Australia. The current campaign has expanded its targets to include France, Sweden, Norway, Finland, and Denmark.
Viewing Trickbot network traffic using RSA NetWitness Logs and Packets reveals the following about the malware. It sends HTTP traffic over a non-standard port, Figure 9.
A closer examination of the sessions reveals HTTP traffic is being sent over port 443, instead of the standard port 80. The destination is 184.108.40.206, Figure 10.
The session’s details present an exchange wherein a Get command retrieves an obfuscated cookie, Figure 11. This will be injected into a user’s browser. The server responds with a 404 Not Found page. This is a diversion. It’s used to distract the victim while the infection process executes.
Existing reports confirm the cookie is associated with the Trickbot Trojan. Figure 12 shows one from www.hybrid-analysis.com. Also seen is the IP address/port combination which was already identified.
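The network indicators called out in the Jaff, Locky and Trickbot sections above (host name, header count, traffic direct to an IP address, a POST to that address, HTTP on a non-standard port) can be combined into a simple session triage. The following is an added example, not code from the original article or from RSA NetWitness; the field names, the header-count threshold, the standard-port set and the sample sessions are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this sketch: ports treated as normal for cleartext HTTP, and
# the request-header count at or below which a session is considered sparse.
STANDARD_HTTP_PORTS = {80, 8080}
LOW_HEADER_COUNT = 4

def host_is_ip_literal(host):
    """True when the HTTP Host value is an IP address rather than a name."""
    h = (host or "").strip()
    if h.startswith("["):              # bracketed IPv6, optional :port
        h = h[1:].split("]", 1)[0]
    elif h.count(":") == 1:            # name or IPv4 followed by :port
        h = h.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False

def triage(session):
    """Return the list of indicator names that a session's metadata matches."""
    if session["service"] != "http":   # only parsed cleartext HTTP is scored
        return []
    reasons = []
    direct = host_is_ip_literal(session.get("host"))
    if direct:
        reasons.append("direct_to_ip")
    if direct and session["method"].upper() == "POST":
        reasons.append("post_to_ip")
    if session["dst_port"] not in STANDARD_HTTP_PORTS:
        reasons.append("http_on_nonstandard_port")
    if session["header_count"] <= LOW_HEADER_COUNT:
        reasons.append("low_header_count")
    return reasons

# Constructed session metadata; addresses are RFC 5737 documentation ranges.
SESSIONS = [
    {"id": "a", "service": "http", "dst_port": 80, "method": "POST",
     "host": "198.51.100.20", "header_count": 6},
    {"id": "b", "service": "http", "dst_port": 443, "method": "GET",
     "host": "203.0.113.7:443", "header_count": 3},
    {"id": "c", "service": "http", "dst_port": 80, "method": "GET",
     "host": "www.example.com", "header_count": 11},
    {"id": "d", "service": "tls", "dst_port": 443, "method": "",
     "host": "", "header_count": 0},
]

def flagged(sessions):
    """Map session id -> reasons, keeping only sessions with at least one hit."""
    return {s["id"]: r for s in sessions if (r := triage(s))}
```

No single indicator is conclusive on its own; sessions that match several at once are the ones worth pivoting on first.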
- Pump and dump spam
In early 2017 a significant upswing in pump and dump spam traffic was observed by the security industry. The campaigns claimed to provide insider tips and information on supposedly ‘hot’ stocks. In reality, they were merely a social engineering ploy to entice recipients to buy now and then enjoy a handsome return on their investment at a later date. This type of scam isn’t new. As in the past, the goal is to pump up a stock’s price. After this happens, the perpetrators sell their shares and pocket a nice profit. Close examination of email header configurations and recipients’ lists revealed strong similarities to previous Necurs-based campaigns.
Figure 13 shows an email which targeted InCapta Inc (INCT).
Figure 13, source www.bleepingcomputer.com
The stock’s price spiked during the spam run, Figure 14.
Figure 14, source https://www.bleepingcomputer.com
Unwanted emails of this nature can easily be filtered at the email server level. In addition, using a messaging authentication protocol is another means of blocking unsolicited emails. The Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol is one example, https://dmarc.org/.
RSA NetWitness products can alert on and detect botnet activity in many different ways. To illustrate, here’s a brief hunting exercise on Necurs malware in a controlled environment. To facilitate it a few preliminary steps were taken. They included detonating known Necurs malcode in a sandbox and pre-populating indicators of compromise (IOCs) into an RSA Live feed. Clearly, these steps improved detection results. However, their primary purpose was to improve the clarity and logical flow of this hunting exercise as well as to demonstrate botnet activity.
To begin hunting, I used NetWitness Security Analytics and loaded the RSA Threat Analysis profile. I focused on the meta labelled c2-domain, c2-ip, hostname aliases, and beaconing, all of which represent botnet behavior. Beaconing is when zombies send small messages, often over either Transmission Control Protocol (TCP) or Hypertext Transfer Protocol (HTTP), to C2 servers at predetermined intervals. They’re used to exchange updates, get instructions, and issue keep-alive heartbeats.
Figure 15 shows captured network traffic. Necurs IOCs appear in the c2-domain and c2-ip meta.
Hostname-aliases is a subset of the c2-domain category. Ciiltire.com, circled in red in Figure 16, has been flagged. It warrants closer scrutiny.
Cross referencing it on VirusTotal.com reveals malicious activity, see Figure 17.
Performing a double check on the domain’s reputation, using a site like surbl.org, is a good next step. The results, see Figure 18, support the findings in the previous step. Its integrity is questionable.
Returning to the Security Analytics interface, I proceeded to drill down on ciiltire.com in order to identify destination IP addresses. I chose one to check, 220.127.116.11, shown in Figure 19.
Searching this IP address on Virustotal.com confirms malicious network traffic has been detected, Figure 20.
Returning to Security Analytics, I next investigated TCP beaconing meta, Figure 21. It, too, confirmed Necurs activity.
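Beaconing as described earlier (small messages sent to a C2 server at predetermined intervals) can be approximated from flow records by looking for source/destination pairs whose connections are both small and evenly spaced. This is an added example, not code from the original article and not how NetWitness derives its beaconing meta; the thresholds, record layout and sample flows are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def find_beacons(flows, min_events=6, max_cv=0.10, max_avg_bytes=1024):
    """Flag (src, dst, port) tuples whose connections are small and evenly spaced.

    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port, bytes_sent).
    max_cv is the allowed coefficient of variation (stdev / mean) of the gaps
    between connections; a low value means a near-constant interval.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    hits = []
    for (src, dst, port), events in by_pair.items():
        if len(events) < min_events:        # too few samples to judge regularity
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        avg_bytes = mean([n for _, n in events])
        if cv <= max_cv and avg_bytes <= max_avg_bytes:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval_s": round(avg_gap), "cv": round(cv, 3),
                         "events": len(events)})
    return hits

# Constructed flow records; addresses are RFC 5737 documentation ranges.
JITTER = [0, 3, -2, 1, 0, -4, 2, 1, -1, 0]
FLOWS = (
    # Host checking in roughly every 300 s with a ~200-byte message.
    [(1000 + i * 300 + j, "192.0.2.10", "203.0.113.5", 80, 200 + i)
     for i, j in enumerate(JITTER)]
    # Interactive browsing: irregular gaps, larger transfers.
    + [(t, "192.0.2.11", "198.51.100.9", 443, 48000)
       for t in (5, 9, 70, 400, 410, 1900, 1950, 2600)]
    # Scheduled backup: perfectly regular but far too large to be a heartbeat.
    + [(i * 600, "192.0.2.12", "198.51.100.30", 22, 5_000_000) for i in range(8)]
)

if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

The size limit is what separates a heartbeat from legitimate scheduled jobs such as the backup in the sample data; raising `max_cv` tolerates more timing jitter at the cost of more false positives.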
Necurs is a massive botnet, possibly the largest in the world. Its architecture has received periodic updates which have contributed to its versatility and longevity. It has a track record of effectively using spam email to deliver ransomware, banking trojans, and many other malicious payloads. Threat actors use Necurs’ wide reach to quickly saturate targeted markets with their campaigns, thereby increasing their potential infection rate.
Thanks to Steven Sipes, Kevin Stear, Ray Carney, Ahmed Sonbol, and Lisa Bayen for their contributions to this blog post.
Necurs IOCs added to the RSA C2-IP and C2-Domain feeds