ACG-CYBER SECURITY BULLETIN NO 121 UNDERSTANDING NECURS BOTNET
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).
The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
The Necurs botnet is a distributor of many pieces of malware, most notably Locky ransomware and the Dridex banking Trojan. It infects the computer system when downloaded or sent as an e-mail attachment through a malicious spammed mail. Once downloaded, it disables security services and elements as their main routine. Necurs is combined with information theft as well as performing certain routines to avoid detection and make their presence persist (ensuring their automatic execution upon system startup). They may also drop component files and/or malware.
Computer users affected by Necurs variants will find the security systems compromised for it effectively shut down services and elements that relates to system security. One variant of Necurs is capable of deactivating the system firewall and disabling users from being able to turn it on again. The infected computer system may fall prey to other information-stealing malware that can give cybercriminals remote access capability to the infected system itself. Also, another variant of Necurs is capable of disabling security programs by disabling services with which it is associated with along with the drivers. This leaves the user’s system vulnerable of any other malware to attack it.
Necurs delivers mostly ransomware (especially Locky) and penny stock pump-n-dump spam, and it is known to send out dating and job spam.
Also, since the advent of cryptocurrencies, some of the campaigns has concentrating on cryptocurrency credential phishing and spam campaigns pumping less-known cryptocurrencies.
The spam e-mails it sends out are not very sophisticated, i.e., will not fool anybody but the most inexperienced users: they usually contain perfunctory text, a link or an attachment, and are often not even customized to address the recipients by name.
“These are among the worst, most unreliable sources for obtaining email addresses, and any legitimate email marketer wouldn’t last a day mailing to addresses such as these. Of course, an illegitimate botnet such as Necurs has no such concerns”.
Necurs installs rogue files, particularly with the function of modifying your browser proxy-related settings. As a result, your Internet access slows down and unwanted websites keep getting loaded through pop-ups or directly in the active browser window.
All PNP personnel and the public are advised to follow the tips in order to secure your business/personal online-banking transactions:
- Use trusted security software and set it to update automatically;
- Do not click on any links listed in the email message and do not open any attachments contained in suspicious email accounts;
- Do not enter personal information in a pop-up screen. Legitimate companies, agencies and organizations do not ask for personal information via pop-up screens;
- Do not email personal or financial information. Email is not a secure method of transmitting personal information; and
- Block pop-up windows, as it may help prevent malicious software from being downloaded to a computer
For additional information, please refer to the following websites:
POINT OF CONTACT