Necurs Updated to Use Internet Shortcut File


Necurs botnet is making one more update to compromise more online systems and increase the number of infected machine. Recently TrendMicro alerting of an update to Necurs where in the past it was using scripts and macros to infect users but now it makes the infection simpler by using URL file.

The world’s largest spam botnet consists of millions of computers worldwide. In a very long time in early 2017, Necurs was not active and it resumed activities in April 2017. In the past few months the botnet has been used to push some malware, including Locky, JAFF ransomware, GlobeImposter, Dridex Trojans, scarab ransomware and the Trickbot Trojan. February security researchers observed that Necurs botnet was used to send a large amount of Valentine’s Day messages.

Diagram of the evolved version of the Necurs malware (Sourced TrendMicro)

Diagram of the evolved version of the Necurs malware (Sourced TrendMicro)

The infection scenario described by TrendMicro is that cybercriminals were sending an email with a document attachment to the potential victim. Once extracted, the archive file will present a file with .URL extension. The .URL extension is associated with a Windows shortcut file that opens a URL in the browser. Once victim open the file on the browser the URL will lead to the remote script file, and after the file is downloaded, the final valid payload is executed.

Previously, Necurs’ JavaScript downloader downloaded the final payload. However, in the latest version, the remote script downloads QUANTLOADER (detected by Trend Micro as TROJ_QUANT), which is a new download program that downloads the final payload. This is another layer added to Necurs’ infection chain.

If you have a threat hunting tool you can add the following IOC’s to detect and prevent the attack:

03c770882e87585fea0272a8e6a7b7e37085e193475884b1316e14fb193e992d         TROJ_QUANT.K

b0c173e0fc28e0f1bc8debfe49de01f306d372a0516d88201b87e441f3de303e         TROJ_QUANT.J

b87e0dd9b0e032c6d2d5f0bf46f00243a2a866bf1d3d22f8b72737b4aa1148eb         TROJ_QUANT.L

00ca7e9e61a3ceaa4b9250866aface8af63e5ae71435d4fd6c770a8c9a167f22            TROJ_QUANT.K