The Necurs botnet is back with renewed vigour, more tenacious than ever. Armed with more sophisticated obfuscation techniques that undermine the purpose of sandboxing, it is once again distributing Locky ransomware and Dridex banking malware.
The botnet went quiet in May 2016, and the cyber security experts monitoring Necurs wondered what had become of the Locky campaign and the botnet itself. In the meantime, its operators had been enhancing the malicious potency of the ransomware.
The newly unleashed campaign was a multi-million message email run that delivered Locky ransomware in zip attachments (“.zip” files). When unwary users opened these attachments to unzip them, the malware infected the device or system. The malicious files inside the archives were JavaScript files with the “.js” extension, and the email body claimed the attachment was an invoice for services rendered.
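As an added defender-side example (not code from the original article), here is a minimal mail-gateway check for the delivery method described above: it opens a .zip attachment and flags members whose final extension is a Windows script type such as .js, including double-extension names like invoice.pdf.js. The sample archive is constructed inline to mimic the invoice lure; the extensions beyond .js and all function names are assumptions.

```python
import io
import posixpath
import zipfile

# File extensions the Windows Script Host runs directly on double-click.
# The article describes ".js" inside the Locky archives; the others are
# related script types a mail filter would reasonably treat the same way.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def suspicious_script_entries(zip_bytes: bytes) -> list[str]:
    """Return archive members that are scripts, judged by their final extension
    ('invoice.pdf.js' runs as JavaScript, so only the last extension counts)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = posixpath.basename(info.filename).strip().lower()
            _, dot, ext = base.rpartition(".")
            if dot and "." + ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def classify_attachment(zip_bytes: bytes) -> str:
    """Verdict for a gateway rule: 'quarantine', 'unreadable-archive' or 'allow'."""
    try:
        flagged = suspicious_script_entries(zip_bytes)
    except zipfile.BadZipFile:
        # A ".zip" that does not parse must not be passed through unexamined.
        return "unreadable-archive"
    return "quarantine" if flagged else "allow"


def build_sample_attachment(include_script: bool = True) -> bytes:
    """Constructed stand-in for the invoice lure (sample data, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Invoice_for_services.txt", "Invoice for services rendered.\n")
        if include_script:
            # Double extension mimics the lure; the body is an inert placeholder.
            archive.writestr("Invoice_0421.pdf.js", "// constructed placeholder, does nothing\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    print(suspicious_script_entries(sample))  # ['Invoice_0421.pdf.js']
    print(classify_attachment(sample))        # quarantine
```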
The new Locky had more tricks up its sleeve to evade anti-malware programs with a sandboxing feature. A new loader was added that targets virtual machines which do not maintain realistic processor time-stamp counter values. The loader measures the CPU cycles consumed by specific API calls; typical Windows functions take more cycles to execute in a virtual environment than on a physical host. Recognising virtualization this way lets the malware infer that it is running inside a sandbox, in which case it behaves like a legitimate file.
The second enhancement is the way the malware is launched from the JavaScript: it is executed with a specific argument that obscures its malicious intent. The third enhancement is an innovative cross-module execution method. After the anti-malware application has finished inspecting the loader, the malware unpacks the Locky binary and overwrites the original loader code, and it further obfuscates its actions in a highly sophisticated manner that makes detection very difficult.
In the coming days, cyber security experts foresee an escalation of Locky ransomware and Dridex banking malware attacks as the sophisticated Necurs botnet spreads more widely. Necurs is believed to be pushing out approximately 100 million malicious email messages every day. Cyber security experts are working on ways to analyze and detect the malware through sandboxing and other techniques.
The complex Necurs botnet demonstrates the importance of effective sandboxes. Not all sandboxing technologies are the same, and the analysis technology implemented inside the sandbox plays an important role in malware detection. Effective free antivirus protection depends on the efficacy of its default-deny technology, combined with auto-sandboxing, host intrusion prevention systems and real-time malware scanning, in any information security environment.