The Necurs botnet is back with renewed vigour, and more tenacious than ever. Armed with more sophisticated obfuscation techniques aimed at defeating sandboxing, Necurs has returned with the Locky ransomware and the Dridex banking malware in tow.
The botnet went quiet in May 2016, and the cyber security experts monitoring it were left wondering what had happened to the Locky campaign and to the botnet itself. In the meantime, the botnet's operators had been enhancing the malicious potency of the ransomware.
The new Locky has more tricks up its sleeve to bypass detection by anti-malware programs that include a sandboxing feature. A new loader has been added that targets virtual machines in which the processor's timestamp counter values are not maintained realistically. The Locky malware measures the CPU cycles consumed by executing specific APIs. Compared with a normal environment, typical Windows functions take more cycles to execute in a virtual environment. This lets the malware detect virtualization, and hence the sandbox, and behave like a legitimate file while under analysis.
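As an added illustration (not the article's or Locky's own code), here is a sandbox self-check a defender can run inside a candidate analysis VM: it times a cheap call with the processor timestamp counter, takes the median over many samples so scheduler noise does not skew a single reading, and reports whether the cost exceeds a threshold the operator picks. The probe target, the sample count and the threshold are assumptions to be calibrated against a bare-metal baseline.

```c
/* Sandbox self-check modelled on the timing probe described above.
   Added example: measures how many TSC ticks a cheap call costs so a
   sandbox operator can see whether their VM leaks the inflated cycle
   counts that timing-based evasion looks for. Not Locky's code. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }
#else
/* Non-x86 fallback (assumption): a nanosecond clock stands in for the TSC. */
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* Cheap, side-effect-free stand-in for the API a sample would time.
   Called through a volatile pointer so the compiler cannot inline it away. */
static volatile int sink;
static void probe_target(void) { sink++; }
static void (*volatile probe)(void) = probe_target;

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples (sorts in place); resists one-off scheduling spikes. */
uint64_t median_ticks(uint64_t *samples, size_t n) {
    qsort(samples, n, sizeof *samples, cmp_u64);
    return samples[n / 2];
}

/* Time the probe n times and return the median tick delta. */
uint64_t measure_call_cost(size_t n) {
    uint64_t *s = malloc(n * sizeof *s);
    if (!s) return 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = read_tsc();
        probe();
        s[i] = read_tsc() - t0;
    }
    uint64_t med = median_ticks(s, n);
    free(s);
    return med;
}

/* Operator verdict: 1 if the environment looks virtualised to this probe. */
int looks_virtualised(uint64_t median, uint64_t threshold) { return median > threshold; }

int main(void) {
    uint64_t med = measure_call_cost(5000);
    printf("median call cost: %llu ticks -> %s\n", (unsigned long long)med,
           looks_virtualised(med, 1000 /* assumed threshold */) ? "VM-like" : "bare-metal-like");
    return 0;
}
```

Run it on physical hardware first to record a baseline, then in the sandbox; a large gap between the two medians is the signal this kind of loader keys on.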
Cyber security experts foresee escalating attacks by Locky ransomware and Dridex banking malware in the coming days, as the sophisticated Necurs botnet spreads more widely. Necurs is believed to be pushing out approximately 100 million malicious email messages every day. Experts are working on ways to analyze and detect the malware through sandboxing and other techniques.
The complex Necurs botnet demonstrates the importance of effective sandboxes. Not all sandboxing technologies are the same, and the analysis technology implemented in a sandbox plays an important role in malware detection. Effective protection depends on the efficacy of the default-deny technology, along with auto-sandboxing, host intrusion prevention systems and real-time malware scanning, in any information security environment.