Category Archives: Necurs

A week in security (April 30 – May 6)

Last week on Labs, we examined the Spartacus ransomware, reported about a new tactic used by the Necurs malspam campaign, informed you about the recommended Twitter password change, and discussed engaging students to start considering careers in cybersecurity.

Other news

  • NTLM credentials can be stolen via malicious Portable Document Format (PDF) files without any user interaction. (Source: SecurityWeek)
  • Twitter sold data access to a Cambridge Analytica-linked researcher. (Source: Bloomberg)
  • FacexWorm targets cryptocurrency users by spreading through Facebook Messenger. (Source: Security Affairs)
  • New DNS encryption tools accelerate privacy online. (Source: HelpNetSecurity)
  • IoT security: Is cryptocurrency-mining malware your next big headache? (Source: ZDNet)
  • Companies from across the tech spectrum are lining up to protest the measure that would allow them to “hack back” with offensive initiatives in the face of a cyberattack. (Source: ThreatPost)
  • Drive-by Rowhammer attack uses GPU to compromise Android phone. (Source: ArsTechnica)
  • The systems that control water and power plants are shockingly vulnerable to hackers. (Source: Gizmodo)
  • Facebook’s dating service is a chance to meet the catfisher, advertiser, or scammer of your dreams. (Source: Washington Post)
  • Roskomnadzor, Russia’s telecommunications watchdog, blocks 50 VPNs and Proxy Services providing access to Telegram. (Source: BleepingComputer)
  • Cat burglar: Kitty cryptominer targets web application servers, then spreads to app users. (Source: SCMagazine)

Stay safe, everyone!

The post A week in security (April 30 – May 6) appeared first on Malwarebytes Labs.

Internet Shortcut used in Necurs malspam campaign

The Necurs botnet continues to be one of the most prolific malicious spam distributors, with regular waves of carefully crafted attachments that are used to download malware.

The majority of malspam campaigns that we track target Microsoft Office, with documents containing either macros or exploits. We also see a number of other types of malicious attachments that are zipped scripts (.VBS, .JS, etc.), essentially downloaders for the final payload.

In a new technique recently uncovered, Necurs is changing things up a little bit by avoiding the aforementioned formats and instead crafting malicious .URL (Internet Shortcut) files.

This attack relies on the file:// protocol to load and execute a remote script from a Samba (SMB) share. This is noteworthy because the attachment itself is typically the downloader; here the .url shortcut adds one more step, so the remote script, rather than the attachment, does the downloading.

By not placing the malicious script directly within the attachment, attackers are also preventing the automated collection and sandbox analysis that usually takes place within spam traps.
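Because the script lives on a remote share, mail gateways and spam traps only ever hold the shortcut itself, so triage has to work from the .URL file's target alone. The following is an added example (not code from the post or from Malwarebytes) that parses the [InternetShortcut] INI section and escalates a file:// or UNC target on a non-intranet host that points at a script such as .wsf; the samples, the TEST-NET address and the host names are constructed, and the intranet ranges and extension list are assumptions a defender would tune.

```python
import configparser
import ipaddress
import posixpath
from urllib.parse import unquote, urlparse
# Remotely hosted targets with these extensions get escalated (.wsf is the one the post saw)
SCRIPT_EXTS = {".wsf", ".vbs", ".vbe", ".js", ".jse", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".scr"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_url_file(text):
    """Return the URL= value of the [InternetShortcut] section; a .URL file is plain INI text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))
    for section in cp.sections():
        if section.lower() == "internetshortcut" and cp.has_option(section, "url"):
            return cp.get(section, "url").strip()
    return None

def triage(url):
    """Classify a shortcut target as ('high'|'medium'|'low', reason)."""
    if url.startswith("\\\\"):                           # UNC form: \\host\share\path
        host, _, rest = url[2:].partition("\\")
        path = "/" + rest.replace("\\", "/")
    else:
        p = urlparse(url)
        if p.scheme.lower() != "file":
            return "low", f"{p.scheme or 'no'} scheme, not a file:// target"
        host, path = p.netloc, unquote(p.path)
    if host.lower() in ("", "localhost"):                # file:///C:/... style local paths
        return "low", "file:// target is on the local machine"
    ext = posixpath.splitext(path)[1].lower()
    try:
        remote = not any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:                                   # a host name, not an address
        remote = "." in host                             # FQDN rather than a bare intranet name
    if ext in SCRIPT_EXTS and remote:
        return "high", f"remote SMB host {host} serving a {ext} script"
    if ext in SCRIPT_EXTS or remote:
        return "medium", f"file:// target on {host} ({ext or 'no extension'})"
    return "low", f"intranet share on {host}"

# Constructed samples (TEST-NET address, placeholder names), not indicators from the post
SAMPLES = {
    "necurs_like.url": "[InternetShortcut]\r\nURL=file://203.0.113.10/share/invoice.wsf\r\n",
    "intranet.url": "[InternetShortcut]\r\nURL=file://fileserver/public/policy.pdf\r\n",
    "web.url": "[InternetShortcut]\r\nURL=https://example.com/\r\nIDList=\r\n",
}

def triage_samples():
    """Return {sample name: verdict} for the constructed samples above."""
    return {name: triage(parse_url_file(text))[0] for name, text in SAMPLES.items()}
```

A bare intranet host name or RFC 1918 address with a document extension stays low so ordinary internal shortcuts are not flooded into the queue; the same share serving a script is still raised to medium.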

An obfuscated view of the WSF script can be seen in the screenshot below:

The final payload is eventually downloaded from a remote server:

This is an interesting attack designed to bypass traditional security measures and administrative policies that may block the well-known Office macros.

Malwarebytes users are already protected against this technique.

Malware authors are constantly looking for new evasion techniques, and will keep using one as long as it generates good success rates. Social engineering attacks have relied upon the same lures for some time, but every now and again we see a slight variation on a technique that was perhaps known, but not yet leveraged by criminals.

The post Internet Shortcut used in Necurs malspam campaign appeared first on Malwarebytes Labs.