Necurs Malware Will Now Take a Screenshot of Your Screen, Report Runtime Errors (and installs Locky)

LASER_oneXM

Feb 4, 2016
Malware families evolve on a daily basis, but some updates catch your eye more than others. Necurs has just gone through one of these "interesting" updates, according to US security firm Symantec.

Before we go on, we must explain that Necurs is a name given to both a malware strain and the botnet of infected computers it creates.

In the world of security research, the Necurs malware strain is a "downloader" or "loader," and just like similar downloaders, it only has three major functions: (1) gain boot persistence on an infected PC, (2) collect telemetry on infected hosts, and (3) download and install a second-stage payload.

The Necurs malware is distributed via spam sent by Necurs bots or hacked web servers. When you read news stories about "the Necurs botnet spreading the Locky ransomware," it's actually "the Necurs botnet spreading the Necurs downloader, which then installs the Locky ransomware."

Necurs team looking for valuable hosts
According to Symantec, the reasons for the screenshot behavior may be that Necurs operators are looking for more clues about the computers they infect, besides the telemetry data they collect shortly after infection.
This info could allow them to detect when they infect more valuable environments, like the ones running professional office-related software, which usually means computers on corporate networks.
 
