Six years after it was first spotted in the wild, the Necurs malware botnet is still out to prove that it’s a malware chameleon. We recently discovered noteworthy changes to the way Necurs makes use of its bots, such as pushing infostealers onto them and showing a special interest in bots with specific characteristics. These behavioral changes could have a big impact, as Necurs has been used in large-scale cybercriminal deployments in the past.
As modularized malware, Necurs can run any module on its network of bots. In 2017, we saw Necurs pushing spamming and proxy modules onto its bots. This year, however, there’s a notable decrease in Necurs’ spam volume compared to its spam campaigns in the last quarter of 2017. Instead, we see Necurs pushing cryptocurrency miners and infostealers — FlawedAmmyy RAT, AZORult, and a .NET module — as modules onto its bots.
[...]
The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors - TrendLabs Security Intelligence Blog