The Necurs botnet, which had been dormant for a few weeks, began to once again distribute malware-riddled spam...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
emails. The new campaign delivers downloaders for Locky ransomware, which has anti-sandboxing and evasion techniques. What should organizations know about the Necurs botnet, and how can they prevent Locky infections from occurring?
Malware authors have to constantly update their malware to keep one step ahead of the antimalware industry. The Necurs botnet was one of the largest botnets before it went dormant. It is a peer-to-peer hybrid botnet and uses a domain generation algorithm (DGA) as part of its command-and-control (C&C) communication, along with using signed commands to ensure that only the legitimate operator of the botnet can control it.
The Necurs botnet distributes other malware and is used in distributed denial-of-service attacks. Necurs primarily distributed the Locky ransomware and the Dridex banking Trojan in its spam emails. The revived Necurs botnet sends out a new variant of the Locky ransomware with added anti-virtual machine and evasion techniques. Necurs may have gone dormant while the malware authors were updating the C&C infrastructure or waiting for a new variant of the Locky ransomware.
Enterprises should know that the Necurs botnet can be detected by monitoring for the C&C infrastructure indicated by DGA connections and looking out for spam; Proofpoint's Q3 Threat Summary report showed that a whopping 97% of malicious document attachments sent during the quarter contained Locky. Proofpoint released indicators of compromise that can be used to detect the Locky ransomware. Enterprises can prevent Locky infections from occurring by following standard guidance on protecting endpoints from malware, including antispam and antiphishing measures to prevent people from opening the malicious attachments distributing the malware.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Learn how a Locky ransomware attack uses DGA
Discover why the majority of the companies hit with ransomware do not pay
Find out how to detect the Dridex banking Trojan
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Nick Lewis
Can Structured Threat Information eXpression improve threat intelligence sharing? Nick Lewis breaks down the evolution of the STIX security framework.continue reading
A new type of WordPress malware, WP-Base-SEO, disguises itself as an SEO plug-in that opens backdoors. Nick Lewis explains how it works and how to ...continue reading
A new exploit of CLDAP servers can be used for a DDoS reflection attack that gives attackers a 70x boost. Nick Lewis explains how to defend against ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.