This ransomware-spreading botnet will now screengrab your desktop too

A new payload bundled with Necurs botnet attacks lets the operators check whether their campaigns are working and refine future updates.
Written by Danny Palmer, Senior Writer

The Necurs operators have added snooping capability to their regular malware payloads.

Attackers behind one of the world's most notorious botnets have added another string to their bow, allowing them to take screenshots of the desktops of victims infected with malware.

Having previously been inactive for much of the first half of the year, the Necurs botnet has recently undergone a resurgence, distributing millions of malicious emails - large swathes of which have most recently been spreading Locky ransomware.

It's also been known to deliver the Trickbot banking trojan, indicating the attackers behind it have their fingers in many pies.

But not content with that, those behind Necurs - a zombie army of over five million hacked devices - are now also attaching a downloader with functionality to gather telemetry from infected victims.

Uncovered by researchers at Symantec, the Necurs downloader can take screengrabs of infected machines and send them back to a remote server. It also contains an error-reporting feature which sends information back to the attackers on any issues the downloader encounters when performing its activities.

This functionality suggests the attackers are actively attempting to gather operational intelligence about the performance of their campaigns in much the same way legitimate software vendors collect crash reports in order to improve their products. However, in this case, the reports are designed to help the attackers spot problems and improve the chances of the malicious payload doing its job.

"After all, you can't count on the victims to report back errors and issues," note the researchers.


Like other Necurs campaigns, these attacks begin with a phishing email, this time using the lure of a phony invoice. If the attachment is opened, it downloads a JavaScript file, which in turn downloads a Locky or Trickbot payload, depending on the particular campaign.

Once on the system, the downloader also runs a PowerShell script that takes a screengrab, saves it to a file named 'generalpd.jpg' and uploads it to a remote server for analysis by the attackers.
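The chain above (mail client, script host running the JavaScript attachment, PowerShell child writing 'generalpd.jpg') is something a defender can look for in process-creation telemetry. The following is an added detection example written for this article; it is not code from the article or from Symantec. It assumes Sysmon-style process-creation fields (pid, parent pid, image path, command line), and the 'CopyFromScreen'/'System.Drawing' check is an assumption about how a PowerShell screengrab is typically taken, since the article only names the output file. The log events are constructed for the example.

```python
"""Flag a Necurs-style screengrab chain in process-creation events.

Signals, strongest first:
  - the screenshot filename 'generalpd.jpg' (from the Symantec write-up) on a
    PowerShell command line
  - PowerShell whose parent is a script host (wscript/cscript), i.e. the
    JavaScript downloader, and whose command line shows screen-capture API use
    (System.Drawing / CopyFromScreen: an assumption, not stated in the article)
  - a mail client somewhere in the ancestry (attachment opened from email)
Events below are constructed for this example, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str    # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCREENSHOT_FILE = re.compile(r"generalpd\.jpg", re.IGNORECASE)
# Assumed screen-capture idiom; System.Drawing is also used by benign scripts,
# so this signal alone never fires an alert (see gating below).
SCREENSHOT_API = re.compile(r"CopyFromScreen|System\.Drawing", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict):
    """Yield parent, grandparent, ... of pid; stops on unknown pid or a cycle."""
    seen = set()
    e = by_pid.get(pid)
    while e is not None and e.ppid in by_pid and e.ppid not in seen:
        seen.add(e.ppid)
        e = by_pid[e.ppid]
        yield e


def find_screengrab_chain(events):
    """Return one alert dict per PowerShell process matching the chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in SHELLS:
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in SCRIPT_HOSTS:
            reasons.append("parent-is-script-host")
        if SCREENSHOT_FILE.search(e.cmdline):
            reasons.append("screenshot-filename")
        if SCREENSHOT_API.search(e.cmdline):
            reasons.append("screenshot-api")
        if any(basename(a.image) in MAIL_CLIENTS for a in ancestors(e.pid, by_pid)):
            reasons.append("mail-client-ancestor")
        # Gating: the known filename is enough on its own; API use only counts
        # when PowerShell was spawned by a script host.
        if "screenshot-filename" in reasons:
            severity = "high"
        elif "parent-is-script-host" in reasons and "screenshot-api" in reasons:
            severity = "medium"
        else:
            continue
        alerts.append({"pid": e.pid, "severity": severity,
                       "cmdline": e.cmdline, "reasons": reasons})
    return alerts


# Constructed sample: explorer -> Outlook -> wscript(invoice.js) -> powershell,
# plus two benign PowerShell launches from cmd.exe (one using System.Drawing).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(1200, 1100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice_4471.js"'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoP -W Hidden -c "Add-Type -AssemblyName System.Drawing; '
              r'$g=[Drawing.Graphics]::FromImage($b); $g.CopyFromScreen(0,0,0,0,$b.Size); '
              r'$b.Save(\"$env:TEMP\generalpd.jpg\")"'),
    ProcEvent(1400, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(1500, 1400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(1600, 1400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -c "Add-Type -AssemblyName System.Drawing; [Drawing.Color]::Red"'),
]

if __name__ == "__main__":
    for a in find_screengrab_chain(SAMPLE_EVENTS):
        print(a["severity"], a["pid"], a["reasons"])
```

The filename is a brittle indicator (the operators can rename it at will), which is why the rule also keys on the parent-child relationship; a script host spawning PowerShell is rare in most environments and survives a filename change. Tune MAIL_CLIENTS and SCRIPT_HOSTS to what actually runs in your estate before relying on the "medium" path.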

The last month or so has seen Necurs more active than at any point this year, with a high focus on distributing Locky, to such an extent that it's almost reclaimed its crown as the king of ransomware.

To stay as protected as possible against threats distributed by the Necurs botnet, Symantec recommends keeping security software, operating systems and other applications up to date, and being extremely suspicious of unsolicited emails, especially those containing links or attachments.
