According to the researchers BitSight’s Anubis Labs who are monitoring the Necurs botnet, the malware was modified in September to include a module that implements DDoS capabilities and new proxy command-and-control communication features.
The Necurs Botnet is one of the world’s largest malicious architectures, used to spread the dreaded threats, that vanished since June 1.
When it was first spotted earlier 2015, the experts classified the malicious infrastructure as a high-complex and efficient, “a masterpiece of criminality.”
On October 2015, an international joint effort of law enforcement agencies, including the FBI and the NCA, destroyed the botnet, but it resurrected after and was used to mainly spread the Locky ransomware. Experts called it Necurs and confirmed it was the world’s largest botnet.
“Necurs is a modular malware that can be used for many different purposes. What’s new with the sample we found is the addition of a module that adds SOCKS/HTTP proxy and DDoS capabilities to this malware,” explained Tiago Pereira, threat intel researcher with Anubis Labs.
About six months ago, Pereira and his team discovered that besides the usual port 80 communications, a system compromised by the Necurs malware was communicating with a set of IPs through a different port using a different protocol.
The researchers reverse-engineered the malware and discovered what appeared to be a simple SOCKS/HTTP proxy module for communications between the bot and the command-and-control server.
“As we looked at the commands the bot would accept from the C2, we realized that there was an additional command, that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDoS attack,” continues the analysis published by Pereira.
The researchers have no proof that the threat actors in the wild have used the Necurs botnet in DDoS attacks.
“Please notice that we have not seen Necurs being used for DDOS attacks, we simply saw that it has that capability in one of the modules that it has been loading.” reads Pereira.
The bots were used by operators as proxies (HTTP, SOCKSv4 and SOCKSv5 protocols) relaying connections through them in “direct proxy” and “proxy backconnect” modes.
“As a response to the beacon, there are also three types of messages (or commands) sent by the C2 to the bot, that can be distinguished by the msgtype byte in the header:”
The researcher highlighted that a malicious architecture having the size of the Necurs botnet could be very dangerous because could generate a huge volume of traffic.
“The HTTP attack works by starting 16 threads that perform an endless loop of HTTP requests… The UDP flood attack works by repeatedly sending a random payload with size between 128 and 1024 bytes,” reads the report.
(Security Affairs – DDoS, Necurs botnet)