The security software company Symantec recently reported that a well-known malware virus known under the name of Necurs or the Necurs downloader. So far, this particular piece of malware and the botnet that it creates have been regarded as relatively insignificant, yet the new changes and improvements that Symantec reported could potentially boost the levels of danger that this malware represents as well as its ability to spread to a greater number of PC’s.
What is the Necurs downloader and the Necurs botnet?
Before we explain to you what the improvements made to this malware are, we must first take a moment to introduce you to the actual virus and what its main purposes are.
Necurs isn’t actually a virus that is supposed to directly harm your PC. Instead, it is a downloader type of virus which means that its main goal is to acquire boot persistence on the infected machine and to load other malware into the computer’s system. For instance, Necurs has oftentimes been reported to download the Locky Ransowmare on computers that have gotten infected by it.
The second main purpose of this malware is to gain telemetry data from the attacked PCs.
As far as the Necurs botnet is concerned, this is a network that consists of machines that have already been infected by the virus and that are now used to spread it to other users. Such malware behavior is reminiscent of some Trojan Horses, especially considering the ability of the virus to load other malware onto the targeted PC.
The improvements
Every software developer seeks to make their product better, more efficient and more effective. This also applies to malware creators as well. There are two main changes that the hackers behind Necurs have recently added to their virus program as reported by Symantec.
- The first main improvement is the addition of a screenshot function to Necurs . By adding a Powershell script to virus would now allow it to take a screenshot of the user’s screen and send it to the hacker’s server a few seconds later. The researchers at Symantec presume that the purpose of this feature is to provide the hackers behind the malware with more accurate information regarding the infected machine in order to determine of it represents a valuable environment for further infection with another virus. For instance, if the attacked PC is running a professional software for office use, then there’s high chance that the computer is connected to a network with other interconnected PCs which would all be vulnerable for further infection.
- The second addition to the Necurs downloader is an error-reporting utility. This function is supposed to detect errors and bugs coming from the malware and report them to the hacker. So far, though similar features have been seen on other malware viruses, this is presumably the first downloader type of malware to have an error-reporter. As for the purposes of this feature, it is actually pretty obvious why it must have been added. As we already mentioned, even malware developers want to improve their products and make them more effective and what better way to do that than having a built-in utility inside the program that would report any issues with it. After all, malware developers cannot count on user feedback, now can they?
Increasing activity
Symantec have also reported that throughout the past couple of months an increased activity by the Necurs virus has been detected. From June to October, the activity of this malware has increased four times! Currently, this virus seems to be predominantly used for the distribution of the Locky Ransomware and of a banking Trojan Horse known as TrickBot. In addition to that, as we already said above, Necurs also gathers telemetry data from infected PCs and sends the collected information to the hackers’ servers.