UPDATED 23:31 EST / OCTOBER 18 2017

Necurs botnet malware now grabs screenshots and data from infected PCs

New versions of the malware spread by the Necurs botnet have been found to have a disturbing new twist: Along with delivering its traditional payloads, the software now takes screenshots and gathers data from infected personal computers and sends it back to a command-and-control server.

Spotted by researchers at Symantec Corp., the Necurs botnet, which is believed to include an army of 5 million infected devices, has been found spreading copies of known malware types, including the Locky ransomware and Trickybot trojan bundled with a new downloader that can “gather telemetry from victims.”

“It can take screen grabs and send them back to a remote server,” the researchers said in a post Tuesday. “There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.”

The malware, spread via email campaigns, uses social engineering to target users with fake invoices. Once the malicious attachment is opened, a JavaScript file is downloaded through an embedded iframe; that script then downloads either Locky or Trickybot along with the telemetry-gathering feature.
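The infection chain described above (a script file launched from an email attachment, a dropped payload, and screenshots posted back to a remote server) is visible in ordinary endpoint telemetry. The following is an added detection example written for this article, not code from Symantec, SiliconANGLE or the Necurs operators. It runs three rules over constructed, Sysmon-style process and network records: a script host spawned by a mail client or browser with a script-file argument; a non-browser process repeatedly POSTing image bodies to one remote host; and a correlation that links the uploading process back to a script-host ancestor. The log format, field names, process names, the 203.0.113.7 address and the thresholds are all assumptions chosen for the example, not indicators reported in the article.

```python
"""Detect the attachment -> script host -> payload -> screenshot-upload chain.

Added example (not from Symantec or SiliconANGLE). Sample records below are
constructed; the pipe-separated format and every host, path and address in
them are assumptions for this example only (203.0.113.0/24 is a documentation
range, not a real C2).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Record layout (assumed): ts|event|host|pid|ppid|image|parent_image|details
FIELDS = ("ts", "event", "host", "pid", "ppid", "image", "parent_image", "details")

SAMPLE_LOG = r"""
2017-10-17T09:01:02|proc|ws01|4120|1880|C:\Program Files\Microsoft Office\OUTLOOK.EXE||outlook
2017-10-17T09:03:11|proc|ws01|5204|4120|C:\Windows\System32\wscript.exe|C:\Program Files\Microsoft Office\OUTLOOK.EXE|wscript.exe "C:\Users\jo\AppData\Local\Temp\invoice_84213.js"
2017-10-17T09:03:12|net|ws01|5204||C:\Windows\System32\wscript.exe||GET http://203.0.113.7/doc.php
2017-10-17T09:03:40|proc|ws01|5388|5204|C:\Users\jo\AppData\Local\Temp\svchost.exe|C:\Windows\System32\wscript.exe|svchost.exe
2017-10-17T09:04:01|net|ws01|5388||C:\Users\jo\AppData\Local\Temp\svchost.exe||POST http://203.0.113.7/up.php content-type=image/png bytes=184320
2017-10-17T09:05:01|net|ws01|5388||C:\Users\jo\AppData\Local\Temp\svchost.exe||POST http://203.0.113.7/up.php content-type=image/png bytes=181004
2017-10-17T09:06:01|net|ws01|5388||C:\Users\jo\AppData\Local\Temp\svchost.exe||POST http://203.0.113.7/up.php content-type=image/png bytes=190112
2017-10-17T10:10:00|proc|ws02|3000|2900|C:\Program Files\Mozilla Firefox\firefox.exe||firefox
2017-10-17T10:10:30|net|ws02|3000||C:\Program Files\Mozilla Firefox\firefox.exe||POST https://example.org/upload content-type=image/png bytes=50000
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# explorer.exe covers a script extracted from a zip attachment and double-clicked;
# it is noisier than the mail-client and browser parents, so tune for your estate.
ATTACHMENT_PARENTS = BROWSERS | {"outlook.exe", "thunderbird.exe", "explorer.exe"}
SCRIPT_ARG = re.compile(r'\.(?:js|jse|vbs|vbe|wsf)"?(?:\s|$)', re.I)
IMAGE_POST = re.compile(r"POST https?://([^/\s]+)\S* content-type=image/", re.I)


def parse_log(text):
    """Turn the pipe-separated records into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = dict(zip(FIELDS, line.split("|", len(FIELDS) - 1)))
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return events


def base(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_droppers(events):
    """Rule 1: script host launched by a mail client/browser with a script-file argument."""
    return [(e["host"], e["pid"]) for e in events
            if e["event"] == "proc"
            and base(e["image"]) in SCRIPT_HOSTS
            and base(e["parent_image"]) in ATTACHMENT_PARENTS
            and SCRIPT_ARG.search(e["details"])]


def find_screenshot_beacons(events, min_posts=3, window=timedelta(minutes=10)):
    """Rule 2: non-browser process POSTing image bodies to one host repeatedly.

    Returns (host, pid, remote_host) keys with at least `min_posts` image
    uploads inside any `window`-long span; browsers are excluded because
    image uploads are normal for them.
    """
    posts = defaultdict(list)
    for e in events:
        if e["event"] != "net" or base(e["image"]) in BROWSERS:
            continue
        m = IMAGE_POST.match(e["details"])
        if m:
            posts[(e["host"], e["pid"], m.group(1))].append(e["ts"])
    hits = []
    for key, times in posts.items():
        times.sort()
        for i in range(len(times) - min_posts + 1):
            if times[i + min_posts - 1] - times[i] <= window:
                hits.append(key)
                break
    return hits


def descends_from_script_host(events, host, pid):
    """Walk the parent chain on `host`; True if the process or an ancestor is a script host."""
    tree = {(e["host"], e["pid"]): (e["ppid"], base(e["image"]))
            for e in events if e["event"] == "proc"}
    seen, cur = set(), pid
    while (host, cur) in tree and cur not in seen:
        seen.add(cur)
        ppid, image = tree[(host, cur)]
        if image in SCRIPT_HOSTS:
            return True
        cur = ppid
    return False


def correlate(events):
    """Rule 3: beaconing processes whose ancestry includes a script host (the chain in the article)."""
    return [key for key in find_screenshot_beacons(events)
            if descends_from_script_host(events, key[0], key[1])]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("script droppers:", find_script_droppers(evs))
    print("image beacons:  ", find_screenshot_beacons(evs))
    print("correlated:     ", correlate(evs))
```

Rule 1 fires on the attachment stage and rule 2 on the exfiltration stage; on its own each has benign matches (admin scripts, legitimate upload tools), which is why rule 3 requires both stages in one process lineage before raising the high-confidence alert. The error-reporting traffic the researchers describe would not carry an image content type, so a second network rule keyed on small, regular POSTs from the same lineage is the natural extension.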

Why those behind the spread of these forms of malware would want this data is where the story gets interesting. The researchers suggest that the attackers are actively trying to gather operational intelligence about the performance of their campaigns. “Much like crash reports in OSes can help software companies fix issues and build better products, these error reports can help attackers spot problems in the field and address them to improve success rates,” they note.

Explaining what the new methodology means for enterprise users, Anoop Bhattacharjya, chief scientist at cloud security firm Bitglass Inc., told SiliconANGLE that the “malicious data collection by the Necurs botnet will accelerate the evolution of attack sophistication.” Given that implication, Bhattacharjya said, organizations should use machine learning, improved email filtering, malicious URL detection and thorough employee training.

Balbix Inc. founder and Chief Executive Officer Gaurav Banga noted that the new campaign “illustrates how cybersecurity has become a sophisticated, no-rules ‘marketplace’ for the adversary.” Concurring with Bhattacharjya, he added that “for cyberdefenders, this highlights the need to observe and analyze information and data about their users, assets and applications, better and faster than the adversary.”

Photo: christiaancolen/Flickr
