UPDATED 23:31 EDT / OCTOBER 18 2017


Necurs botnet malware now grabs screenshots and data from infected PCs

New versions of the malware spread by the Necurs botnet have been found to carry a disturbing new twist: in addition to installing the usual payloads, the software now takes screenshots and gathers data from infected personal computers and sends it back to a command-and-control server.

Spotted by researchers at Symantec Corp., the Necurs botnet, which is believed to include an army of 5 million infected devices, has been found spreading copies of known malware types, including the Locky ransomware and Trickybot trojan bundled with a new downloader that can “gather telemetry from victims.”

“It can take screen grabs and send them back to a remote server,” the researchers said in a post Tuesday. “There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.”

The malware, spread via email campaigns, uses social engineering to target users with fake invoices. Once the malicious attachment is clicked on, a JavaScript file is downloaded through an embedded iframe, which then downloads either Locky or Trickybot along with the telemetry-gathering feature.

Why those behind the spread of these forms of malware would want this data is where the story gets interesting. The researchers suggest that the attackers are actively trying to gather operational intelligence about the performance of their campaigns. “Much like crash reports in OSes can help software companies fix issues and build better products, these error reports can help attackers spot problems in the field and address them to improve success rates,” they note.

Explaining what the new methodology means for enterprise users, Anoop Bhattacharjya, chief scientist at cloud security firm Bitglass Inc., told SiliconANGLE that the “malicious data collection by the Necurs botnet will accelerate the evolution of attack sophistication.” Given that implication, Bhattacharjya said, organizations should use machine learning, improved email filtering, malicious URL detection and thorough employee training.

Balbix Inc. founder and Chief Executive Officer Gaurav Banga noted that the new campaign “illustrates how cybersecurity has become a sophisticated, no-rules ‘marketplace’ for the adversary.” Concurring with Bhattacharjya, he added that “for cyberdefenders, this highlights the need to observe and analyze information and data about their users, assets and applications, better and faster than the adversary.”

Photo: christiaancolen/Flickr
