Necurs Malware Wants a Selfie With Your Desktop

It's time to check your spam-blockers again because Necurs is back in town. This time it's bringing a new ransomware payload and a way to check on your defenses.

Necurs is one of the more notorious botnets out there, but it's been relatively quiet for several months. Now, though, it's back with a vengeance and it has some new arrows in its quiver of bad news. The first arrow is a downloader that takes screen-grabs of an infected desktop to see whether anti-malware efforts are underway.

Researchers from Symantec note that this intelligence-gathering effort is notable because it goes against the trend of most malware-delivery systems. In most cases, the delivery software plants a malicious payload on the receiving system then disappers as quickly as possible. Stealth is the operating model. In this case, though, the attackers have decided it's worth the risk of being discovered to gain intelligence on what victims might be doing to try to rid themselves of the problem.

The problem can be severe in this case, since the most common payload in the new wave of attacks is ransomware called Locky or an additional malware downloader called Trickybot.

In almost all cases, Necurs is coming copmliments of an attached file with instructions like "Print Me" or "Invoice Attached." Up-to-date malware detection systems should recognize the malware, so it's important for companies to keep systems updated and remind employees that opening attachments that are unexpected or from unknown senders is almost never a good idea.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.