{
	"id": "84a00937-999e-4665-91c3-7de3f61c625e",
	"created_at": "2026-04-06T00:12:22.980547Z",
	"updated_at": "2026-04-10T03:28:35.448297Z",
	"deleted_at": null,
	"sha1_hash": "3fb915d7779742ff4eea68e0e9a934cdbadcbaaa",
	"title": "Necurs Evades Detection via Internet Shortcut File",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61695,
	"plain_text": "Necurs Evades Detection via Internet Shortcut File\r\nBy: Miguel Carlo Ang Apr 26, 2018 Read time: 3 min (942 words)\r\nPublished: 2018-04-26 · Archived: 2026-04-05 13:20:11 UTC\r\nNecurs, a botnet malware that’s been around since 2012, has been improved with the hopes of better defeating\r\ncybersecurity measures — it was seen to evolve its second layer of infection using a .URL file (with remote script\r\ndownloaders detected by Trend Micro as MAL_CERBER-JS03D, MAL_NEMUCOD-JS21B,\r\nVBS_SCARAB.SMJS02, and MAL_SCARAB-VBS30).\r\nNecurs, a modular malware with variants that are capable of spam distribution, information theft, and disabling\r\nsecurity services and elements, has been around since 2012, propagating in the wild via the Necurs botnet. In\r\n2017, it pushed Locky — a ransomware family with one variant that was notable for being distributed via 23\r\nmillion emails in just 24 hours — via a URL-only spam email campaign.\r\nLast year, we also saw how Necurs pushed double-zipped attachments that contained JavaScript, Visual\r\nBasic scripts, or macro files capable of downloading its final payload. In an attempt to evade spam\r\ndetection through its attachments, Necurs used archives that included .ZIP files to disguise the script downloader,\r\nwhich was later enclosed in another .ZIP to hide itself.\r\nThe Necurs Transformation: The .URL File Layer\r\nNecurs is constantly evolving to find other effective measures of tricking victims while defeating\r\ncountermeasures waged against it. And since it has a highly effective botnet component that may also be sold as a\r\nservice, malicious actors will continue to find ways to circumvent detection and improve how they trick the\r\nweakest link in cybersecurity — the user. 
As security vendors are wise to Necurs’s traditional infection chain (a\r\nscript, a macro, or archives containing certain file formats), the malware has started using an internet shortcut or\r\n.URL file to bypass detection.\r\nFigure 1. A diagram of a previous version of the Necurs malware\r\nFigure 2. A diagram of the evolved Necurs malware\r\nInternet shortcuts, or .URL files, take the form of clickable icons and are objects used to access internet sites or web\r\ndocuments faster. Internet shortcuts have contents in the INI file format, which allows the icon to be changed.\r\nNecurs uses this to its advantage by setting a folder icon to trick the victim into thinking that\r\nit’s a different file type, as it is less suspicious than clicking on a script. The .URL then accesses the remote\r\nresource, which downloads another downloader. The second downloader remotely executes the payload.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/\r\nPage 1 of 3\n\nFigure 3. A .URL file disguised as a .ZIP file of a voicemail message\r\nNotice that aside from the icons disguised as folders, the filenames were also crafted to resemble typical folder\r\nnames such as IMG-20180404-9AC4DD, SCN-20180404-268CC1, and PIC-20180404-ADEEEE shown in Figure\r\n2, to name a few.\r\nFigure 4. A screen capture of an internet shortcut’s extracted files\r\nFurthermore, the actual attachment archive does not contain the script downloader Necurs uses to download its\r\npayload. The .URL file accesses the remote server, and the script then executes through the Server Message Block (SMB)\r\nprotocol — a tactic that may succeed in evading certain spam filters.\r\nFigure 5. A screen capture of a remote file being accessed through the SMB protocol\r\nThe malware doesn’t stop at disguising .URL files. 
The latest Necurs variant no longer has the actual script\r\ndownloader in its attachment. It only contains the internet shortcut to the remote site that hosts the script, which is\r\nthen executed remotely. This means that it does not “download” the actual script to the victim’s machine. This is\r\nthe closest it gets to its previous malicious spam runs: attaching a URL in the email and tricking a victim into\r\nclicking on the link to download a malicious file.\r\nFigure 6. A look at Necurs’s attachment\r\nInterestingly, Necurs does not infect computers using Russian as a language.\r\nFurther Evolution: Using QUANTLOADER\r\nPreviously, Necurs’s JavaScript downloader downloaded the final payload. But in its latest iteration, the remote\r\nscript downloads QUANTLOADER (detected by Trend Micro as TROJ_QUANT) – a different downloader –\r\nwhich then downloads the final payload. This is another layer added to Necurs’s infection chain. The use of\r\nQUANTLOADER may be twofold: First, it adds another download stage before the final payload,\r\npossibly to mix things up and evade behavioral detections. 
Second, QUANTLOADER is persistent in nature —\r\nit drops a copy of itself and creates an autorun registry entry so that it executes at startup.\r\nIndicators of Compromise\r\nSHA-256s Detection Names\r\n03c770882e87585fea0272a8e6a7b7e37085e193475884b1316e14fb193e992d TROJ_QUANT.K\r\nb0c173e0fc28e0f1bc8debfe49de01f306d372a0516d88201b87e441f3de303e TROJ_QUANT.J\r\nb87e0dd9b0e032c6d2d5f0bf46f00243a2a866bf1d3d22f8b72737b4aa1148eb TROJ_QUANT.L\r\n00ca7e9e61a3ceaa4b9250866aface8af63e5ae71435d4fd6c770a8c9a167f22 TROJ_QUANT.K\r\nTrend Micro Solutions\r\nTo protect against Necurs and other continuously evolving spammed threats, businesses can take advantage of\r\nTrend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious\r\nfiles and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep\r\nDiscovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments\r\nand URLs. Deep Discovery is able to detect the remote script despite it not being downloaded to the physical\r\nendpoint.\r\nTrend Micro™ Email Security is a no-maintenance cloud solution that delivers continuously updated\r\nprotection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach\r\nthe network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and\r\non-premises email solutions. 
The spam mail used by this threat is detected on arrival by Trend Micro™ Email\r\nReputation Services™, while our spam engine can detect Necurs’s technique: an archive containing an internet\r\nshortcut.\r\nTrend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other\r\ndetection technologies and global threat intelligence for comprehensive protection against advanced malware.\r\nA list of all the hashes (SHA-256) is in this appendix.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/"
	],
	"report_names": [
		"necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file"
	],
	"threat_actors": [
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775791715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fb915d7779742ff4eea68e0e9a934cdbadcbaaa.pdf",
		"text": "https://archive.orkl.eu/3fb915d7779742ff4eea68e0e9a934cdbadcbaaa.txt",
		"img": "https://archive.orkl.eu/3fb915d7779742ff4eea68e0e9a934cdbadcbaaa.jpg"
	}
}