{
	"id": "4d841051-f8bd-4579-a61a-2dfb3326510c",
	"created_at": "2026-04-06T00:13:03.054938Z",
	"updated_at": "2026-04-10T03:37:08.733073Z",
	"deleted_at": null,
	"sha1_hash": "90026d85b3ee84d938ff90f505b1b937d2404588",
	"title": "New Noteworthy Changes to Necurs’ Behaviors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79222,
	"plain_text": "New Noteworthy Changes to Necurs’ Behaviors\r\nBy Anita Hsieh, Rubio Wu, Kawabata Kohei, Fyodor Yarochkin\r\nPublished: 2018-06-28 · Archived: 2026-04-05 21:39:48 UTC\r\nSix years after it was first spotted in the wild, the Necurs malware botnet is still proving to be a malware chameleon. We recently discovered noteworthy changes to the way Necurs uses its bots, such as pushing infostealers to them and showing a special interest in bots with specific characteristics. These behavioral changes could have a large impact, as Necurs has been used in large-scale cybercriminal deployments in the past.\r\nAs a modular malware, Necurs can run any module on its network of bots. In 2017, we saw Necurs pushing spamming and proxy modules to its bots. This year, however, Necurs’ spam volume has dropped notably compared to its campaigns in the last quarter of 2017. Instead, we see Necurs pushing cryptocurrency miners and infostealers (the FlawedAmmyy RAT, AZORult, and a .NET module) to its bots as modules.\r\nNecurs pushes XMRig to its bots to mine Monero\r\nIn March, we saw Necurs pushing a Monero miner, XMRig, to its bots. When we checked, the wallet owner was earning around US$1,200 in 24 hours.\r\nFigure 1. A screen capture showing the wallet owner's earnings from mining Monero with XMRig. The user in the configuration of this XMRig module is “47CCqA1ERkT6jUT8yhgJj7dkdHXhBw86xiKsCdZ6auDmCC3mAQLpBxP2nhpGuHA27tToNeZM98TzFKe6vjCajdHdCz67iRB.worker”.\r\nIn April, we observed that it pushed the remote access trojan FlawedAmmyy to its bots. FlawedAmmyy is a trojanized version of the legitimate remote access tool Ammyy Admin. 
FlawedAmmyy retains Ammyy Admin’s functionality, including remote desktop control, file system management, proxy support, and audio chat. Necurs pushes different modules via C&C commands. These modules check whether a bot meets any of the following criteria:\r\n1. Bots with cryptocurrency wallets.[1] The modules check whether the machine has files under “%APPDATA%” that match any of the following strings:\r\nWALLET.DAT\r\nBITCOIN-QT\r\nELECTRUM\r\nCOINBASE\r\nMULTIBITHD\r\nWALLET.AES\r\nLITECOIN\r\nMONERO\r\nBITCOINCORE\r\n2. Bots in, or able to reach, bank-related domains.[2] The modules run commands such as “net view” and “net user” and check the output for the following strings:\r\nBANQ\r\nBANK\r\nBANC\r\nSWIFT\r\nBITCOIN\r\nWESTERNUNION\r\nMONEYGRAM\r\nCARD\r\n3. Bots on a network with more than 100 employees or users.[3] The modules run “net user” and “net domain” to see whether the machine is joined to a network with more than 100 users.\r\n4. Bots running POS-related processes.[4]\r\n5. Bots logged in with an email address on a hardcoded list.[5] The modules, which contain several hardcoded lists, check whether any email account associated with the machine is on a list. 
We detail this part in the section “Necurs pushes modules for email extraction” below.\r\nIf a bot meets the criteria, the module installs the FlawedAmmyy RAT on it. Once the session initializes, the FlawedAmmyy RAT on the infected bot collects and sends back the following information:\r\nid\r\nos\r\npriv (privilege)\r\ncred (DOMAIN\\username)\r\npcname (computer name)\r\navname (antivirus name)\r\nbuild_time (malware build time)\r\ncard (whether a smart card is connected)\r\nFigure 2. The information sent back by the FlawedAmmyy RAT.\r\nNecurs pushes modules for email extraction\r\nIn late May, we saw Necurs modules that extracted email accounts and sent them to hxxp://185[.]176[.]221[.]24/l/s[.]php. When a user installs Outlook and logs in, Outlook creates the directory “%APPDATA%\\Microsoft\\Outlook\\” (that is, AppData\\Roaming\\Microsoft\\Outlook under the user profile) and stores per-account files there whose names contain the account’s email address (Figure 3). The module searches for file names containing an email string and sends those strings back.\r\nFigure 3. Example: the directory storing per-account files with a string in email format as part of the filename.\r\nJust a few days later, we saw four new modules that also dropped the FlawedAmmyy RAT but with a distinct feature: they contained hardcoded email lists. The four modules extracted the bot’s email addresses in the same way as the earlier module, checked whether any of them appeared on a list, and if so dropped the FlawedAmmyy RAT.\r\nAfter examining the hardcoded email lists, we believe the threat actors used keyword matching to pick out email addresses of interest.\r\nFigure 4. A list of email addresses that feature notable similarities. 
Aside from bank-related email addresses, some of the addresses on the list appear to belong to government institutions.\r\nAfter further analysis, we extracted the keywords used in the email address lists. Based on these keywords, the threat actors appear to be interested in governments, financial institutions, the tourism and food industries, and real estate companies.\r\nFigure 5. Keywords extracted from the email address lists in the four Necurs modules.\r\nA possible change in spamming tactics\r\nAnother notable development is a possible change in Necurs’ spamming tactics.\r\nOn June 11, 2018, we saw Necurs push a .NET spamming module capable of sending emails and stealing credentials from Internet Explorer, Chrome, and Firefox. Parts of this .NET spamming module overlap with an open-source remote access tool.\r\nFigure 6. The Firefox StealerModule in the .NET spamming module (left) overlaps with QuasarRAT (right).\r\nWhen Necurs drops the .NET spamming module onto its bots, it also supplies the arguments with which the bots should execute the binary. The following is a screen capture of the command we received from Necurs’ C&Cs:\r\nFigure 7. A .NET module command screen capture.\r\nThe .NET spamming module (SHA1: c25fcdf464202ef4226d085b8e495f4e5064125e) performs different actions according to the arguments given (“args” in Figure 7). 
The following are some of the arguments it accepts:\r\n“-sendcorp”: send the emails via the victim’s Outlook\r\n“-sendprivate”: send the emails via the victim’s Gmail and Yahoo accounts\r\n“-subject”: the subject of the email\r\n“-attach”: the attachment for the email, base64-encoded\r\n“-name”: the “FROM” address for the email\r\n“-body”: the body of the email, base64-encoded\r\n“-demo”: send a copy to the given email address\r\nThe mail sent with the arguments in Figure 7 looks as follows:\r\nFigure 8. The email sent by the .NET spamming module with the arguments in Figure 7.\r\nThe .NET module has several noteworthy features: it can send spam using the email accounts already logged in on a victim’s machine, and it can access the victim’s contact list stored in email clients, as well as the addresses the victim has previously corresponded with. Victims are unlikely to notice spam being sent from their own addresses, because the .NET module deletes the last email sent from the victim’s account and suppresses all alerts.\r\nIn the past, Necurs sent spam directly from its bots, so blacklisting bot IPs was enough to block it. If the spam is instead sent through legitimate email clients from whitelisted IPs, IP blocking no longer works reliably. Moreover, the spam comes from email accounts the recipients already recognize. The technique itself is not new; malware campaigns such as EMOTET and Ursnif/Dreambot have already adopted this kind of spamming. For Necurs, however, it is a new technique.\r\nGiven the “demo” argument, we believe this module is a test run for possible future campaigns and a way for the malware author to demonstrate the .NET module’s capabilities to prospective customers.
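The criteria checks above (criteria 2 and 3, which run “net view” and “net user” on the bot) and the .NET module’s argument set can be turned into host-side detection and triage logic. The Python below is an added example written for this page; it is not code from the original post or from Trend Micro. It assumes Sysmon-style process-creation records of a constructed shape (timestamp, host, parent PID, image, command line), assumes the module’s arguments are “-flag value” pairs with shell-style quoting (the post does not document the exact syntax), and, because “net domain” is not a standard net.exe subcommand, treats “net user /domain” as the likely form of that command. The sample events are constructed for the example and go slightly beyond the post by combining the reconnaissance burst and the spam-module invocation on one host.

```python
import base64
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# net.exe subcommands the report ties to the criteria checks ('net view', 'net user',
# 'net domain'). 'net domain' is not a standard net.exe subcommand; ASSUMPTION: the
# module runs 'net user /domain', which is tagged 'domain' below.
NET_RECON = {'view', 'user', 'domain', 'group'}
SEND_FLAGS = ('-sendcorp', '-sendprivate')   # send via Outlook / via Gmail and Yahoo
B64_FLAGS = ('-body', '-attach')             # values the report says are base64-encoded

# CONSTRUCTED sample telemetry for this example (not from the report): Sysmon-style
# process-creation records as (timestamp, host, parent pid, image, command line).
SAMPLE_EVENTS = [
    ('2018-06-11T09:00:01', 'ws01', 412, 'net.exe', 'net view'),
    ('2018-06-11T09:00:02', 'ws01', 412, 'net.exe', 'net user'),
    ('2018-06-11T09:00:03', 'ws01', 412, 'net.exe', 'net user /domain'),
    ('2018-06-11T09:01:10', 'ws01', 412, 'module.exe',
     'module.exe -sendcorp -subject Invoice -name billing@example.test '
     '-body SGVsbG8gd29ybGQ= -attach UEsDBA== -demo demo@example.test'),
    ('2018-06-11T10:30:00', 'ws02', 900, 'net.exe', 'net user'),       # one admin command
    ('2018-06-11T11:00:00', 'ws03', 77, 'net.exe', 'net view'),
    ('2018-06-11T11:45:00', 'ws03', 77, 'net.exe', 'net user'),        # too far apart
]


def net_subcommand(cmdline):
    '''Return the net.exe reconnaissance subcommand in a command line, or None.'''
    toks = cmdline.lower().split()
    if len(toks) < 2:
        return None
    exe = toks[0].replace(chr(92), '/').split('/')[-1]   # chr(92) is a backslash
    if exe not in ('net', 'net.exe', 'net1', 'net1.exe'):
        return None
    if toks[1] == 'user' and '/domain' in toks[2:]:
        return 'domain'
    return toks[1] if toks[1] in NET_RECON else None


def find_recon_bursts(events, window_seconds=120, min_distinct=2):
    '''Flag (host, parent pid) pairs that issued min_distinct different net.exe
    reconnaissance subcommands within window_seconds, which is the shape of the
    criteria checks the report describes. Returns sorted (host, ppid, subcommands).'''
    by_parent = defaultdict(list)
    for ts, host, ppid, _image, cmdline in events:
        sub = net_subcommand(cmdline)
        if sub:
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), sub))
    hits = []
    for (host, ppid), seen in by_parent.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            window = {s for t, s in seen[i:] if t - start <= timedelta(seconds=window_seconds)}
            if len(window) >= min_distinct:
                hits.append((host, ppid, sorted(window)))
                break
    return sorted(hits)


def parse_spam_args(cmdline):
    '''Parse the argument set the report lists for the .NET spamming module.
    ASSUMPTION: '-flag value' pairs with shell-style quoting; the report does not
    document the exact syntax. Returns None when no send flag is present.'''
    toks = shlex.split(cmdline)
    modes = [t for t in toks if t in SEND_FLAGS]
    if not modes:
        return None
    parsed = {'mode': modes}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith('-') and tok not in SEND_FLAGS and i + 1 < len(toks):
            value = toks[i + 1]
            if tok in B64_FLAGS:
                try:
                    value = base64.b64decode(value, validate=True)
                except ValueError:      # binascii.Error is a ValueError subclass
                    value = None        # malformed value: keep the flag, drop the payload
                if tok == '-body' and value is not None:
                    value = value.decode('utf-8', 'replace')
            parsed[tok[1:]] = value
            i += 2
        else:
            i += 1
    return parsed


def find_spam_invocations(events):
    '''Return (host, image, parsed args) for every process whose command line
    carries the .NET module send flags.'''
    hits = []
    for _ts, host, _ppid, image, cmdline in events:
        parsed = parse_spam_args(cmdline)
        if parsed:
            hits.append((host, image, parsed))
    return hits


if __name__ == '__main__':
    for hit in find_recon_bursts(SAMPLE_EVENTS):
        print('recon burst:', hit)
    for host, image, args in find_spam_invocations(SAMPLE_EVENTS):
        print('spam module on', host, 'via', image, '->', args)
```

On the sample data the burst detector reports only ws01 (three distinct net.exe subcommands under one parent within two minutes), while the lone administrative “net user” on ws02 and the two commands 45 minutes apart on ws03 stay quiet; in production the window and threshold should be tuned against the baseline of legitimate net.exe use, and the parent image (a script host or unknown binary rather than an admin console) added as a second discriminator. The argument parser decodes the base64 body and attachment so that triage can see the lure text and the attachment type (here a ZIP header) without running the module.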
\r\nDefending against Necurs malware\r\nTo defend against Necurs and other continuously evolving spammed threats, businesses can take advantage of Trend Micro™ endpoint solutions such as Smart Protection Suites and Worry-Free™ Business Security. Both solutions protect users and businesses by detecting malicious files and spammed messages and by blocking all related malicious URLs. Trend Micro™ Deep Discovery™ has an email inspection layer that protects enterprises by detecting malicious attachments and URLs. Deep Discovery can detect the remote script even when it is never downloaded to the physical endpoint.\r\nTrend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.\r\nTrend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware. A list of all the hashes (SHA256) is provided in a separate list linked from the original post.\r\n[1] List of strings gathered as of April 11, 2018. [2] First detected on April 11, 2018. [3] First detected on April 18, 2018. [4] First detected on April 26, 2018. 
[5] First detected on June 1, 2018.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors"
	],
	"report_names": [
		"the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90026d85b3ee84d938ff90f505b1b937d2404588.pdf",
		"text": "https://archive.orkl.eu/90026d85b3ee84d938ff90f505b1b937d2404588.txt",
		"img": "https://archive.orkl.eu/90026d85b3ee84d938ff90f505b1b937d2404588.jpg"
	}
}