Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

// // //

Necurs Malware Wants a Selfie With Your Desktop

Necurs has returned and this time it's carrying a payload that takes a picture of your desktop.

It's time to check your spam-blockers again because Necurs is back in town. This time it's bringing a new ransomware payload and a way to check on your defenses.

Necurs is one of the more notorious botnets out there, but it's been relatively quiet for several months. Now, though, it's back with a vengeance and it has some new arrows in its quiver of bad news. The first arrow is a downloader that takes screen-grabs of an infected desktop to see whether anti-malware efforts are underway.

Researchers from Symantec note that this intelligence-gathering effort is notable because it goes against the trend of most malware-delivery systems. In most cases, the delivery software plants a malicious payload on the receiving system then disappers as quickly as possible. Stealth is the operating model. In this case, though, the attackers have decided it's worth the risk of being discovered to gain intelligence on what victims might be doing to try to rid themselves of the problem.

The problem can be severe in this case, since the most common payload in the new wave of attacks is ransomware called Locky or an additional malware downloader called Trickybot.

In almost all cases, Necurs is coming copmliments of an attached file with instructions like "Print Me" or "Invoice Attached." Up-to-date malware detection systems should recognize the malware, so it's important for companies to keep systems updated and remind employees that opening attachments that are unexpected or from unknown senders is almost never a good idea.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-37041
PUBLISHED: 2022-08-12
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The value of the X-Forwarded-Host header overwrites the value of the Host header in proxied requests. The value of X-Forwarded-Host header is not checked against the whitelist of ho...
CVE-2022-37042
PUBLISHED: 2022-08-12
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execu...
CVE-2022-37043
PUBLISHED: 2022-08-12
An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to b...
CVE-2022-37044
PUBLISHED: 2022-08-12
In Zimbra Collaboration Suite (ZCS) 8.8.15, the URL at /h/search?action accepts parameters called extra, title, and onload that are partially sanitised and lead to reflected XSS that allows executing arbitrary JavaScript on the victim's machine.
CVE-2022-37423
PUBLISHED: 2022-08-12
Neo4j APOC (Awesome Procedures on Cypher) before 4.3.0.7 and 4.x before 4.4.0.8 allows Directory Traversal to sibling directories via apoc.log.stream.