Old botnet learning new tricks, like taking desktop screenshots
The group behind Necurs, one of the most venerable malware spamming operations, has added functions to its toolkit to gain new insight into its victims, according to a report released Tuesday.
Necurs is a botnet, a vast network of hacked computers used in this case to bulk email malware to new victims. The malware includes TrickBot, which is designed to steal banking credentials, and Locky, a form of ransomware.
Researchers at Symantec announced Tuesday that in addition to its recent updates to Locky and TrickBot, the Necurs group added some curious updates to the program used to download Locky and TrickBot onto new systems.
Downloaders usually try to fly under the radar and operate as quickly and covertly as possible. The new updates add a screenshot function and error reporting to the mix.
"When consider the screen grab functionality together with the new error-reporting capability, it suggests that the Necurs attackers are actively trying to gather operational intelligence (OPINTEL) about the performance of their campaigns," Symantec wrote in a blog post.
"After all, can’t count on the victims to report back errors and issues!" Symantec added later.
