Old botnet learning new tricks, like taking desktop screenshots

Researchers are warning that the group behind Necurs, one of the most venerable malware spamming operations, has added functions to its toolkit to gain new insight into its victims.

Necurs is a botnet, a vast network of hacked computers used in this case to email malware to new victims. The malware includes TrickBot, which is designed to steal banking credentials, and Locky, a form of ransomware.

{mosads}

Researchers at Symantec announced Tuesday that in addition to its recent updates to Locky and TrickBot, the Necurs group added some updates to the program used to download Locky and TrickBot onto new systems.

Downloaders usually try to fly under the radar and operate as quickly and covertly as possible. The new updates add a screenshot function and error reporting to the mix. 

“When you consider the screen grab functionality together with the new error-reporting capability, it suggests that the Necurs attackers are actively trying to gather operational intelligence about the performance of their campaigns,” Symantec wrote in a blog post.

“After all, you can’t count on the victims to report back errors and issues!” Symantec added later.