Botception: Botnet distributes script with bot capabilities

Jan Sirmer & Adolf Středa, Avast Software s.r.o.

Monitoring botnets is a crucial component of cybersecurity, but it's not every day that we see a botnet spreading scripts with bot capabilities. At the end of April 2018, while monitoring one of the branches of the Necurs botnet, we observed new scripts being distributed by the botnet.

In our presentation we will dive into the results of our analysis of scripts with bot capabilities, spread by a botnet. The analyzed scripts were spread by the Necurs botnet through spam emails, and while the initial infection chain was rather short, the multiple stages thereafter included capabilities to make it a fully fledged botnet.

The distribution of these scripts is an interesting departure from the standard behavior of the Necurs botnet, and we will therefore share information about the Necurs branch we are monitoring, the changes it underwent in a year, and a detailed analysis of the script bot itself. As the code involved in the infection chain was not heavily obfuscated, the analysis will be interlaced with code examples.

Our analysis provides detailed information about the function and behavior of the scripts, the origin of the information and a comparison of the scripts' versions over time. After we explore the scripts' whereabouts, we will again dive more deeply into the Ammyy-like malware infection chain.

Jan Sirmer

Jan is a Malware Analysis Team Lead at Avast Software. His main specialization is analyzing malicious Java threats, Android applications and exploits, macro viruses, web-based malware and other non-executable malware.

Adolf Středa

Adolf Středa is a Reverse Engineer at Avast Software. He specializes in botnet communication analysis and information extraction. He also currently studies cryptography at the Faculty of Mathematics and Physics, Charles University.
