Necurs botnet found delivering the FlawedAmmy RAT to global financial institutions

• The Necurs campaign targeted bank employees with emails that appear to come from an Indian sender.
• The threat actors also impersonated the South African Capitec Bank to send spam emails.

A new attack campaign relying on Necurs botnet, target the banking industry, has been discovered. The botnet was found using one of the Microsoft's lesser-known publication application named Microsoft Publisher (.pub) file attachments to deliver the FlawedAmmy remote access trojan - a data-stealing malware - at thousands of banks around the world.

The phishing campaign was first observed by researchers on August 15, 2018, and so far it has infected over 3,701 bank domains, security researchers at Cofense discovered.

"The banks range from small regional banks all the way up to the largest financial institutions in the world," stated the researchers in a blog post.

Necurs campaign

The Necurs campaign targeted bank employees with emails that appear to come from an Indian sender with a subject line that reads:"Request BOI" or "Payment Advice <random alpha numeric>”.

“The other eyebrow-raising moment is when it was observed that all of the recipients worked for banks. There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically” Cofense researchers noted.

The spam emails contain a malicious macro embedded within a .pub extension. When executed, the macro gets enabled, thus allowing attackers to carry out their malicious activities.

Cofense researchers noted that a similar kind of attack campaign was conducted on August 21. In this particular campaign, the threat actors impersonated the South African Capitec Bank to send spam emails. The attackers used PDF files instead of .pub files to trick bank employees into clicking on malicious links.

“It appears that they may have found some success with PUB files as they have switched from including IQY files in PDF’s as seen in a campaign from Aug 10th. That particular campaign did not have the banking focus that we are seeing today and may have been a test run to validate the efficacy of utilizing the PDF dropper” said the researchers.

While the researchers continue to monitor for further development of Necurs botnet’s activities, they suggest that users be vigilant in identifying suspicious emails.

“It appears the Necurs botnet has its sights set on the banking industry now after some initial testing done earlier this month. While the methods used are not entirely unique, the constant development and fine-tuning of their attacks show a concerted effort to reach the end goal of compromising banks. End users across all institutions, especially financial, must remain vigilant in identifying suspicious emails and reporting them to their security teams for further analysis and attack disruption” the researchers added.