Necurs botnet in new phishing attack on banks

Short-lived campaign delivered the FlawedAmmyy remote access Trojan via .pub and PDF files

The Necurs botnet has been used to launch a campaign of targeted phishing emails aimed at breaching the cyber defences of a number of banks.

Security vendor Cofense said the short-lived phishing campaign began on August 15 and targeted more than 2,700 bank domains. However, after a few hours the attacks abruptly ceased.

Necurs is rootkit malware used to link infected machines together into a highly resilient botnet that can then be used to distribute malware or launch other types of attack.

Botnets created using Necurs have been around since 2012 and are responsible for a constant stream of spam emails. However, new campaigns pop up periodically, such as the one used in 2016 to distribute the Locky ransomware and the Dridex banking Trojan.

Last year Computing reported that the Necurs malware had been modified to harvest data from infected devices in a new operational twist.

In the latest short-lived attack, targeted phishing emails were sent to banking employees, most carrying a file with the .pub extension. This extension is used by Microsoft Publisher.

"Like Word and Excel, Publisher has the ability to embed macros. So just when you are feeling confident about a layered defence protecting you from malicious Word docs, Necurs adapts and throws you a curveball," Cofense said on its website.

However, not all of the emails carried .pub files. Some delivered malicious PDF files instead.

The malicious files carried macros which, when the file was opened, downloaded malware to the victim's machine from a remote server. This started a chain of stages that ultimately delivered the FlawedAmmyy remote access Trojan.
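For defenders, the practical lesson of this campaign is that a mail gateway cannot rely on blocking only Word and Excel macro documents. The following is an added example, not Cofense's tooling or anything from the campaign itself: a small attachment-triage routine that flags Publisher (.pub) attachments, checks that the file really is an OLE compound document, looks for the directory-entry names a VBA project leaves in such a container, and flags PDFs that carry script or auto-launch actions. The byte patterns are the standard OLE2 magic, the UTF-16LE storage names used by Office's VBA container, and PDF action keywords; the sample attachments are constructed inline and are not real malware.

```python
"""Attachment triage heuristics for .pub and PDF lures (added example).

Not a replacement for a full OLE/PDF parser; it is a gateway-style first pass
that would have caught both attachment types used in the campaign above.
"""
from typing import Dict, List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
PDF_MAGIC = b"%PDF-"

# Directory entry names inside an OLE file are stored as UTF-16LE strings.
# "_VBA_PROJECT" is the strongest indicator; "Macros" is the storage that
# holds the VBA project in Publisher/Word documents.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]

# PDF keywords that introduce script or automatic actions.
PDF_ACTIVE = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA"]

# Constructed sample attachments (not real files, only the bytes the checks need).
SAMPLE_PUB_MACRO = (OLE_MAGIC + b"\x00" * 504
                    + "Macros".encode("utf-16-le") + b"\x00" * 58
                    + "_VBA_PROJECT".encode("utf-16-le"))
SAMPLE_OLE_BENIGN = OLE_MAGIC + b"\x00" * 504 + "Root Entry".encode("utf-16-le")
SAMPLE_PDF_ACTIVE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                     b"2 0 obj\n<< /S /JavaScript /JS (app.alert('x');) >>\nendobj\n%%EOF")
SAMPLE_PDF_BENIGN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF"


def triage_attachment(name: str, data: bytes) -> List[str]:
    """Return a list of finding tags for one attachment (empty means nothing seen)."""
    findings: List[str] = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    is_ole = data.startswith(OLE_MAGIC)
    is_pdf = data.startswith(PDF_MAGIC)

    if ext == "pub":
        # Publisher files are rarely exchanged with external parties; flag on sight.
        findings.append("publisher-attachment")
        if not is_ole:
            # Extension says Publisher but the bytes are something else.
            findings.append("extension-magic-mismatch")

    if is_ole and any(marker in data for marker in VBA_MARKERS):
        findings.append("ole-vba-project")

    if is_pdf and any(keyword in data for keyword in PDF_ACTIVE):
        findings.append("pdf-active-content")

    return findings


def verdict(findings: List[str]) -> str:
    """Map findings to a gateway action. Any macro/active-content hit quarantines."""
    if any(f in ("ole-vba-project", "pdf-active-content", "extension-magic-mismatch")
           for f in findings):
        return "quarantine"
    if findings:
        return "hold-for-review"
    return "deliver"


def triage_message(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Triage every attachment in a message; returns {filename: verdict}."""
    return {name: verdict(triage_attachment(name, data))
            for name, data in attachments.items()}


if __name__ == "__main__":
    # Mimics the lure subjects reported above; file names are illustrative.
    sample_mail = {
        "Payment Advice.pub": SAMPLE_PUB_MACRO,
        "Request BOI.pdf": SAMPLE_PDF_ACTIVE,
        "quarterly.doc": SAMPLE_OLE_BENIGN,
        "brochure.pdf": SAMPLE_PDF_BENIGN,
    }
    for fname, action in triage_message(sample_mail).items():
        print(f"{action:16} {fname}")
```

The string matches are deliberately crude: a VBA project name can appear in a benign template, and PDFs use /OpenAction for harmless purposes too, so these tags should drive sandbox detonation or analyst review rather than a silent drop. The point is that the policy keys on the container and its contents, not on the file extension alone.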

"FlawedAmmyy is based on the leaked source code for Ammyy Admin," said Cofense. "This tool provides full remote control of the compromised host leading to file and credential theft as well as serving as a beachhead for any further lateral movement within the organisation."

The emails themselves were made to appear as if they were coming from an internal employee in India and had subject lines such as "Payment Advice" or "Request BOI".

It is not known why the campaign was so short-lived.

Earlier this week, in an attack that was presumably unrelated, ATM hackers stole $13.5m from India's Cosmos Bank through withdrawals in 28 countries. That attack has been blamed on North Korea, whereas the Necurs campaign has the hallmarks of organised crime, according to Cofense.