CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Necurs Campaign Targets Banks

A recently observed spam campaign powered by the infamous

A recently observed spam campaign powered by the infamous Necurs botnet has been specifically targeting banks with the FlawedAmmyy RAT, security researchers warn.

First observed in 2012, the Necurs botnet is best known for the massive Locky ransomware campaigns that it powered in 2016 and 2017. Considered the largest spam botnet in the world, Necurs was sending tens of millions of emails daily at the end of last year.

The botnet has managed to remain active by employing multiple Domain Generation Algorithms (DGA’s) and a peer-to-peer communication protocol, along with .bit domain names, Cofense’s researchers report. Over the past weeks, it has also shown an increase in activity, the security firm notes.

Last week, Necurs started sending spam emails that appeared highly targeted at the banking industry, and Cofense says that over 3,700 bank domains were targeted as recipients.

“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically. […] The banks range from small regional banks all the way up to the largest financial institutions in the world,” the security firm reveals.

The main purpose of the attack was to infect recipients with the FlawedAmmyy remote access Trojan (RAT), a payload that Necurs has been delivering a few months ago.

Supposedly based on Ammyy Admin RAT’s leaked code, FlawedAmmyy can provide attackers with full control over the compromised systems. The malware can be leveraged to execute commands on the infected machine, enable remote desktop sessions, l
aunch a file manager, view screen, and more.

The highly targeted campaign revealed yet another step in the constant evolution of Necurs: the use of .pub attachments (Microsoft Office Publisher files) to bypass security protections.

Advertisement. Scroll to continue reading.

Similar to other Office applications, Microsoft Publisher supports macros, and the actor behind this campaign embedded a malicious macro in the .pub file delivered by the spam messages. The macro was designed to access a URL and execute a downloaded file.

A subset of the spam emails in this campaign, Cofense says, employed weaponized PDF files instead. These were identical to those observed in June to leverage .iqy files for malware delivery.

Compared to other attacks fueled by Necurs, this campaign was small, Trustwave points out. The security firm also confirms that all of the targeted addresses were domains belonging to banks, clearly indicating a “desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”

Related: Necurs Botnet to Erupt This Month?

Related: Necurs Botnet Fuels Massive Year-End Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights