A recently observed spam campaign powered by the infamous Necurs botnet has been specifically targeting banks with the FlawedAmmyy RAT, security researchers warn.
First observed in 2012, the Necurs botnet is best known for the massive Locky ransomware campaigns that it powered in 2016 and 2017. Considered the largest spam botnet in the world, Necurs was sending tens of millions of emails daily at the end of last year.
The botnet has managed to remain active by employing multiple Domain Generation Algorithms (DGAs) and a peer-to-peer communication protocol, along with .bit domain names, Cofense’s researchers report. Over the past weeks, it has also shown an increase in activity, the security firm notes.
Last week, Necurs started sending spam emails that appeared highly targeted at the banking industry, and Cofense says that over 3,700 bank domains were targeted as recipients.
“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically. […] The banks range from small regional banks all the way up to the largest financial institutions in the world,” the security firm reveals.
The main purpose of the attack was to infect recipients with the FlawedAmmyy remote access Trojan (RAT), a payload that Necurs was already delivering a few months ago.
Supposedly based on Ammyy Admin RAT’s leaked code, FlawedAmmyy can provide attackers with full control over the compromised systems. The malware can be leveraged to execute commands on the infected machine, enable remote desktop sessions, launch a file manager, view the screen, and more.
The highly targeted campaign revealed yet another step in the constant evolution of Necurs: the use of .pub attachments (Microsoft Office Publisher files) to bypass security protections.
Similar to other Office applications, Microsoft Publisher supports macros, and the actor behind this campaign embedded a malicious macro in the .pub file delivered by the spam messages. The macro was designed to access a URL and execute a downloaded file.
A subset of the spam emails in this campaign, Cofense says, employed weaponized PDF files instead. These were identical to the PDFs observed in June, which leveraged .iqy files for malware delivery.
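As an added defender-side illustration (not code from the Cofense or Trustwave reports), the function below shows how a mail-gateway attachment check could hold the file types used in this campaign for review: Publisher (.pub) and Excel web-query (.iqy) attachments, and any OLE container that carries a VBA project. The sample attachment bytes are constructed; the `_VBA_PROJECT` stream name is the standard marker of an embedded VBA project in an OLE compound document.

```python
from dataclasses import dataclass

# Magic bytes of an OLE2 compound document, the container format used by
# .pub files (and by legacy .doc/.xls files).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Attachment types seen in this campaign: Publisher files carrying a macro,
# and the Excel web-query files used in the June wave.
RISKY_EXTENSIONS = {".pub", ".iqy"}

# OLE directory entries store stream names as UTF-16LE; every VBA project
# contains a stream named _VBA_PROJECT, so its presence is a cheap marker.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


@dataclass
class Finding:
    filename: str
    reasons: list  # empty list means nothing suspicious was found


def triage_attachment(filename: str, data: bytes) -> Finding:
    """Return the reasons an attachment should be held for analyst review."""
    reasons = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"extension {ext} is rarely exchanged legitimately")
    if data.startswith(OLE_MAGIC):
        if VBA_MARKER in data:
            reasons.append("OLE container contains a VBA project")
    elif ext == ".pub":
        # A .pub that is not an OLE document is hiding something else.
        reasons.append("extension/content mismatch: .pub is not an OLE document")
    if ext == ".iqy" and data.lstrip().startswith(b"WEB") and b"http" in data:
        reasons.append("web query file fetches a remote URL")
    return Finding(filename, reasons)


# Constructed samples: a .pub with a VBA project, a macro-free .pub, and a .iqy.
PUB_WITH_MACRO = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 16
PUB_CLEAN = OLE_MAGIC + b"\x00" * 96
IQY_SAMPLE = b"WEB\r\n1\r\nhttp://example.invalid/payload\r\n"

if __name__ == "__main__":
    for name, blob in [("statement.pub", PUB_WITH_MACRO),
                       ("invoice.pub", PUB_CLEAN), ("query.iqy", IQY_SAMPLE)]:
        print(triage_attachment(name, blob))
```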
Compared to other attacks fueled by Necurs, this campaign was small, Trustwave points out. The security firm also confirms that all of the targeted addresses were domains belonging to banks, clearly indicating a “desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”