
Email Security

Necurs Campaign Targets Banks


A recently observed spam campaign powered by the infamous Necurs botnet has been specifically targeting banks with the FlawedAmmyy RAT, security researchers warn.

First observed in 2012, the Necurs botnet is best known for the massive Locky ransomware campaigns that it powered in 2016 and 2017. Considered the largest spam botnet in the world, Necurs was sending tens of millions of emails daily at the end of last year.

The botnet has managed to remain active by employing multiple Domain Generation Algorithms (DGAs) and a peer-to-peer communication protocol, along with .bit (Namecoin) domain names, Cofense’s researchers report. Over the past weeks, it has also shown an increase in activity, the security firm notes.

Last week, Necurs started sending spam emails that appeared highly targeted at the banking industry, and Cofense says that over 3,700 bank domains were targeted as recipients.

“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically. […] The banks range from small regional banks all the way up to the largest financial institutions in the world,” the security firm reveals.

The main purpose of the attack was to infect recipients with the FlawedAmmyy remote access Trojan (RAT), a payload that Necurs had already been delivering a few months earlier.

Believed to be based on the leaked source code of the Ammyy Admin remote administration tool, FlawedAmmyy gives attackers full control over a compromised system. The malware can be used to execute commands on the infected machine, open remote desktop sessions, launch a file manager, capture the screen, and more.

The highly targeted campaign revealed yet another step in the constant evolution of Necurs: the use of .pub attachments (Microsoft Office Publisher files) to bypass security protections.

Like the other Office applications, Microsoft Publisher supports VBA macros, and the actor behind this campaign embedded a malicious macro in the .pub file delivered by the spam messages. The macro was written to fetch a file from a URL and execute it.

A subset of the spam emails in this campaign, Cofense says, employed weaponized PDF files instead. These were identical to the PDFs observed in June, which leveraged .iqy (Excel Web Query) files for malware delivery.
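The attachment chain described in the two paragraphs above (a macro-bearing .pub file, and PDFs leading to .iqy web-query files) is exactly what a mail gateway in front of a bank wants to stop before a user can open it. The following Python is an added example and not code from Cofense, Trustwave or SecurityWeek: the sample bytes are constructed, the extension policy is a hypothetical one, and the OLE and PDF checks are byte-level heuristics rather than a full parser (the VBA source inside an OLE file is stored compressed, so the macro's download URL cannot be pulled out with a plain byte search).

```python
import os
import re

# Magic bytes of an OLE2 compound document, the container used by Publisher
# .pub files (and legacy .doc/.xls).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Storage and stream names inside an OLE file are stored as UTF-16LE, so a
# VBA project is visible in the raw bytes as one of these markers. Heuristic
# only: the macro source itself is MS-OVBA compressed and not searchable.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]

# PDF tokens that make a reader open a URL, run a program or unpack a file.
PDF_ACTIVE_TOKENS = (b"/Launch", b"/JavaScript", b"/EmbeddedFile",
                     b"/URI", b"/OpenAction")

# Hypothetical inbound policy for a bank: neither extension has a business
# reason to arrive from outside the organisation.
BLOCKED_EXTENSIONS = {".pub", ".iqy"}
OLE_EXTENSIONS = {".pub", ".doc", ".xls"}

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def is_ole(data: bytes) -> bool:
    return data.startswith(OLE_MAGIC)


def has_vba_project(data: bytes) -> bool:
    """True if an OLE document carries the storage names of a VBA project."""
    return is_ole(data) and any(marker in data for marker in VBA_MARKERS)


def iqy_target(data: bytes):
    """Return the URL an Excel Web Query (.iqy) file fetches, or None.

    The format is plain text: line 1 'WEB', line 2 '1', line 3 the URL.
    """
    lines = data.decode("ascii", errors="replace").splitlines()
    if len(lines) >= 3 and lines[0].strip() == "WEB":
        m = URL_RE.search(lines[2].encode("ascii", errors="replace"))
        return m.group(0).decode("ascii") if m else None
    return None


def assess_attachment(filename: str, data: bytes):
    """Classify one attachment; returns ("allow"|"quarantine", [reasons])."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]

    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if ext in OLE_EXTENSIONS and not is_ole(data):
        reasons.append(f"{ext} attachment is not an OLE document (content/extension mismatch)")
    if has_vba_project(data):
        reasons.append("OLE document carries a VBA project (macro)")
    if ext == ".iqy":
        url = iqy_target(data)
        if url:
            reasons.append(f"web query would fetch {url}")
    if data.startswith(b"%PDF"):
        found = [t.decode() for t in PDF_ACTIVE_TOKENS if t in data]
        if found:
            reasons.append("PDF contains active content: " + ", ".join(found))

    return ("quarantine" if reasons else "allow"), reasons


# Constructed samples (not real malware): a minimal OLE header followed by a
# Publisher-style 'Macros' storage name, an .iqy pointing at a test URL, a
# PDF with a launch action, and a benign text file.
SAMPLES = {
    "invoice.pub": OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64,
    "statement.iqy": b"WEB\r\n1\r\nhttp://example.invalid/update.dat\r\n",
    "notice.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Action /S /Launch /F (cmd.exe) >>\nendobj\n",
    "readme.txt": b"Quarterly figures attached separately.\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, why = assess_attachment(name, blob)
        print(f"{name:15s} {verdict:10s} {'; '.join(why)}")
```

The extension block is the cheap, high-confidence control; the magic-byte and marker checks catch a renamed or mislabeled file, and the .iqy parser turns a blocked attachment into an indicator (the download URL) that can be fed straight to the proxy blocklist.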

Compared to other attacks fueled by Necurs, this campaign was small, Trustwave points out. The security firm also confirms that all of the targeted addresses were domains belonging to banks, clearly indicating a “desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”

Related: Necurs Botnet to Erupt This Month?

Related: Necurs Botnet Fuels Massive Year-End Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


