Necurs Campaign Targets Banks
21.8.18 securityweek Virus
A recently observed spam campaign powered by the infamous Necurs botnet has been specifically targeting banks with the FlawedAmmyy RAT, security researchers warn.
First observed in 2012, the Necurs botnet is best known for the massive Locky ransomware campaigns that it powered in 2016 and 2017. Considered the largest spam botnet in the world, Necurs was sending tens of millions of emails daily at the end of last year.
The botnet has stayed resilient by combining several Domain Generation Algorithms (DGAs), a peer-to-peer command-and-control protocol, and Namecoin-resolved .bit domain names, which put its infrastructure out of reach of ordinary DNS takedowns, Cofense’s researchers report. Over the past weeks, it has also shown an increase in activity, the security firm notes.
Last week, Necurs started sending spam emails that appeared highly targeted at the banking industry, and Cofense says that over 3,700 bank domains were targeted as recipients.
“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically. […] The banks range from small regional banks all the way up to the largest financial institutions in the world,” the security firm reveals.
The main purpose of the attack was to infect recipients with the FlawedAmmyy remote access Trojan (RAT), a payload that Necurs had already been delivering for several months.
Believed to be built from the leaked source code of the legitimate Ammyy Admin remote-administration tool, FlawedAmmyy gives attackers full control over a compromised system. The malware can execute commands on the infected machine, open remote desktop sessions, launch a file manager, view the screen, and more.
The highly targeted campaign revealed yet another step in the constant evolution of Necurs: the use of .pub attachments (Microsoft Publisher files) to bypass security protections, since Publisher documents are far less commonly blocked or inspected than macro-enabled Word and Excel attachments.
Like the other Office applications, Microsoft Publisher supports VBA macros, and the actor behind this campaign embedded a malicious macro in the .pub file delivered by the spam messages. When run, the macro fetched a file from a hard-coded URL and executed it.
A subset of the spam emails in this campaign, Cofense says, carried weaponized PDF files instead. These were identical to PDFs observed in June that delivered .iqy (Excel Web Query) files, a plain-text format that makes Excel fetch and render content from a URL when opened.
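The two lures above (a Publisher file carrying a VBA project, and an .iqy file pointing Excel at a remote URL) can both be triaged from the raw attachment bytes without opening them in Office. The script below is an added example written for this article, not code from Cofense, Trustwave or the campaign; the sample message it builds is constructed inline, the .pub body is a stand-in (OLE magic plus a VBA stream name, not a real Compound File), and the hostnames use the reserved .invalid TLD. It relies on two facts about the formats: Office binary containers store stream names as UTF-16LE in their directory, so the literal stream name "_VBA_PROJECT" is a cheap macro indicator; and an .iqy file is three text lines, the third of which is the URL. For production triage, a full parser such as oletools' olevba is the right tool; this heuristic only shows what the check looks for.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 / Compound File Binary container; .pub uses it like legacy .doc/.xls.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entries store stream names as UTF-16LE. A VBA project always contains a stream
# literally named "_VBA_PROJECT", so its UTF-16LE encoding in the raw bytes is a cheap
# "this container has macros" indicator. The macro source itself is MS-OVBA compressed, so
# the download URL inside it cannot be grepped the same way.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def publisher_has_vba(data: bytes) -> bool:
    """True if the blob is an OLE container that carries a VBA project stream."""
    return data.startswith(OLE_MAGIC) and VBA_STREAM_MARKER in data


def iqy_urls(data: bytes) -> list:
    """Return the URL(s) an Excel Web Query (.iqy) file would fetch when opened.

    Format: line 1 is the query type ("WEB"), line 2 the version ("1"), line 3 the URL;
    later lines hold optional key=value settings and are ignored here.
    """
    lines = data.decode("utf-8", "replace").splitlines()
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        return []
    return [ln.strip() for ln in lines[2:]
            if ln.strip().lower().startswith(("http://", "https://"))]


def triage_message(raw: bytes) -> list:
    """Walk a raw RFC 822 message and classify each attachment by extension and content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext == ".pub":
            verdict = "publisher-with-vba" if publisher_has_vba(payload) else "publisher"
            findings.append({"name": name, "verdict": verdict, "urls": []})
        elif ext == ".iqy":
            findings.append({"name": name, "verdict": "iqy-web-query",
                             "urls": iqy_urls(payload)})
        else:
            findings.append({"name": name, "verdict": "other", "urls": []})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mail (not a real campaign artefact) with a .pub and an .iqy attachment.

    The .pub body is a stand-in: OLE magic, filler, then the UTF-16LE stream name. It is not a
    parseable CFB file. The .iqy points at a reserved .invalid hostname.
    """
    msg = EmailMessage()
    msg["From"] = "invoice@example.invalid"
    msg["To"] = "ap@bank.example.invalid"
    msg["Subject"] = "Payment advice"
    msg.set_content("Please see the attached payment advice.")
    fake_pub = OLE_MAGIC + b"\x00" * 504 + VBA_STREAM_MARKER + b"\x00" * 64
    msg.add_attachment(fake_pub, maintype="application", subtype="octet-stream",
                       filename="Payment_Advice.pub")
    fake_iqy = b"WEB\r\n1\r\nhttp://dl.example.invalid/ps.dat\r\n\r\nSelection=EntirePage\r\n"
    msg.add_attachment(fake_iqy, maintype="application", subtype="octet-stream",
                       filename="advice.iqy")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Running the script prints one dictionary per attachment: the .pub is flagged `publisher-with-vba` and the .iqy yields the URL Excel would contact, which is the indicator worth blocking at the proxy and searching for in mail logs. A .pub that is an OLE container without the VBA stream name is reported as plain `publisher`, so the extension alone does not drive the verdict.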
Compared to other attacks fueled by Necurs, this campaign was small, Trustwave points out. The security firm also confirms that every targeted address belonged to a bank domain, which it reads as a clear “desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”