Necurs Botnet Pounces on Banks Via Targeted Phishing Campaign
The Necurs botnet recently re-emerged in a new phishing campaign targeting banks with malicious PDF and Microsoft Publisher documents that deliver a remote access trojan (RAT) named FlawedAmmyy. According to the security firm Cofense, the campaign began on August 15th and was short-lived, even though it targeted more than 3,071 banking sites. The targets ranged from small local banks to some of the world's largest financial institutions. Within a few hours, however, the attacks abruptly stopped.
Necurs, a rootkit-based malware family, was first discovered in 2012, when it was used to link infected PCs into a highly resilient botnet that could then be used to distribute malware or carry out other kinds of attacks.
The Necurs botnet has been behind a steady stream of spam email. New campaigns emerge from time to time, such as the ones that distributed the Dridex and Locky malware samples in 2016. Currently, Necurs is resurfacing with newer techniques, experimenting with various lures to find the most effective ones.
The latest attack sent personalised phishing emails to bank employees, usually carrying an attachment with a .pub file extension, which denotes Microsoft Publisher. Such files can carry malicious macros just as Excel or Word documents can. Not every Necurs spam email carried a .pub file, however; some contained only infected PDF files.
Once the infected file was opened, the macros inside it downloaded malware onto the host computer from a remote command-and-control (C&C) server. This process ultimately delivered FlawedAmmyy.
Cofense explains that FlawedAmmyy was built from the leaked source code of Ammyy Admin. The tool gives the attacker full remote control over the infected PC, which helps in stealing credentials and sensitive files, and also serves as a beachhead for further lateral movement inside the affected institution.
The emails appeared to be messages sent by an internal staff member from India, and carried subject lines such as "Request BOI" or "Payment Advice."
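The traits described above (a sender that looks internal, a Publisher or PDF attachment, and a recycled lure subject) are the kind of signals a mail-gateway triage rule can score. The following Python script is an added example, not code from the article or from Cofense; it runs over a few constructed gateway log lines (the log format, the internal domain `examplebank.example` and the relay hostnames are all assumptions) and flags messages whose combined score crosses a threshold.

```python
import re

# Constructed mail-gateway log lines for illustration only (not from the article).
# Format assumed: ts from="Display <addr>" envelope_from=addr subject="..." attachments=a,b
SAMPLE_LOG = """\
2018-08-15T09:12:04Z from="Ramesh Iyer <ramesh.iyer@examplebank.example>" envelope_from=ramesh.iyer@mail-relay.example subject="Request BOI" attachments=invoice_0815.pub
2018-08-15T09:13:11Z from="Payroll <payroll@examplebank.example>" envelope_from=payroll@examplebank.example subject="Payment Advice" attachments=payment_advice.pdf
2018-08-15T09:15:42Z from="Anita Rao <anita.rao@examplebank.example>" envelope_from=anita.rao@examplebank.example subject="Q3 budget review" attachments=budget.xlsx
2018-08-15T09:18:30Z from="IT Helpdesk <helpdesk@examplebank.example>" envelope_from=noreply@free-mailer.example subject="Payment Advice" attachments=advice.pdf,notes.pub
"""

INTERNAL_DOMAIN = "examplebank.example"            # assumed internal mail domain
LURE_SUBJECTS = ("request boi", "payment advice")  # subject lines reported in the campaign
FLAG_THRESHOLD = 4

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from="(?P<display>[^"<]*)<(?P<hdr_from>[^>]+)>" '
    r'envelope_from=(?P<env_from>\S+) subject="(?P<subject>[^"]*)" '
    r'attachments=(?P<attachments>\S*)$'
)


def parse_log_line(line):
    """Split one gateway log line into its fields; returns None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def score_message(msg):
    """Return (score, reasons) for one parsed message based on the campaign's traits."""
    score, reasons = 0, []
    atts = [a.lower() for a in msg["attachments"].split(",") if a]
    subject = msg["subject"].strip().lower()
    lure = any(l in subject for l in LURE_SUBJECTS)

    # Publisher attachments are rare in business mail and can carry macros.
    if any(a.endswith(".pub") for a in atts):
        score += 3
        reasons.append("publisher-attachment")
    # Subject matches a lure seen in the campaign.
    if lure:
        score += 2
        reasons.append("lure-subject")
    # Header From claims the internal domain but the envelope sender is external.
    if _domain(msg["hdr_from"]) == INTERNAL_DOMAIN and _domain(msg["env_from"]) != INTERNAL_DOMAIN:
        score += 3
        reasons.append("spoofed-internal-sender")
    # A PDF alone is weak evidence; only count it alongside a lure subject.
    if lure and any(a.endswith(".pdf") for a in atts):
        score += 1
        reasons.append("pdf-with-lure")
    return score, reasons


def triage(log_text, threshold=FLAG_THRESHOLD):
    """Score every parseable line and return the messages at or above the threshold."""
    flagged = []
    for line in log_text.splitlines():
        msg = parse_log_line(line)
        if msg is None:
            continue
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append({"ts": msg["ts"], "from": msg["hdr_from"],
                            "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["from"]} score={hit["score"]} {",".join(hit["reasons"])}')
```

The weights are deliberately additive so that a single weak signal (a legitimate payroll notice with a PDF and a "Payment Advice" subject) stays below the threshold, while the combination of a spoofed internal sender and an unusual attachment type is enough on its own; in production the same logic would typically feed a quarantine or analyst queue rather than block outright.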
Meanwhile, it is still unclear why the attack was so short-lived.
» SPAMfighter News - 8/30/2018