The Necurs botnet has been linked to a new campaign launched against financial institutions in order to spread Remote Access Trojans (RATs).
However, what makes this campaign interesting is that all targets were bank employees, which suggests a level of spear phishing.
“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically,” Cofense says.
The Necurs botnet, known internally by Proofpoint as TA505, is one of the largest spam generators in existence.
The short-lived campaign launched by the botnet abruptly stopped roughly eight hours after being discovered.
The spam emails in this campaign are basic and appear to be coming from India. The message titles are simple, too, as they include either “Request BOI” or “Payment Advice
However, the malicious payload is far from simple.
As a break outside the norm for the botnet, there is the addition of weaponized Microsoft Publisher files which are attached to the fraudulent emails. The .PUB files contain embedded macros which, once downloaded and opened, then grabs a payload from a remote host. A smaller number of targets were issued malicious .PDF file attachments.
“Like Word and Excel, Publisher has the ability to embed macros,” Cofense says. “So just when you are feeling confident about a layered defense protecting you from malicious Word docs, Necurs adapts and throws you a curveball.”
The malware payload is the FlawedAmmyy RAT. FlawedAmmyy is based on the leaked source code of the legitimate Ammyy Admin remote desktop control software.
The Trojan is able to seize control of an infected machine’s host, providing remote access to a threat actor, as well as stealing sensitive data. Researchers say the malware can also serve as a “beachhead for any further lateral movement within the organization.”
Necurs was first spotted in 2012 and hit the spotlight several years ago after threat actors harnessed the botnet to spread the Dridex banking Trojan and Locky ransomware. The researchers do not know who is behind the campaign, or why the attack was so short-lived.
At the same time, researchers from Proofpoint say the botnet is also being used to distribute a new strain of malware. Dubbed Marap, the payload dropper is able to steal system information and receive additional modules for further infection from C&C servers.
The targets in the latest campaign ranged from small banks to some of the largest and most well-known financial institutions. While the assault has stopped, for now, there are no guarantees banks will not soon again be targeted.