Necurs Botnet Campaign Targets Banks with Malware .Pub Files

The Necurs botnet is being used in a new attack campaign targeting banks worldwide. The latest security reports indicate that the attackers utilize .PUB files, which are Microsoft Publisher documents. Read our article to learn more about the incidents.

Necurs Botnet Uses .Pub Files To Infiltrate Banks

We have received a security report of a new global infection campaign utilizing the Necurs botnet. The large-scale attacks are aimed at banks and banking users and employ advanced infiltration tactics. So far we have information on the global attack that happened on August 15 (yesterday). It is expected that Necurs might be used in future attacks once the criminals have assessed how much damage they did during the initial outbreak.

Necurs is especially suited for this type of attack as it uses Domain Generation Algorithms (DGAs) and direct peer-to-peer connections, which make it very hard for network administrators to block. As such, it has been used to spread the majority of Locky ransomware attacks and Trojans like Dridex.

The latest technique used by the criminals involves phishing emails that carry .PUB (Microsoft Publisher) files. The reports indicate a typical message layout: the recipients receive emails from addresses of Indian origin. The subjects can include strings such as “Request BOI”, “Payment Advice” and “Contracts” in combination with random alphanumeric characters. If the victims open the infected files, a series of malicious macros is activated which downloads malware from a remote site. In some cases a notification prompt can be spawned; users are advised not to interact with scripts received through such means.
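The message characteristics reported above (a .PUB attachment, a subject built from one of the known keywords plus a random alphanumeric string, and a sender of Indian origin) can be turned into a mail-gateway triage rule. The following is an added example, not code from the original post or from any vendor; the sample messages are constructed, the scoring weights and the 3-point threshold are assumptions, and the ".in" sender-domain check is a weak stand-in for "Indian origin" that a real deployment would replace with its own sender-reputation data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Subject keywords reported for the campaign.
KEYWORD_RE = re.compile(r"\b(request boi|payment advice|contracts)\b", re.I)
# A token of 5+ characters mixing letters and digits, e.g. "7FK3Q9" (constructed).
RANDOM_TOKEN_RE = re.compile(r"\b(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{5,}\b", re.I)


@dataclass
class MailMeta:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)


def triage(msg: MailMeta) -> tuple[int, list[str]]:
    """Return a score and the heuristics that fired for one message (weights assumed)."""
    score, reasons = 0, []
    if any(name.lower().endswith(".pub") for name in msg.attachments):
        score += 2
        reasons.append("publisher-attachment")
    if KEYWORD_RE.search(msg.subject):
        score += 1
        reasons.append("campaign-subject-keyword")
    if RANDOM_TOKEN_RE.search(msg.subject):
        score += 1
        reasons.append("random-subject-token")
    # Weak proxy for "addresses of Indian origin": sender domain under the .in ccTLD.
    if msg.sender.lower().rsplit("@", 1)[-1].endswith(".in"):
        score += 1
        reasons.append("sender-domain-in-tld")
    return score, reasons


# Constructed sample metadata; not real campaign data.
SAMPLE = [
    MailMeta("accounts@example-bank.in", "Payment Advice 7FK3Q9", ["invoice.pub"]),
    MailMeta("hr@corp.example", "Contracts", ["contract.pdf"]),
    MailMeta("news@example.com", "Weekly newsletter", []),
]


def flagged(messages=SAMPLE, threshold: int = 3) -> list[str]:
    """Subjects of messages scoring at or above the (assumed) threshold."""
    return [m.subject for m in messages if triage(m)[0] >= threshold]


if __name__ == "__main__":
    for m in SAMPLE:
        print(m.subject, triage(m))
```

A .PUB attachment alone does not reach the threshold, so legitimate Publisher documents are only quarantined when the subject and sender heuristics also fire.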

Once the macros are started, the behavior pattern begins by dropping a file to the folder where the document is saved, and archiving software is also delivered. Via the established connection archive a password-protected archive (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Martin Beltov. Read the original post at: