Necurs Botnet Launches Campaign Against Banks

The Necurs botnet has been observed pushing an unusual malware campaign that almost exclusively targets users and employees within the financial sector.

Necurs is one of the largest and longest-lived botnet that’s still in operation today. Over the years it has been used to distribute various types of malware programs, including the Dridex banking trojan and the Locky ransomware, via mass email spam campaigns.

Researchers from anti-phishing firm Cofense detected that between Aug. 15 and Aug. 18, Necurs launched a malware campaign that targeted email addresses on 3,701 bank domains.

“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically,” the researchers warned in a blog post.

Unlike Necurs’ previous spam campaigns, this one distributed malicious files with the .PUB extension, a file type associated with Microsoft Publisher. Like .DOC and .XLS files, .PUB files can also contain embedded macros and can be used to trick users into executing malicious payloads.

A small subset of emails in this campaign also carried malicious .PDF files instead of .PUB, but in both cases the payload was a remote access Trojan called FlawedAmmyy that’s based on the leaked source code of the legitimate Ammyy Admin remote desktop software.

If allowed to execute, the macros in the rogue documents drop and execute an encrypted 7z archive. The archive then drops a file called that gets renamed to winksys.exe and is executed. The subjects of the rogue emails were fairly simple and included “Request BOI” or “Payment Advice [random_string].”

“The banks range from small regional banks all the way up to the largest financial institutions in the world,” the Cofense researchers said. “We have not yet determined the actor(s) behind this specific campaign or the final goal.”

The Necurs operators rent their botnet to other cybercriminals, who then use it to distribute for their own spam and malware campaigns. Therefore, the group behind this attack against banks is likely not related to Necurs itself.

In recent years, a large number of cybercriminal groups have switched from targeting bank customers via online banking trojans to targeting financial institutions directly. Sophisticated groups such as Carbanak are known for breaking into financial institutions and spending months identifying critical systems and learning internal procedures before stealing millions in one quick attack.

Invoices Spam Wave Pushes Ransomware and Trojan Combo

A new wave of spam emails that mimic invoices is being used to infect computers with the AZORult information-stealing Trojan and the Hermes 2.1 ransomware, Bleeping Computer reports citing security researcher Yves Agostini.

The rogue emails have a subject of “Invoice Due” and contain an attachment called invoice.doc. The emails inform recipients that they have an outstanding payment that should be settled in a matter of days.

The documents are password-protected with a password that’s provided in the email body and, once opened, they display instructions for users to click the “Enable Content” button in Word. Falling for this trick will enable the execution of malicious macros and the installation of the malware payload.

The AZORult Trojan has been known for a while and it’s capable of stealing passwords for bank accounts, email accounts and other online applications. The Trojan has been used together with ransomware in the past, most recently by a group that researchers from Salesforce call Oktropys.

The Hermes ransomware encrypts files without changing their extensions, so the only warning to users is a file called DECRYPT_INFORMATION.html that’s placed on the computer’s desktop when the operation is complete.

Giving the invoice-themed lure of the new campaign, the intended targets are most likely businesses. Companies should train their employees not to open documents received via email from companies they don’t recognize and never to enable the execution of active content such as macros in Microsoft Word, as this is one of the most common ways of infecting computers with malware.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin