A campaign that began weeks ago and targeted approximately 2,700 Fortune 100 banking institutions in the US and around the world with a widespread botnet attack came to a sudden halt as of 15:37 EST on 15 August, according to researchers at Cofense. The phishing emails appeared to be coming from India and contained the subject lines “Request BOI” or “Payment Advice.”
Malware analysts had been tracking the Necurs botnet for the last several months and observed the highly targeted phishing campaign as an attempt to go after the financial sector for the first time. The threat actors were reportedly attempting to get a foothold on the banks’ infrastructure and set the stage for potential further attacks.
First observed in 2012 and famed for sending Locky a few years ago, Necurs rootkit couples multiple Domain Generation Algorithms (DGAs) with .bit domain names and P2P communications.
After studying the increased botnet campaigns over the last several weeks, researchers found that all of the recipients were employed at banks. In addition, researchers noted a new file extension .pub, which belongs to Microsoft Publisher, attached to the phishing campaigns.
This unexpected change in file extension happened at 7:30 am on 15 August. “Like Word and Excel, Publisher has the ability to embed macros. So just when you are feeling confident about a layered defense protecting you from malicious Word docs, Necurs adapts and throws you a curve ball,” researchers wrote.
“The banks range from small regional banks all the way up to the largest financial institutions in the world. We have not yet determined the actor(s) behind this specific campaign or the final goal.”
The .pub extension contained an embedded macro that, when executed, downloaded from a remote host, resulting in the FlawedAmmyy remote access Trojan (RAT). With this final payload, the attackers gained full remote control of the compromised host, enabling both credentials theft and the potential of future lateral movement within the banking institution.