
Necurs botnet abuses Microsoft Publisher file format to deliver FlawedAmmyy RAT to bank employees

A pair of Necurs botnet-fueled phishing campaigns were found targeting the banking industry this month, using Microsoft Publisher (.pub) file attachments to drop the FlawedAmmyy remote access trojan.

Discovered by researchers at Cofense, the first campaign commenced on Aug. 15, delivering malspam to more than 2,700 bank domains. Bank employees were targeted with emails that appeared to be from an Indian sender, with subject lines such as "Request BOI" (BOI could be interpreted as Bank of India) and "Payment Advice," followed by random alphanumeric strings.

"The banks range from small regional banks all the way up to the largest financial institutions in the world," stated researchers Jason Meurer and Darrell Rendell, in a Cofense blog post.

That operation was followed up on Aug. 21 with a similar campaign featuring a sender impersonating the South African Capitec Bank, Meurer wrote in a second post.

According to Cofense, the phishing emails used .pub files as attachments because, like Word and Excel files, they can embed macros, which attackers can abuse to infect potential victims, provided users are deceived into enabling the macros. (A small subset of emails from the original attack used weaponized PDFs instead of .pub files.) Cofense noted that the actors "may have found some success" using the .pub files, after having switched from their previous tactic of using .iqy files (Excel internet query files) in PDFs.
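A mail-gateway triage check for the attachment types described above, added here as an example and not code from Cofense or the article. It relies on two standard facts: Publisher files are OLE2 Compound File Binary (CFB) containers, and a CFB container that carries a VBA project holds a directory entry named `_VBA_PROJECT` (stored as UTF-16LE). The sample blobs are constructed, not real Publisher files.

```python
# Magic bytes of an OLE2 Compound File Binary (CFB) container, the format
# that Publisher (.pub), legacy Word (.doc) and Excel (.xls) files share.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Directory-entry names that mark an embedded VBA macro project. CFB stores
# stream and storage names as UTF-16LE, so search for the encoded form.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]

# Attachment extensions the article's campaigns used; treated as high-risk
# even when no macro project is found (e.g. .iqy files carry no OLE container).
RISKY_EXTENSIONS = {".pub", ".iqy"}


def is_ole_container(data: bytes) -> bool:
    """True when the attachment starts with the CFB signature."""
    return data[:8] == OLE_MAGIC


def has_vba_project(data: bytes) -> bool:
    """Heuristic: an OLE container whose directory names a VBA project.
    Directory entries are 128-byte records, so a raw byte search finds the
    UTF-16LE name wherever the directory sector sits in the file."""
    return is_ole_container(data) and any(m in data for m in VBA_MARKERS)


def triage_attachment(filename: str, data: bytes) -> str:
    """Return 'block' (macro project present), 'quarantine' (risky
    extension, no macro found) or 'allow'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data):
        return "block"
    if ext in RISKY_EXTENSIONS:
        return "quarantine"
    return "allow"


def build_sample_ole(with_vba: bool) -> bytes:
    """Constructed minimal CFB-shaped blob for demonstration only: a 512-byte
    header carrying the magic, followed by one 128-byte directory entry."""
    header = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))
    name = "_VBA_PROJECT" if with_vba else "Contents"
    entry = (name.encode("utf-16-le") + b"\x00\x00").ljust(128, b"\x00")
    return header + entry


if __name__ == "__main__":
    print(triage_attachment("Payment Advice.pub", build_sample_ole(True)))   # block
    print(triage_attachment("Payment Advice.pub", build_sample_ole(False)))  # quarantine
    print(triage_attachment("report.docx", b"PK\x03\x04" + b"\x00" * 16))   # allow
```

A production gateway would parse the CFB directory properly (for example with oletools' olevba) and also detonate .iqy and PDF attachments, since neither carries an OLE container for this check to inspect.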

The payload, FlawedAmmyy, is a derivative of Ammyy Admin remote desktop software, and can be used to fully compromise and hijack an infected host, as well as steal credentials.

"It appears the Necurs botnet has its sights set on the banking industry now after some initial testing done earlier this month," concluded Meurer in the more recent blog post. "While the methods used are not entirely unique, the constant development and fine-tuning of their attacks shows a concerted effort to reach the end goal of compromising banks."

Bradley Barth
