Necurs botnet abuses Microsoft Publisher file format to deliver FlawedAmmyy RAT to bank employees
A pair of Necurs botnet-fueled phishing campaigns were found targeting the banking industry this month, using Microsoft Publisher (.pub) file attachments to drop the FlawedAmmyy remote access trojan.
Discovered by researchers at Cofense, the first campaign commenced on Aug. 15, delivering malspam to more than 2,700 bank domains. Bank employees were targeted with emails that appeared to be from an Indian sender, with subject lines such as "Request BOI" (BOI could be interpreted as Bank of India) and "Payment Advice," followed by random alphanumeric numbers. "The banks range from small regional banks all the way up to the largest financial institutions in the world," stated researchers Jason Meurer and Darrell Rendell, in a Cofense blog post.
According to Cofense, the phishing emails used .pub files as attachments because, like Word and Excel files, they can embed macros, which attackers can abuse to infect potential victims, providing users are deceived into enabling the macros. (A small subset of emails from the original attack used weaponized PDFs instead of .pub files.) Cofense noted that the actors "may have found some success" using the PUB files, after having switched from their previous tactic of using .iqy files (Excel internet query files) in PDFs.
The payload, FlawedAmmyy, is a derivative of Ammyy Admin remote desktop software, and can be used to fully compromise and hijack an infected host, as well as steal credentials.
"It appears the Necurs botnet has its sights set on the banking industry now after some initial testing done earlier this month," concluded Meurer in the more recent blog post. "While the methods used are not entirely unique, the constant development and fine-tuning of their attacks shows a concerted effort to reach the end goal of compromising bank
Phishing campaign reveals new Marap downloader malware, possibly distributed by Necurs botnet
Researchers have linked a newly discovered downloader malware to the Necurs botnet, after it was observed in a large Aug. 10 email-based phishing campaign targeting mostly financial organizations. The malware, named Marap, is capable of downloading additional modules and payloads in order to give attackers a wide range of capabilities. The emails leveraged a number of different malicious attachment types, including Excel Web Query (.iqy) files, password-protected ZIP archives containing .iqy files, PDF documents with embedded .iqy files, and Microsoft Word documents with macros, the blog post reported.
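As an added illustration of the defender side (not code from the article or from Cofense), here is a small Python triage routine for the attachment types named in these two campaigns: .pub files that are OLE2 containers carrying a VBA project stream, .iqy web-query files and the URL they would fetch, and ZIP archives whose entry names are risky even when the archive is password-protected. The sample attachments and the URL are constructed, and the VBA stream-name check is a heuristic rather than a full OLE parser.

```python
import io
import zipfile

# Extensions worth flagging inside an archive, taken from the attachment types in the article.
RISKY_EXTENSIONS = {".pub", ".iqy", ".pdf", ".doc", ".docm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound document; Publisher uses it
# OLE directory entry names are UTF-16LE; this stream name is present when a VBA project is stored.
# Heuristic only: a real gateway would walk the OLE directory instead of scanning raw bytes.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def iqy_target_url(data: bytes):
    """Return the URL an Excel Web Query (.iqy) file would fetch, or None if malformed."""
    lines = data.decode("ascii", errors="replace").splitlines()
    if len(lines) >= 3 and lines[0].strip().upper() == "WEB":
        url = lines[2].strip()
        if url.lower().startswith(("http://", "https://")):
            return url
    return None


def triage_attachment(name: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means nothing was flagged."""
    findings, ext = [], _ext(name)
    if ext == ".pub":
        if not data.startswith(OLE_MAGIC):
            findings.append("pub: not an OLE2 file (extension spoof?)")
        elif VBA_MARKER in data:
            findings.append("pub: OLE file contains a VBA project (macro-enabled)")
    elif ext == ".iqy":
        url = iqy_target_url(data)
        findings.append(f"iqy: web query fetches {url}" if url else "iqy: malformed web query")
    elif ext == ".zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # The central directory is not encrypted, so names are listable without the password.
            for info in zf.infolist():
                if _ext(info.filename) in RISKY_EXTENSIONS:
                    enc = " (encrypted)" if info.flag_bits & 0x1 else ""
                    findings.append(f"zip: contains {info.filename}{enc}")
    return findings


def build_samples() -> dict:
    """Constructed sample attachments (not real campaign files) mirroring the article's types."""
    pub_with_macro = OLE_MAGIC + b"\x00" * 32 + VBA_MARKER + b"\x00" * 32
    iqy = b"WEB\r\n1\r\nhttp://example.invalid/payload.dat\r\n"  # constructed placeholder URL
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.iqy", iqy)
    return {"Payment Advice.pub": pub_with_macro, "Request BOI.iqy": iqy, "docs.zip": buf.getvalue()}


def triage_all(attachments: dict) -> dict:
    return {name: triage_attachment(name, data) for name, data in attachments.items()}
```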
Source / Reference : https://www.scmagazine.com/necurs-botnet-abuses-microsoft-publisher-file-format-to-deliver-flawedammyy-rat-to-bank-employees/article/790859/