A new Necurs botnet campaign targets thousands of banks with a malicious file dropping the FlawedAmmyy remote-access Trojan.
The Necurs botnet has resurfaced in a new phishing campaign targeting banks with malicious Microsoft Publisher and PDF files packed with the FlawedAmmyy remote-access Trojan.
Cofense researchers first detected the campaign early on August 15 and have confirmed 3,071 banking domains have been hit so far. Recipients range from small regional banks to some of the world’s largest financial institutions.
Necurs, a rootkit first discovered in 2012, became famous in 2016 when it was spotted delivering large volumes of Dridex and Locky ransomware. Now it’s resurfacing with new tactics as threat actors experiment with different strategies to see which are most effective.
This campaign differed from Necurs’ usual strategy in several ways. For starters, it wasn’t your traditional spam — this was a phishing campaign specifically geared toward the banking industry, using malicious attachments to deliver a payload designed to enable remote access. It also leveraged Microsoft Publisher files, a shift from typical Word and Excel documents. A small subset of this campaign used PDF files, which shows the attackers are trying different tactics.
Read more: Dark Reading