17th August, 2018
1 Min read
Book a Demo
A new Necurs botnet campaign targets thousands of banks with a malicious file dropping the FlawedAmmyy remote-access Trojan.
Reduce your AWS costs by over 50%
Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.
The Necurs botnet has resurfaced in a new phishing campaign targeting banks with malicious Microsoft Publisher and PDF files packed with the FlawedAmmyy remote-access Trojan.
Cofense researchers first detected the campaign early on August 15 and have confirmed 3,071 banking domains have been hit so far. Recipients range from small regional banks to some of the world’s largest financial institutions.
Necurs, a rootkit first discovered in 2012, became famous in 2016 when it was spotted delivering large volumes of Dridex and Locky ransomware. Now it’s resurfacing with new tactics as threat actors experiment with different strategies to see which are most effective.
This campaign differed from Necurs’ usual strategy in several ways. For starters, it wasn’t your traditional spam — this was a phishing campaign specifically geared toward the banking industry, using malicious attachments to deliver a payload designed to enable remote access. It also leveraged Microsoft Publisher files, a shift from typical Word and Excel documents. A small subset of this campaign used PDF files, which shows the attackers are trying different tactics.
Read more: Dark Reading
Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.