A pair of Necurs botnet-fueled phishing campaigns were found targeting the banking industry this month, using Microsoft Publisher (.pub) file attachments to drop the FlawedAmmyy remote access trojan.
Discovered by researchers at Cofense, the first campaign commenced on 15 August, delivering malspam to more than 2,700 bank domains. Bank employees were targeted with emails that appeared to be from an Indian sender, with subject lines such as "Request BOI" (BOI could be interpreted as Bank of India) and "Payment Advice," followed by random alphanumeric numbers.
"The banks range from small regional banks all the way up to the largest financial institutions in the world," stated researchers Jason Meurer and Darrell Rendell, in a Cofense blog post.
That operation was followed up on 21 August with a similar campaign featuring a sender impersonating the South African Capitec Bank, Meurer wrote in a second post.
According to Cofense, the phishing emails used .pub files as attachments because, like Word and Excel files, they can embed macros, which attackers can abuse to infect potential victims, providing users are deceived into enabling the macros. (A small subset of emails from the original attack used weaponized PDFs instead of .pub files.). Cofense noted that the actors "may have found some success" using the PUB files, after having switched from their previous tactic of using .iqy files (Excel internet query files) in PDFs.
The payload, FlawedAmmyy, is a derivative of Ammyy Admin remote desktop software, and can be used to fully compromise and hijack an infected host, as well as steal credentials.
"It appears the Necurs botnet has its sights set on the banking industry now after some initial testing done earlier this month," concluded Meurer in the more recent blog post. "While the methods used are not entirely unique, the constant development and fine-tuning of their attacks shows a concerted effort to reach the end goal of compromising banks."