The Necurs botnet is being used in a new attack campaign concentrating banks worldwide. The latest security reports indicate that the attackers utilize .PUB files which are Microsoft Publisher documents. Read our article to learn more about the incidents.
Necurs Botnet Uses .Pub Files To Infiltrate Banks
We have received a security report of a new global infection campaign utilizing the Necurs botnet. The large-scale attacks are against banks and banking users bearing advanced infiltration tactics. So far we have information on the global attack that happened on August 15 (yesterday). It is expected that Necurs might be used in future attacks when the criminals have assessed how much damage they have done during the initial outbreak.
Necurs is especially suited for this type of attacks as it uses Domain Generation Algorithms (DGA’s) and direct peer-to-peer connections which makes it very hard to block by network administrators. As such it has been used to spread the majority of Locky ransomware attacks and Trojans like Dridex.
The latest technique used by criminals involves phishing email messages that involve sending out .PUB (Microsoft Publisher) files. The reports indicate a typical message layout, the recipients will receive emails from addresses of Indian origin. The subjects can include strings such as “Request BOI”, “Payment Advice”, “Contracts” in combination with random alphanumeric characters. If the victim users open the infected files a series of malicious macros will be activated which downloads a malware from a remote site. In some case a notification prompt can be spawned, users are advised not to interact with scripts received through such means.
Once the macros are started the behavior pattern will begin by dropping a file to the folder where the document is saved and an archive software is also delivered. Via the established connection archive a password-protected archive is downloaded and then unzipped using a hardcoded password. The extracted files are renamed as system components and the infection will be started by them.
The end goal of the Necurs Botnet infection is to deliver a Trojan that is very similar to a previous attack that utilized .IQY files.
The Trojan used in the .PUB files attack is powerful and customized against both banks and end users. It establishes a constant secure connection between the infected host and a hacker-controlled server — this effectively allows the criminals to spy on the victims in real time, take over control of their machines and deploy other viruses.
Many custom versions include a data harvesting module which is configured to hijck two groups of information:
- Personal Information — Data collected about the users can be used to expose their identity. This is done by looking out for strings such as their name, address, phone number, location, interests and passwords.
- Campaign Metrics — Hackers are also known to extract information that can be used to optimize the attacks. Usually they consist of a report indicating the installed hardware components, user-set options and certain operating system values.
Trojans like this one are also well-known for Windows Registry changes. They can disrupt the ordinary functionality of both user-installed applications and the operating system as a whole. Some infections can be detected by indirect symptoms such as a sudden drop of system performance.
The hackers can instruct the dangerous payload to change the boot options — the threat can be set to automatically start as soon as the computer is started. It can also block access to the boot recovery menu which renders many manual user removal options.
Security analysts expect that further attack campaigns will be launched in a short period of time. To this date there is no information about the hacker or criminal group behind the ongoing attacks.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: