Aug 15, 2018

Massive botnet suddenly shifts focus to hacking banks


The vaunted Necurs botnet — a network of millions of hacked computers that do the bidding of criminals — suddenly shifted its focus this morning: Normally it sends consumers spam email pushing pharmaceuticals and penny stocks, but now it's conducting a more targeted phishing campaign to hack into bank networks, according to new research by Cofense.

Why it matters: Necurs is one of the largest spamming operations in the world, representing 60% of spam sent from botnets. That's a large operation to pivot — and almost certainly not one to change focus without some major goal in mind.

What happened? Cofense infects its own computers with botnet malware to keep tabs on what the botnets are doing. "Until yesterday, we were seeing subjects like '67% off pills.' This morning at 7 am, it entirely changed to subjects like 'Payment advice,'" said Aaron Higbee, chief technology officer at Cofense.

  • Necurs had been sending emails to any address it could get its hands on. Now the emails were targeted to specific employees of 2700 different banks.
  • Cofense checked the LinkedIn pages of some of the would-be victims that its computers received commands to target, and found that the emails appeared to be based on current rosters of bank employees.
  • The phishing emails contained a Microsoft Publisher file laced with malicious code using a technique known as a macro. Usually, macros are used with Excel and Word files. "In all our time doing this, we've never seen a '.pub' [publisher] file used this way before," Higbee said.
  • The .pub file installs remote access software known as "FlawedAmmyy" that would give hackers a foothold on bank networks.

The background: Last week, the FBI warned banks that a criminal group was planning to commit widespread ATM fraud this week, and to be on the lookout for hackers trying to manipulate bank accounts.

  • Cofense could not find a connection among the targeted banks based on size or location.

Necurs has existed since at least 2012. It is primarily known for spam, but has been used for other types of malware before, too — most famously with the "Dridex" program that stole users' bank-account credentials.
