
The vaunted Necurs botnet — a network of millions of hacked computers that do the bidding of criminals — suddenly shifted its focus this morning: Normally it sends consumers spam email pushing pharmaceuticals and penny stocks, but now it's conducting a more targeted phishing campaign to hack into bank networks, according to new research by Cofense.

Why it matters: Necurs is one of the largest spamming operations in the world, representing 60% of spam sent from botnets. That's a large operation to pivot — and almost certainly not one to change focus without some major goal in mind.

What happened? Cofense infects its own computers with botnet malware to keep tabs on what the botnets are doing. "Until yesterday, we were seeing subjects like '67% off pills.' This morning at 7 am, it entirely changed to subjects like 'Payment advice,'" said Aaron Higbee, chief technology officer at Cofense.

  • Necurs had been sending emails to any address it could get its hands on. Now the emails were targeted to specific employees of 2700 different banks.
  • Cofense checked the LinkedIn pages of some of the would-be victims that its computers received commands to target, and found that the emails appeared to be based on current rosters of bank employees.
  • The phishing emails contained a Microsoft Publisher file laced with malicious code using a technique known as a macro. Usually, macros are used with Excel and Word files. "In all our time doing this, we've never seen a '.pub' [Publisher] file used this way before," Higbee said.
  • The .pub file installs remote access software known as "FlawedAmmyy" that would give hackers a foothold on bank networks.
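A mail-gateway style check for the delivery method described above, added here as an example and not taken from Cofense or the original article: it walks every MIME part of a message, flags attachments named `.pub`, and notes whether the bytes start with the OLE2 compound-file header used by legacy Office formats. The sample messages, addresses and function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Header shared by OLE2 compound files (legacy .doc/.xls/.pub and others).
# It confirms "legacy Office container", not "Publisher" specifically.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def build_sample(subject, filename, payload):
    """Build a constructed test message (not a real campaign email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "employee@bank.example"
    msg["Subject"] = subject
    msg.set_content("Please see attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def flag_publisher_attachments(raw):
    """Return one finding per attachment whose name ends in .pub."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():          # walk() also descends into nested parts
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().rstrip(".")
        if not name.lower().endswith(".pub"):
            continue
        data = part.get_payload(decode=True) or b""
        findings.append({
            "subject": str(msg["Subject"]),
            "filename": name,
            # True when the content matches the claimed legacy Office type
            "ole2_container": data.startswith(OLE2_MAGIC),
        })
    return findings


if __name__ == "__main__":
    suspicious = build_sample("Payment advice", "ADVICE.PUB",
                              OLE2_MAGIC + b"\x00" * 32)
    benign = build_sample("Meeting notes", "notes.txt", b"agenda")
    for raw in (suspicious, benign):
        print(flag_publisher_attachments(raw))
```

The filename test is what triggers a finding; the header check only adds context, since the same header appears on other legacy Office files.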

The background: Last week, the FBI warned banks that a criminal group was planning to commit widespread ATM fraud this week, and to be on the lookout for hackers trying to manipulate bank accounts.

  • Cofense could not find a connection among the targeted banks based on size or location.

Necurs has existed since at least 2012. It is primarily known for spam, but has been used for other types of malware before, too — most famously with the "Dridex" program that stole users' bank-account credentials.
