
The vaunted Necurs botnet — a network of millions of hacked computers that do the bidding of criminals — suddenly shifted its focus this morning: Normally it sends consumers spam email pushing pharmaceuticals and penny stocks, but now it's conducting a more targeted phishing campaign to hack into bank networks, according to new research by Cofense.

Why it matters: Necurs is one of the largest spamming operations in the world, representing 60% of spam sent from botnets. That's a large operation to pivot — and almost certainly not one to change focus without some major goal in mind.

What happened? Cofense infects its own computers with botnet malware to keep tabs on what the botnets are doing. "Until yesterday, we were seeing subjects like '67% off pills.' This morning at 7 am, it entirely changed to subjects like 'Payment advice,'" said Aaron Higbee, chief technology officer at Cofense.

  • Necurs had been sending emails to any address it could get its hands on. Now the emails were targeted to specific employees of 2700 different banks.
  • Cofense checked the LinkedIn pages of some of the would-be victims that its computers received commands to target, and found that the emails appeared to be based on current rosters of bank employees.
  • The phishing emails contained a Microsoft Publisher file laced with malicious code using a technique known as a macro. Usually, macros are used with Excel and Word files. "In all our time doing this, we've never seen a '.pub' [publisher] file used this way before," Higbee said.
  • The .pub file installs remote access software known as "FlawedAmmyy" that would give hackers a foothold on bank networks.
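
A mail-gateway triage for the attachment type described above, as an added example that is not from Cofense or the original article: it flags `.pub` attachments and checks for the OLE2 header and the `_VBA_PROJECT` stream name that a VBA macro project carries. The sample message, the addresses and the verdict labels are constructed for illustration, and the byte scan is a heuristic rather than a full OLE parser.

```python
# Added example: flag Publisher (.pub) attachments and look for a VBA macro project.
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")     # OLE2 compound-file header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")   # VBA project stream name (UTF-16LE in the OLE directory)

def triage(raw):
    """Return one finding per .pub attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".pub"):
            continue
        data = part.get_payload(decode=True) or b""
        is_ole = data.startswith(OLE_MAGIC)
        has_vba = is_ole and VBA_MARKER in data
        # Heuristic verdicts (labels are this example's own): macros -> block, otherwise hold for review.
        findings.append({"filename": name, "ole": is_ole, "vba": has_vba,
                         "verdict": "block" if has_vba else "review"})
    return findings

def sample_message(filename, payload):
    """Build a constructed test message; addresses are placeholders."""
    m = EmailMessage()
    m["Subject"] = "Payment advice"
    m["From"] = "sender@example.com"
    m["To"] = "employee@bank.example"
    m.set_content("Please see the attached file.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_pub = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER   # constructed bytes, not a real document
    for f in triage(sample_message("advice.pub", fake_pub)):
        print(f)
```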

The background: Last week, the FBI warned banks that a criminal group was planning to commit widespread ATM fraud this week, and to be on the lookout for hackers trying to manipulate bank accounts.

  • Cofense could not find a connection among the targeted banks based on size or location.

Necurs has existed since at least 2012. It is primarily known for spam, but has been used for other types of malware before, too — most famously with the "Dridex" program that stole users' bank-account credentials.
