[Aug 17, 2018]
A new Necurs botnet campaign targets thousands of banks with a malicious file dropping the FlawedAmmyy remote-access Trojan.
The Necurs botnet has resurfaced in a new phishing campaign targeting banks with malicious Microsoft Publisher and PDF files packed with the Trojan.
Cofense researchers first detected the campaign early on August 15 and have confirmed 3,071 banking domains have been hit so far. Recipients range from small regional banks to some of the world’s largest financial institutions.
The payload, FlawedAmmyy, is malware based on leaked source code for Ammyy Admin. It gives an attacker full remote control of a compromised host, which can lead to file and credential theft and enable lateral movement within target organizations.
Cyber Security Tips:
Bank Employees are advised to:
- Never click on any links provided in the emails.
- Always log on to any website by typing the proper URL in the address bar.
- Immediately change your passwords if you have accidentally revealed your credentials to anyone.
- Before providing your user id and password, ensure that the URL of the login page starts with the text 'https://' and not 'http://'.
- Ensure that you have installed the latest anti-virus/anti-spyware software, activated the firewall, and applied security patches on your computer and on your smartphone.
- Banks should make sure their perimeter security is in good shape and their email gateways are updated.