PUB File That Drops Ammyy Targeted 2,700 Banks

A campaign that began weeks ago and targeted approximately 2,700 Fortune 100 banking institutions in the US and around the world with a widespread botnet attack came to a sudden halt as of 15:37 EST on 15 August, according to researchers at Cofense. The phishing emails appeared to come from India and carried the subject lines “Request BOI” or “Payment Advice.” Malware analysts had been tracking the Necurs botnet for the last several months and observed the highly targeted phishing campaign as an attempt to go after the financial sector for the first time. The threat actors were reportedly attempting to gain a foothold in the banks’ infrastructure and set the stage for potential further attacks. First observed in 2012 and famed for sending Locky a few years ago, the Necurs rootkit couples multiple Domain Generation Algorithms (DGAs) with .bit domain names and P2P communications. After studying the increased botnet campaigns over the last several weeks, researchers found that all of the recipients were employed at banks. In addition, researchers noted a new file extension, .pub, which belongs to Microsoft Publisher, attached to the phishing emails.
