UPDATE: Necurs Botnet Banks on a Second Bite of the Apple with New Malware Delivery Method



Last week, Cofense™ research uncovered and broke the news that the Necurs botnet had begun a highly targeted campaign aggressively attacking more than 3,000 banks worldwide with a malicious PUB file that drops the FlawedAmmyy malware. You can read the full analysis in last week’s research blog.

As of Aug 21, 9am EST, the Necurs botnet began another banking-specific campaign. For this run, the actors spoofed the sender so that the emails appear to come from the South African Capitec Bank. This is in line with other recent campaigns where the sender is likely to be viewed as legitimate by the recipients. By building this trust, the attackers are hoping to lower the defenses of the end user and get them to open the attachment.


When the PDF file is opened, JavaScript included in it attempts to open a file embedded in the PDF.

The file that it attempts to automatically open is one that we’ve seen recently. The PUB file format was sent as an attachment last week in another banking-specific campaign. It appears that the actors may have found some success with PUB files, as they have switched from including IQY files in PDFs, as seen in a campaign from Aug 10th. That particular campaign did not have the banking focus that we are seeing today and may have been a test run to validate the efficacy of the PDF dropper. Once the PUB file is automatically opened, the target is greeted by the typical banner encouraging them to enable macros.
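A static triage check for the delivery pattern described above (a PDF whose JavaScript opens an embedded PUB or IQY file), as an added example that is not Cofense's code or detection rule. The keyword list, the `triage_pdf` name, and the assumption that the script uses Acrobat's `exportDataObject` are not from the article, and the sample bytes are constructed.

```python
import re
import zlib

# PDF name tokens relevant to "JavaScript opens an embedded attachment".
KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/EmbeddedFile", "/Launch")
RISKY_EXT = (b".pub", b".iqy")  # attachment types named in the article

def _decode_names(data: bytes) -> bytes:
    # PDF names may hide characters as #xx escapes: /J#61vaScript == /JavaScript.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes) -> bytes:
    # Scripts often sit in Flate-compressed streams; inflate whatever decodes.
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # stream is not Flate data
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    view = _decode_names(data + b"\n" + _inflate_streams(data))
    counts = {k: len(re.findall(re.escape(k.encode()) + rb"(?![A-Za-z])", view)) for k in KEYS}
    names = {n.decode("latin-1") for n in re.findall(rb"\(([^()\r\n]{1,120})\)", view)
             if n.lower().endswith(RISKY_EXT)}
    scripted = counts["/JavaScript"] + counts["/JS"] > 0
    auto = counts["/OpenAction"] + counts["/AA"] > 0
    # Assumption: the script opens the attachment via Acrobat's exportDataObject.
    exports = b"exportDataObject" in view
    return {"counts": counts, "exports_attachment": exports,
            "risky_attachments": sorted(names),
            "suspicious": scripted and counts["/EmbeddedFile"] > 0 and (auto or exports)}

# Constructed, non-functional samples (not real PDFs, script body elided).
_SCRIPT = zlib.compress(b"// placeholder\nexportDataObject /* call elided */")
SAMPLE_DROPPER = (
    b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Filespec /F (20082018.pub) /EF << /F 4 0 R >> >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile >>\nstream\nstub\nendstream\nendobj\n"
    b"5 0 obj << /Filter /FlateDecode >>\nstream\n" + _SCRIPT + b"\nendstream\nendobj\n%%EOF\n"
)
SAMPLE_BENIGN = b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, triage_pdf(blob))
```

Keyword counts like these are a triage signal, not a verdict; encrypted PDFs and streams using filters other than Flate need a full PDF parser.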

The macro embedded within the publisher file is very similar to the one from the previous campaign.


The macro reads the value from UserForm1.Frame1.Tag and performs a GET request to the address stored there.

This chain of events is identical to the previous campaign. At the time of discovery, there were very few anti-virus detections for all components related to this.

It appears the Necurs botnet has its sights set on the banking industry now, after some initial testing done earlier this month. While the methods used are not entirely unique, the constant development and fine-tuning of their attacks shows a concerted effort to reach the end goal of compromising banks. End users across all institutions, especially financial ones, must remain vigilant in identifying suspicious emails and reporting them to their security teams for further analysis and attack disruption.

Upon discovery of the campaign this morning, the Cofense Intelligence™ team created a new rule for Cofense Triage™, our phishing response platform, to detect this attack. Along with other Cofense rules, this addition makes it possible for Cofense Triage customers to immediately identify the attack in progress. Customers of Cofense PhishMe™, our phishing awareness and simulation solution, will also have this campaign template included for future conditioning of end users to build resiliency against this attack.

Cofense research will continue monitoring for further developments.

Don’t ever miss out on another threat – sign up for complimentary Threat Alerts from Cofense, delivered straight to your inbox at no cost.


PDF Filename: payment_notification.pdf

PDF SHA256: 48fc65553900710b69bb9428e9320d3235402b71360999bf5e840ef07964130b

PUB Filename: 20082018.pub

PUB SHA256: 2f9b8b804cbee6a7c58263e757c9f3a01dc7098231b763acd51c8e7938e31d6d

Cotton.exe SHA256:


Email Subject: Payment Notification

Download URL: hxxp://f67icom/con


Cofense Intel Rule Name: PM_Intel_AmmyyAdmin_12799

C2: 185[.]99[.]132[.]12


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.
