Criminals exclusively target bank staff credentials with RAT-laced Microsoft Publisher email attachments

  • Liam Tung (CSO Online)
  • 21 August, 2018 04:09

Cybercriminals have chosen one of Microsoft’s lesser-known Office applications, Publisher (.pub files), as the vehicle for distributing password-stealing malware aimed at employees of thousands of banks around the world.

The phishing campaign was aimed exclusively at banking employees and included the domains of 3,701 banks, according to security firm Cofense. Every single email it caught was intended for banking employees. 

“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically,” Cofense researchers noted.

Publisher isn’t as widely used as Excel, PowerPoint or Word, so a .pub attachment may have a better chance of reaching recipients if the organization’s spam filter doesn’t inspect files with that extension. Office 365’s built-in attachment inspection rules, for example, don’t cover the .pub extension by default, whereas Word formats such as .docm and .docx are covered out of the box.
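One way to close that gap at the mail gateway, as an added example that is not from the article or from Cofense or Trustwave: an Exchange Online mail flow (transport) rule, created from an Exchange Online PowerShell session, that rejects inbound mail from outside the tenant when it carries an attachment with the .pub extension. The rule name, reject text and comment are illustrative choices, not values from the article.

```powershell
# Added example: reject inbound .pub attachments with an Exchange Online mail flow rule.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
# The rule name and reject text below are illustrative, not values from the article.

$ruleName = "Block Publisher (.pub) attachments from outside the organization"

# Create the rule only if it does not already exist, so the script is safe to re-run.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    # -FromScope NotInOrganization: only mail from external senders is affected.
    # -AttachmentExtensionMatchesWords: extension names without the leading dot.
    # Rejecting (rather than deleting) returns an NDR so legitimate senders learn why.
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -AttachmentExtensionMatchesWords "pub" `
        -RejectMessageReasonText "Publisher (.pub) attachments are not accepted by this organization." `
        -RejectMessageEnhancedStatusCode "5.7.1" `
        -Priority 0 `
        -Comments "Added after reports of .pub attachments delivering the FlawedAmmyy RAT to bank staff (August 2018)"
}

# Verify the rule exists and is enabled before trusting it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, AttachmentExtensionMatchesWords, RejectMessageReasonText
```

Note the limit of this control: the extension condition matches on the attachment’s file name, so a Publisher document renamed to another extension, or nested inside an archive, is not caught by this rule alone. Pair it with a condition or policy that inspects attachment content (for example the rule condition -AttachmentHasExecutableContent, or a Safe Attachments policy) rather than relying on file names.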

Researchers at security firm Trustwave who also spotted the wave of Publisher spam said it was “very unusual” for malware spammers to use Publisher to deliver malware. 

However, Publisher is useful to attackers because, like Excel and Word, it supports macros, one of the more popular ways of fetching malware from a remote server once a victim opens the attachment. The technique is old but has resurfaced recently as attackers have learned that some employees will open suspicious emails and attachments no matter how much security awareness training they’ve received.

Besides the use of Publisher, the campaign employs fairly standard tricks to dupe recipients into opening the attachment and following prompts to Enable Macros. 

The subject line reads “Payment Advice DHS158700155”; if the recipient opens the bogus remittance advice and enables macros, a Visual Basic for Applications (VBA) macro contacts a URL and downloads a malicious executable.

That file, a self-extracting archive, contains a remote access tool (RAT) known as FlawedAmmyy, a backdoor that gives the attacker covert control of the compromised machine.

The spam campaign itself appears to originate from the Necurs botnet, which has historically been used to distribute ransomware such as Locky and the Dridex banking trojan. Those earlier campaigns, however, were typically aimed at the masses rather than at banking employees specifically.

“Unlike previous mass campaigns, this campaign was small and, interestingly, all of the To: addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT,” Trustwave researchers said.

FlawedAmmyy, meanwhile, has appeared on malware researchers’ radars this year, though it has been around since 2016, often relying on bogus invoices to trick recipients into opening malicious archive files. FlawedAmmyy is built on leaked source code of the remote desktop tool Ammyy Admin.

Researchers at Proofpoint spotted FlawedAmmyy in March being distributed in zipped email attachments, noting that the RAT had been used in both mass campaigns and highly targeted credential-theft campaigns against specific industries.

The discovery of the FlawedAmmyy phishing attack on banks came as the FBI reportedly warned the financial sector that cybercriminals were preparing a global “ATM cashout” operation, the kind of event that typically follows successful malware or phishing attacks on banks or payment-processing providers.