Malspam Campaign Uses Microsoft Publisher Files to Attack Banks

Trustwave security experts have registered an unusual malspam campaign attacking banks with the FlawedAmmyy RAT.

What is interesting about this campaign is the use of Microsoft Office Publisher files to infect victims’ computers.

The security researchers registered a tremendous jump in the number of emails containing a Microsoft Office Publisher file (a .pub attachment) and the subject line “Payment Advice,” which were sent to bank domains.

Despite the fact that this malspam campaign is not big at all, it is strongly focused on banks.

The distributed spam messages contain URLs which download the well-known backdoor trojan FlawedAmmyy (RAT).

According to the experts, the campaign was powered by the Necurs botnet.

“This campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past,” the Trustwave analysis states.

“Unlike previous mass campaigns, this campaign was small and, interestingly, all of the To: addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”

As soon as the victims open the .pub file, they are asked to “Enable Macros”; earlier versions of Microsoft Publisher may instead display instructions to “Enable Editing” and “Enable Content”.

Manually opening the Visual Basic Editor (VBA Editor) in Microsoft Publisher and clicking “ThisDocument” in Project Explorer reveals the macro VBScript, which executes a weaponized archive that contains the RAT.

“The macro script is triggered with the function Document_Open(). As the name implies, when the file is opened, the script will access a URL and execute a downloaded file,” the researchers’ analysis reads.

The URL is stored in the Tag Property, and the malicious code leverages control objects in forms to hide the URL from which it downloads the RAT.

“By the time we examined the sample, the URL was not accessible anymore, but a little further research indicated this URL was used for downloading a self-extracting archive, which contained the FlawedAmmyy RAT,” the experts stated.
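For mail-gateway triage of the delivery pattern described above (a .pub attachment carrying a macro, with the subject “Payment Advice”), the following added example, which is not code from Trustwave or from the original article, flags Publisher attachments that are OLE compound files containing a VBA project. It assumes the `_VBA_PROJECT` stream name is visible in the OLE directory as UTF-16LE text and uses a simple byte match rather than a full OLE parser; the addresses and payloads are constructed stand-ins, not real samples.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # OLE2 compound-file signature
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # VBA stream name as stored in the OLE directory
CAMPAIGN_SUBJECT = "payment advice"              # subject line reported for this campaign

def triage_message(raw: bytes) -> list:
    """Return one finding per .pub attachment found in a raw e-mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject_hit = CAMPAIGN_SUBJECT in str(msg.get("Subject", "")).lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".pub"):
            continue
        data = part.get_payload(decode=True) or b""
        is_ole = data.startswith(OLE_MAGIC)
        has_vba = is_ole and VBA_MARKER in data
        if has_vba:
            verdict = "quarantine"   # macro-bearing Publisher file
        elif subject_hit or not is_ole:
            verdict = "review"       # campaign subject, or extension/content mismatch
        else:
            verdict = "allow"
        findings.append({"file": name, "ole": is_ole, "vba": has_vba,
                         "subject_hit": subject_hit, "verdict": verdict})
    return findings

def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Build a constructed test message; payloads are stand-ins, not real .pub files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "ops@bank.example"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed payloads: OLE header plus padding, with and without the VBA stream name.
MACRO_PUB = OLE_MAGIC + b"\x00" * 504 + VBA_MARKER
PLAIN_PUB = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for subj, fn, body in [("Payment Advice", "advice.PUB", MACRO_PUB),
                           ("Newsletter", "flyer.pub", PLAIN_PUB)]:
        print(triage_message(build_sample(subj, fn, body)))
```
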

Last month, Proofpoint researchers registered another huge malspam campaign distributing the FlawedAmmyy RAT, which leveraged emails with weaponized PDF documents containing malicious SettingContent-ms files.

The July campaign was attributed to the financially motivated cybercriminal group TA505.
