The Necurs botnet has been linked to a new campaign launched against financial institutions in order to spread Remote Access Trojans (RATs).

According to Cofense, the campaign started on August 15. Spam messages were sent en masse to 2,700 banks.

However, what makes this campaign interesting is that all targets were bank employees, which suggests a level of spear phishing.

“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically,” Cofense says.

The Necurs botnet, known internally by Proofpoint as TA505, is one of the largest spam generators in existence.

The short-lived campaign launched by the botnet abruptly stopped roughly eight hours after being discovered.

The spam emails in this campaign are basic and appear to be coming from India. The message titles are simple, too, as they include either “Request BOI” or “Payment Advice” with a random number attached.

However, the malicious payload is far from simple.

CNET: Australia’s biggest bank lost records for 20 million accounts

As a break outside the norm for the botnet, there is the addition of weaponized Microsoft Publisher files which are attached to the fraudulent emails. The .PUB files contain embedded macros which, once downloaded and opened, then grabs a payload from a remote host. A smaller number of targets were issued malicious .PDF file attachments.

See also: ‘Hacky hack hack’: Teen arrested for breaking into Apple’s network

“Like Word and Excel, Publisher has the ability to embed macros,”…