The Necurs botnet that made headlines last year for taking screenshots and gathering data from infected personal computers is back in the news with a new phishing campaign targeting banks.

Detailed in a blog post by security firm Cofense Inc., the campaign started Wednesday and has so far targeted 2,700 bank domains and employees who work for those banks.

The emails include Microsoft Publisher .PUB files that when clicked on execute a macro that downloads a remote access trojan from a remote host. That in turn “provides full remote control of the compromised host leading to file and credential theft as well as serving as a beachhead for any further lateral movement within the organization,” according to Cofense.

Kevin O’Brien, chief executive officer of GreatHorn Inc., told SiliconANGLE that the switch of Necurs to highly targeted phishing attacks is alarming.

“Our research shows that nearly two-thirds (63.5 percent) of non-technical employees believe they never see email threats in their corporate inboxes which makes them more likely to be a victim of these attacks now that cybercriminals are poised to increase their volume,” O’Brien said.

“The fact that Necurs is targeting the financial services industry is no mistake,” he added. “Businesses within this industry are highly regulated which gives employees’ an unrealistic perception that their corporate inbox is safe.”

The problem, he said, is that most of these organizations use legacy secure email gateways designed to operate at the perimeter using a binary good/bad model that does not work within cloud platforms. “IT and security professionals need to shift their strategies towards continuous protection models that can spot highly targeted spear phishing campaigns as well as general malware, and provides a mechanism for re-evaluating and remediating email as new threats emerge,” he said.

The news comes less than a week after the U.S. Federal Bureau of Investigation issued a warning to banks that cybercriminals are planning a global attack on financial institutions that involves hacking systems and stealing millions of dollars via automatic teller machines.

That hacking campaign involved gaining access to internal banking systems to alter ATM limits and bank account balances. Although there is no hard proof that the Necurs botnet phishing campaign targeting banks is related, it may be more than a coincidence.

Image: Cofense