Necurs Botnet Malspam Delivering A New Ransomware Via Fake Scanner / Copier Messages

Published: 2022-02-23 (modified 2023-04-04)
Source: https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/
We have had an almost 2-week break from Locky ransomware. This morning in the UK we suddenly saw it return. It is almost as if they have timed the new version to spam out on Thanksgiving Day in the USA, when the AV companies and security teams are off on their long weekend holiday. The next in the never-ending series of downloaders from the Necurs botnet is an email with the subject "scanned from (printer or scanner name)", pretending to come from copier@ at your own email address or company domain.
However, it is definitely ransomware, but it doesn't look like Locky: the ransom note is very different. These emails all have blank bodies with just the subject and an attachment. Whether this is a new version of Locky ransomware or a new ransomware using the Locky / Necurs distribution network is open to debate at the moment.

Update: I am being told it is Scarab ransomware.
The online sandbox reports appear to indicate that these do not change the file extension when they encrypt a file; however, that appears to be a limitation of the VM or online sandbox. Other researchers testing on real systems have seen the added extensions.
I am not certain that these are running properly and fully encrypting. The ransom note is overly complicated, with no obvious way for the victim to easily pay the ransom. It asks the victim to email the personal identification key from the txt file, which means any decryption keys would have to be sent manually rather than automatically as in previous cases.
The new ransom note is called IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

They use email addresses and subjects that will entice, persuade, scare or shock a recipient into reading the email and opening the attachment.
Neither you, your email server nor any device on your network has been hacked, and the apparent senders have not had their email or other servers compromised. They are not sending the emails to you; they are innocent victims in exactly the same way as every recipient of these emails.
The subjects in this campaign vary but are all copier or scanner related.
image2017-11-23-4360760.7z: extracts to image2017-11-22-5864621.vbs. Current VirusTotal detections | Hybrid Analysis | Anyrun Beta | Joesecurity | EMPTY

All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won't.

Don't try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and organisations, with subjects designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

Previous campaigns over the last few weeks have delivered numerous different download sites and malware versions. There are frequently 5 or 6, and on some days up to 150, download locations, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions. Locky does update at frequent intervals during the day, sometimes as quickly as every hour, so you might get a different version of this nasty ransomware.

This is another one of those files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, making it much more likely that you will accidentally open it and be infected.
This downloads from (in this example; there will be dozens of other download sites) http://pamplonarecados.com/JHgd476? (VirusTotal)
One of the emails looks like:

From: copier@victimsdomain.com
Date: Thu 23/11/2021 06:28
Subject: Scanned from HP
Attachment: image2021-11-23-4360760.7z

Body Content: