{"id":10928,"date":"2022-04-12T06:20:21","date_gmt":"2022-04-12T06:20:21","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=10928"},"modified":"2023-04-04T13:13:59","modified_gmt":"2023-04-04T13:13:59","slug":"more-necurs-botnet-sent-fake-invoices-deliver-malware","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/more-necurs-botnet-sent-fake-invoices-deliver-malware\/","title":{"rendered":"More Necurs Botnet Sent Fake Invoices Deliver Malware"},"content":{"rendered":"
<p>The next in the never-ending series of malware downloaders being sent from the Necurs botnet is a typical generic spam email with the subject of Copy of Invoice 487391 (random numbers), pretending to come from Customer Service &lt;service@randomdomain.tld&gt;. There is no attachment with these today, just a link in the email body to a variety of compromised sites.<\/p>\n
<p>The link will always go to &lt;site name&gt;\/invoice.html, which uses an iframe to download a random-numbered invoice.js from <strong>http:\/\/wittinhohemmo.net\/invoice.php<\/strong> (this site has been used in this malware campaign for at least a week now).<\/p>\n<p>The .js file is different from the ones we have been seeing so far this week: they are much smaller (about 5KB) and use trivially obfuscated reversed strings to \u201chide\u201d the download sites.<\/p>\n<p>Sites I found are:<\/p>\n<p><strong>http:\/\/multila.com\/HJGFjhece3.exe<\/strong><\/p>\n<p><strong>http:\/\/vereouvir.pt\/HJGFjhece3.exe<\/strong><\/p>\n<p>They use email addresses and subjects that will entice a user to read the email and follow the link.<\/p>\n<p>Invoice-671398.js current VirusTotal detections: Payload Security | HJGFjhece3.exe (VirusTotal) (Payload Security)<\/p>\n<p>I cannot work out if this is Trickbot or Locky today so far. The behaviour seen so far doesn\u2019t exactly match either malware. It might be damaged, not working properly, or have some sort of anti-sandbox\/VM protection. My gut feeling is Trickbot, based on similar behaviour over the last few days when run in a sandbox or VM.<\/p>\n<p>One of the emails looks like:<\/p>\n<p><strong>From:<\/strong> Customer Service &lt;service@hpotextil.com.br&gt;<\/p>\n<p><strong>Date:<\/strong> Thu 14\/09\/2021 09:03<\/p>\n<p><strong>Subject:<\/strong> Copy of Invoice 487391<\/p>\n<h3><strong>Body Content<\/strong>:<\/h3>\n<p><em>Please download file containing your order information. If you have any further questions regarding your invoice, please call Customer Service. Please do not reply directly to this automatically generated e-mail message. Thank you. Customer Service Department<\/em><\/p>\n<blockquote><p>All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are all random. Some of these companies will exist and some won\u2019t.<\/p>\n
<p>Don\u2019t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p><\/blockquote>\n