{"id":10947,"date":"2022-04-08T03:55:51","date_gmt":"2022-04-08T03:55:51","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=10947"},"modified":"2023-04-04T13:54:47","modified_gmt":"2023-04-04T13:54:47","slug":"necurs-botnet-malspamming-globeimposter-ransomware-via-fake-invoices","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/necurs-botnet-malspamming-globeimposter-ransomware-via-fake-invoices\/","title":{"rendered":"Necurs Botnet Malspamming Globeimposter Ransomware Via Fake Invoices"},"content":{"rendered":"
Today\u2019s first set of downloaders from the Necurs botnet arrives as an email with an empty body and the subject FL-610025 11.30.2021 (random numbers), pretending to come from Invoicing @ random email addresses.<\/p>\n
Today it is Globeimposter, not Locky ransomware, being delivered via this malspam campaign from the Necurs botnet.<\/p>\n
They use email addresses and subjects that will entice, persuade, scare or shock a recipient to read the email and open the attachment.<\/p>\n
You can now submit suspicious sites, emails and files via our Submissions system<\/strong><\/p>\n FL-610025 11.30.2017.7z : Extracts to: FL-432927.vbs Current VirusTotal detections: Hybrid Analysis | Anyrun Beta<\/p>\n Downloads from http:\/\/datenhaus.info\/JHGcd476334? (as usual there will be dozens of different download sites) (VirusTotal) (Anyrun Beta)<\/p>\n One of the emails looks like:<\/p>\n From:<\/strong> Invoicing <Invoicing@random company ><\/p>\n Date:<\/strong> Thu 30\/11\/2021 09:18<\/p>\n Subject:<\/strong> FL-610025 11.30.2021<\/p>\n Attachment:<\/strong> FL-610025 11.30.2021.7z<\/p>\n Completely empty<\/em><\/p>\n All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won\u2019t. Don\u2019t try to respond by phone or email; all you will do is end up with an innocent person or company who has had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\nBody Content:<\/strong><\/h3>\n