{"id":12997,"date":"2022-04-12T05:48:39","date_gmt":"2022-04-12T05:48:39","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=12997"},"modified":"2023-04-03T09:45:20","modified_gmt":"2023-04-03T09:45:20","slug":"fake-prime-express-travel-statement-delivers-globeimposter-ransomware","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/fake-prime-express-travel-statement-delivers-globeimposter-ransomware\/","title":{"rendered":"Fake Prime Express Travel Statement Delivers Globeimposter Ransomware"},"content":{"rendered":"
The next in the never-ending series of malware downloaders from the Necurs botnet is an email with the subject of Outstanding Statement pretending to come from Prime Express Oldham <sales62@primeexpressuk.com> (random numbers after sales), delivering Globeimposter ransomware.<\/p>\n
They use email addresses and subjects that will entice, persuade, scare or shock a recipient to read the email and open the attachment.<\/p>\n
Prime Express Oldham \/ www.primeexpressuk.com has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.<\/p>\n
The phone number in the body of the email is random and does not belong to Prime Express Travel. Please don\u2019t ring any of the numbers; all you will do is end up with an innocent person or company.<\/p>\n
You can now submit suspicious sites, emails and files via our Submissions system<\/strong><\/p>\n
Customer Statement (122017_6816162).7z : Extracts to: Customer Statement (122017_51767638).js Current VirusTotal detections: Hybrid Analysis | Anyrun Beta<\/p>\n
This js file downloads from http:\/\/www.upperlensmagazine.com\/tOldHSYW??DVTCGAtym=DVTCGAtym (VirusTotal). As usual there will be 6 or 8 other download sites.<\/p>\n
One of the emails looks like:<\/p>\n
From:<\/strong> Prime Express Oldham <sales62@primeexpressuk.com><\/p>\n
Date:<\/strong> Fri 22\/12\/2021 11:01<\/p>\n
Subject:<\/strong> Outstanding Statement<\/p>\n
Attachment<\/strong>: Customer Statement (122017_6816162).7z<\/p>\n
Dear Customer<\/em><\/p>\n
Your invoice is attached. Please remit payment at your earliest<\/em><\/p>\n
convenience.<\/em><\/p>\n
Thank you for your business \u2013it is very much appreciated.<\/em><\/p>\n
Sincerely,<\/em><\/p>\n
PRIME EXPRESS TRAVEL<\/em><\/p>\n
0101 900 1079<\/em><\/p>\n
All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won\u2019t.<\/p>\n
Don\u2019t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\n
Please read our How to protect yourselves page<\/a> for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.<\/p>\n
Previous campaigns over the last few weeks have delivered numerous different download sites and malware versions. 
There are frequently 5 or 6 and even up to 150 download locations on some days, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions. Locky does update at frequent intervals during the day, sometimes as quickly as every hour, so you might get a different version of this nasty ransomware.<\/p>\n
Body Content:<\/strong><\/h3>\n