Necurs botnet delivers GlobeImposter via malicious emails

Necurs is alive again and pushes GlobeImposter through fake invoices

Necurs delivers Globe Imposter virus via malicious email attachments

Although the Necurs spam wave stopped on November 23, IT analysts have noticed another flow of spam emails being sent by the botnet. The malicious campaign pushed fake invoices to distribute GlobeImposter ransomware[1] for 12 hours on November 30, 2017[2].

The delivered emails came from a sender named Invoicing and imitated legitimate, even well-known, brands. The subject line read FL-[random numbers] 11.30.2017 or Emailing-[random numbers]. The body, however, was empty apart from a .7z attachment[3]. Experts report that the archive contained VBS files used to drop the infamous Globe Imposter virus.
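The traits just listed (the "Invoicing" display name, the two subject formats, an empty body and a .7z attachment) are enough for a mail-gateway triage rule. The script below is an added example, not code from the article or from any vendor: it parses a raw RFC 822 message with Python's standard email library and returns which of the campaign indicators it matches. The regular expressions are my own encoding of the subject formats the article describes, and the two sample messages are constructed (the attachment body is placeholder bytes, not a real archive).

```python
import re
from email import message_from_string
from email.message import Message

# Campaign traits taken from the article: sender display name "Invoicing",
# subject "FL-<numbers> 11.30.2017" or "Emailing-<numbers>", an empty body
# and a .7z attachment. The patterns below are my own encoding of them.
SUBJECT_PATTERNS = (
    re.compile(r"^FL-\d+ 11\.30\.2017$"),
    re.compile(r"^Emailing-\d+$"),
)
SENDER_DISPLAY_NAME = "Invoicing"
ARCHIVE_SUFFIXES = (".7z",)


def _body_text(msg: Message) -> str:
    """Join the decoded text/* parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "".join(chunks).strip()


def _attachment_names(msg: Message) -> list:
    """File names of every MIME part that declares one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def _display_name(from_header: str) -> str:
    """Display name in front of the angle-bracketed address, quotes stripped."""
    return from_header.split("<", 1)[0].strip().strip('"')


def triage(raw_email: str) -> list:
    """Return the campaign indicators that a raw RFC 822 message matches."""
    msg = message_from_string(raw_email)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        hits.append("subject_pattern")
    if _display_name(msg.get("From") or "") == SENDER_DISPLAY_NAME:
        hits.append("invoicing_display_name")
    if not _body_text(msg):
        hits.append("empty_body")
    if any(n.lower().endswith(ARCHIVE_SUFFIXES) for n in _attachment_names(msg)):
        hits.append("archive_attachment")
    return hits


# Constructed sample messages; the attachment bytes are a placeholder, not a real archive.
SAMPLE_SPAM = """\
From: Invoicing <Invoicing@example.invalid>
To: victim@example.invalid
Subject: FL-482913 11.30.2017
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit


--demo-boundary
Content-Type: application/x-7z-compressed; name="FL-482913.7z"
Content-Disposition: attachment; filename="FL-482913.7z"
Content-Transfer-Encoding: base64

AAAAAAAAAAAAAAAA
--demo-boundary--
"""

SAMPLE_BENIGN = """\
From: Alice <alice@example.invalid>
To: bob@example.invalid
Subject: Lunch tomorrow?
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    print("spam   ->", triage(SAMPLE_SPAM))
    print("benign ->", triage(SAMPLE_BENIGN))
```

A single matching indicator (an empty body, say) is weak on its own; the value is in the combination, so a gateway rule would quarantine on three or four hits and merely tag on one.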

The crooks managed to break into legitimate domains, compromise them and use them for ransomware distribution. Cybersecurity experts list the following URLs which might be hosting GlobeImposter:

  • summi.space;
  • hxxp://mh-service.ru/JHGcd476334?;
  • hxxp://datenhaus.info/JHGcd476334?;
  • hxxp://awholeblueworld.com/JHGcd476334?;
  • hxxp://accessyouraudience.com/JHGcd476334?;
  • n224ezvhg4sgyamb.onion.rip;
  • hxxp://yamanashi-jyujin.jp/JHGcd476334?;
  • hxxp://hexacam.com/JHGcd476334?;
  • hxxp://bit-chasers.com/JHGcd476334?;
  • hxxp://alucmuhendislik.com/JHGcd476334?.

Ransomware encrypts data and asks to pay a ransom in exchange for recovering files

If victims open the malicious attachment, they trigger an automatic Globe Imposter download[4]. Once on the system, it starts encrypting data and appends the ..doc file extension to the affected files. To recover the encrypted information, victims are asked to pay a ransom of 0.102 Bitcoin, which is approximately $1000.
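The appended ..doc extension and the dropped READ__ME.html note are the two on-disk artefacts an incident responder can use to scope how far the encryption got. The script below is an added example, not the article's or any vendor's code: it walks a directory tree and reports encrypted files, ransom notes and the directories touched. The sample profile it builds under a temporary directory is constructed for the demonstration, and the double-dot suffix check deliberately does not match an ordinary .doc file.

```python
import os
import shutil
import tempfile

ENCRYPTED_SUFFIX = "..doc"          # extension GlobeImposter appends, per the article
RANSOM_NOTE_NAME = "READ__ME.html"  # ransom note file name, per the article


def survey(root: str) -> dict:
    """Walk root and report encrypted files, ransom notes and affected directories.

    Paths are returned relative to root so the result is easy to read and compare.
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.endswith(ENCRYPTED_SUFFIX):   # "memo.doc" does not match, "x.docx..doc" does
                encrypted.append(rel)
            elif name == RANSOM_NOTE_NAME:
                notes.append(rel)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted}),
    }


def build_sample_tree() -> str:
    """Create a constructed directory mimicking a partly encrypted user profile."""
    root = tempfile.mkdtemp(prefix="globeimposter_demo_")
    layout = {
        "Documents/memo.doc": b"plain Word file with a legitimate .doc suffix",
        "Documents/report.docx..doc": b"\x00\x01 opaque bytes left by the encryptor",
        "Documents/READ__ME.html": b"<html>ransom demand</html>",
        "Pictures/holiday.jpg": b"jpeg bytes",
        "Pictures/holiday.jpg..doc": b"\x00\x02 opaque bytes left by the encryptor",
        "Pictures/READ__ME.html": b"<html>ransom demand</html>",
        "Downloads/setup.exe": b"untouched",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def demo() -> dict:
    """Build the sample tree, survey it and remove it again; returns the survey."""
    root = build_sample_tree()
    try:
        return survey(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['encrypted'])} encrypted files in {result['affected_dirs']}")
    print("ransom notes:", result["notes"])
```

Run against a real user profile or file share, the affected-directory list tells you which shares the infected account could write to, which is also the list of places to restore from backup after the machine is cleaned.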

The ransom note appears as a READ__ME.html file and states the following:

Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
To send a message or file use this link.

To buy the decryptor, you must pay the cost of 0.102 Bitcoin.
You have 2 days for the payment.
After finishing offer, decryptor cost will be 0.204 Bitcoin.

Besides urging the victim to pay before the ransom doubles, the criminals also demand a real email address once the transaction is made. It is clear that they collect this information to fuel future Necurs botnet activity.

Experts have uncovered a fraction of the bogus sender addresses from which GlobeImposter was distributed:

  • Invoicing <Invoicing@tarragona.tinet.org>;
  • Invoicing <Invoicing@mpatransportes.com.br>;
  • Invoicing <Invoicing@jolijtransport.nl>;
  • Invoicing <Invoicing@bruceandleslie.com>;
  • Invoicing <Invoicing@b-carpentry.com>;
  • Invoicing <Invoicing@pinnacleminds.com.sg>;
  • Invoicing <Invoicing@leofricbuildings.co.uk>;
  • Invoicing <Invoicing@dorukcar.com>;
  • Invoicing <Invoicing@bournemedia.co.uk>;
  • Invoicing <Invoicing@ambiflex.com>.
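The two lists in this article (the defanged download URLs above and the sender addresses just listed) are the raw material for a retrospective log search. The script below is an added example, not the article's or any vendor's code: it refangs the hxxp:// notation, extracts the host of each URL, and then checks constructed proxy and mail log excerpts against the indicators. The Squid-style access log and Postfix qmgr line layouts are assumptions about the reader's environment, and treating the shared /JHGcd476334 path as a signal of its own (so that the same payload on an unlisted host is still flagged) is my assumption, made because the article says the listed domains are only a fraction of those used.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the article: download URLs (defanged with hxxp://)
# and the "Invoicing" sender addresses. Refanged locally, for matching only.
DEFANGED_URLS = (
    "summi.space",
    "hxxp://mh-service.ru/JHGcd476334?",
    "hxxp://datenhaus.info/JHGcd476334?",
    "hxxp://awholeblueworld.com/JHGcd476334?",
    "hxxp://accessyouraudience.com/JHGcd476334?",
    "n224ezvhg4sgyamb.onion.rip",
    "hxxp://yamanashi-jyujin.jp/JHGcd476334?",
    "hxxp://hexacam.com/JHGcd476334?",
    "hxxp://bit-chasers.com/JHGcd476334?",
    "hxxp://alucmuhendislik.com/JHGcd476334?",
)
SENDER_ADDRESSES = (
    "Invoicing@tarragona.tinet.org",
    "Invoicing@mpatransportes.com.br",
    "Invoicing@jolijtransport.nl",
    "Invoicing@bruceandleslie.com",
    "Invoicing@b-carpentry.com",
    "Invoicing@pinnacleminds.com.sg",
    "Invoicing@leofricbuildings.co.uk",
    "Invoicing@dorukcar.com",
    "Invoicing@bournemedia.co.uk",
    "Invoicing@ambiflex.com",
)
# Every listed URL carries the same path token; using it as a standalone
# signal is my assumption, so that unlisted hosts serving that path get flagged.
PAYLOAD_PATH = "/JHGcd476334"


def refang(indicator: str) -> str:
    """Turn the defanged hxxp:// notation back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)


def indicator_host(indicator: str) -> str:
    """Host name of a listed indicator, whether it is a bare host or a URL."""
    url = refang(indicator)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


IOC_HOSTS = frozenset(indicator_host(u) for u in DEFANGED_URLS)
IOC_SENDERS = frozenset(a.lower() for a in SENDER_ADDRESSES)


def classify_url(url: str):
    """'known_host', 'shared_path' or None for a URL seen in traffic."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in IOC_HOSTS:
        return "known_host"
    if parts.path == PAYLOAD_PATH:
        return "shared_path"
    return None


def scan_proxy_log(text: str) -> list:
    """Match Squid-style access log lines (client IP in field 3, URL in field 7)."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        verdict = classify_url(fields[6])
        if verdict:
            hits.append((fields[2], fields[6], verdict))
    return hits


FROM_RE = re.compile(r"(\w+): from=<([^>]+)>")


def scan_mail_log(text: str) -> list:
    """Match Postfix qmgr lines whose envelope sender is a listed address."""
    hits = []
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m and m.group(2).lower() in IOC_SENDERS:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed log excerpts (Squid access.log and Postfix mail.log layouts).
PROXY_LOG = """\
1512032401.118    312 10.0.0.5 TCP_MISS/200 1842 GET http://mh-service.ru/JHGcd476334? - HIER_DIRECT/203.0.113.10 application/octet-stream
1512032402.551     40 10.0.0.7 TCP_HIT/200 5120 GET http://www.example.com/index.html - HIER_NONE/- text/html
1512032405.903    290 10.0.0.9 TCP_MISS/200 1842 GET http://unlisted.example/JHGcd476334? - HIER_DIRECT/198.51.100.4 application/octet-stream
"""
MAIL_LOG = """\
Nov 30 09:12:01 mx postfix/qmgr[2140]: 7F3A1C0: from=<Invoicing@ambiflex.com>, size=20481, nrcpt=1 (queue active)
Nov 30 09:12:07 mx postfix/qmgr[2140]: 7F3B2D1: from=<alice@example.com>, size=1402, nrcpt=1 (queue active)
Nov 30 09:12:15 mx postfix/qmgr[2140]: 7F3C3E2: from=<invoicing@DORUKCAR.com>, size=20481, nrcpt=3 (queue active)
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy:", *hit)
    for hit in scan_mail_log(MAIL_LOG):
        print("mail: ", *hit)
```

Matching is case-insensitive on both hosts and addresses, since mail servers and proxies preserve whatever case the sender used. A proxy hit on the shared path from an unlisted host is worth treating as a new indicator and adding to the host list once confirmed.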

Protect yourself from ransomware attacks

Since the Globe Imposter virus has employed the Necurs botnet to spread via spam emails, we encourage you to check the addresses provided above attentively and never open emails sent from them. In fact, do not open emails sent by anyone you don't know.

Hackers might also manage to break into social media accounts and distribute infected links or attachments[5]. Usually, they compose a shallow message like “Lol, check this out! [malicious link]” and send it to everyone on the friend list. Therefore, you should carefully monitor your activity on the Internet and contact your peers in person if you have any doubts.

Additionally, it is essential to use powerful security software at all times. It will not only protect you from ransomware infiltration but also help remove it if it sneaks into your computer. Note that regular updates are a necessity, since they patch the system vulnerabilities that are used to infect systems.

However, if you have already been infected by GlobeImposter, do not pay the ransom or provide your email address. Instead, remove the virus with an anti-malware tool and try to retrieve the corrupted files using alternative recovery methods. Remember that you should keep backups to protect your data[6]; they will help you restore your information in case of a ransomware attack.

About the author
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.
