The Necurs botnet has changed again today and appears to be delivering yet another ransomware version. I think today’s malware is some sort of ransomware but I am not 100% sure. I am seeing mixed results whether it is ransomware or Trickbot, so it could well be “one of them files” that delivers different versions according to your IP address & country.
Update: I am informed that this is definitely the Trickbot banking trojan, not ransomware, although several antiviruses are detecting it as a ransomware version.
An email with the subject of Invoice RE-2017-12-12-00572 (random numbers after the date) pretending to come from Amazon Marketplace <lqftdwbmxYYfT@marketplace.amazon.com> (random characters before the @) with a malicious Word doc attachment delivers what looks like some sort of ransomware.
They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, with the hope of getting a better response than they do from consumers.
Remember, many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com>. That is why these scams and phishes work so well.
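A mail-filter check for the header pattern described above, as an added example that is not part of the original post. It assumes the subject always ends in five digits and that the random local part is letters only in mixed case, both generalized from the single sample shown; the two messages are constructed test input.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject shape from the post: "Invoice RE-YYYY-MM-DD-NNNNN" (digits after the date vary).
SUBJECT_RE = re.compile(r"^Invoice RE-\d{4}-\d{2}-\d{2}-\d{5}$")
SPOOFED_DOMAIN = "marketplace.amazon.com"
# Assumption: random local part = 10+ letters with both cases, like the post's sample.
RANDOM_LOCAL_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{10,}$")

def what_user_sees(raw_message):
    """Display name only, as many mobile clients render the From: line."""
    name, address = parseaddr(message_from_string(raw_message).get("From", ""))
    return name or address

def campaign_indicators(raw_message):
    """Return which traits of this campaign appear in one message's headers."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    local, _, domain = address.rpartition("@")
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    if domain.lower() == SPOOFED_DOMAIN and RANDOM_LOCAL_RE.match(local):
        hits.append("random-local-part")
    return hits

# Constructed sample built from the subject and sender quoted in the post.
SAMPLE_CAMPAIGN = (
    "From: Amazon Marketplace <lqftdwbmxYYfT@marketplace.amazon.com>\n"
    "Subject: Invoice RE-2017-12-12-00572\n"
    "\n"
    "Please see the attached invoice.\n"
)
# Constructed benign-looking message with the same display name.
SAMPLE_BENIGN = (
    "From: Amazon Marketplace <no-reply@marketplace.amazon.com>\n"
    "Subject: Your order has shipped\n"
    "\n"
    "Thanks for your order.\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_CAMPAIGN, SAMPLE_BENIGN):
        print(what_user_sees(raw), "->", campaign_indicators(raw) or "no match")
```

Both samples show the same name to the reader, so only the full address and subject separate them.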