Necurs Botnet Spreading Locky Ransomware
Posted by: Timothy Weaver on 06/25/2016 11:05 AM
According to Proofpoint, the Necurs botnet is back in business and spewing a smarter version of Locky ransomware along with the Dridex banking Trojan.
It is estimated that Necurs is pushing out 80 to 100 million email messages each day. Each spam email has a zip attachment masquerading as an invoice. The botnet is said to be responsible for losses amounting to between $100,000 and $200,000 a day in criminal activity.
The body of the email reads as follows:
Dear (random name): Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter. Hoping the above to your satisfaction, we remain. Sincerely, (random name and title).
The zip attachment contains JavaScript that checks the victim's system to see whether it is being run in a VM. It does so by counting CPU cycles. “The malware compares the number of CPU cycles that it takes to execute certain Windows APIs. As you would expect, it takes more cycles in a VM environment to execute most Windows functions,” wrote Proofpoint.
Source: Threatpost
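A defensive check for the delivery method described above, as an added example that is not from the original post or from Proofpoint: a Python function a mail filter could run on a zip attachment to flag script members before delivery. The extension list, the limits and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed policy: script types Windows will run when a user double-clicks them.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
MAX_DEPTH = 2                       # assumed limit on nested archives opened
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed size limit for a nested archive

def script_members(zip_bytes, depth=0, prefix=""):
    """Return (path, reason) for each member that should block delivery."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "unreadable archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows ignores trailing dots and spaces, so "a.js." runs as "a.js".
            name = info.filename.lower().rstrip(". ")
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in SCRIPT_EXTS:
                findings.append((path, "script file"))
            elif info.flag_bits & 0x1:  # bit 0 of the zip flags: encrypted
                findings.append((path, "encrypted member, cannot inspect"))
            elif ext == ".zip":
                if depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "nested archive not inspected"))
                else:
                    inner = zf.read(info)
                    findings.extend(script_members(inner, depth + 1, path + "!"))
    return findings

def build_zip(members):
    """Build an in-memory zip from {name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a harmless placeholder script one archive deep.
    inner = build_zip({"invoice_8841.pdf.js": "// constructed placeholder\n"})
    sample = build_zip({"readme.txt": "see attached", "docs/invoice.zip": inner})
    for path, reason in script_members(sample):
        print(path, "->", reason)
```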
