This campaign is nearly identical to yesterday’s Locky campaign, so today we’ll go straight to the differences and the IOCs.
Below is a screenshot of an example of this malspam campaign, in which the From address and the To address are identical:
Below are the details in the SMTP headers that can be used for identification and blocking on your SMTP gateways:
Received: from [220.127.116.11] ([18.104.22.168])
Content-Type: multipart/mixed; boundary="--_com.android.email_7844755908151083"
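As an added example (not part of the original post or the CTIG's tooling), the following Python scores a raw message against the three header traits described above: a Received header carrying one of the listed relay IPs, a From address equal to the To address, and a multipart boundary of the form --_com.android.email_&lt;digits&gt;. The sample messages, addresses and boundary value are constructed for the example. The boundary shape alone also matches mail sent by legitimate Android clients, so it is treated as a weak signal that only blocks in combination with the identical From/To trait; the relay IP blocks on its own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Relay IPs from the Received header listed as indicators for gateway blocking.
BLOCKED_RELAY_IPS = {"220.127.116.11", "18.104.22.168"}

# Boundary shape seen in this campaign. Real Android mail clients produce the same
# shape, so this is scored as a weak trait rather than blocked outright.
ANDROID_BOUNDARY_RE = re.compile(r"^--_com\.android\.email_\d+$")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample modelled on the campaign traits; addresses are made up.
SAMPLE_MALSPAM = """\
Received: from [220.127.116.11] ([18.104.22.168])
From: accounts@example.com
To: accounts@example.com
Subject: Invoice
Content-Type: multipart/mixed; boundary="--_com.android.email_7844755908151083"

--_com.android.email_7844755908151083
Content-Type: text/plain

see attached
--_com.android.email_7844755908151083--
"""

# Constructed benign message from a real Android client: different From/To, clean relay.
SAMPLE_BENIGN = """\
Received: from [192.0.2.44] ([192.0.2.44])
From: alice@example.org
To: bob@example.net
Subject: photos
Content-Type: multipart/mixed; boundary="--_com.android.email_1234567890"

--_com.android.email_1234567890
Content-Type: text/plain

here you go
--_com.android.email_1234567890--
"""


def score_message(raw: str) -> dict:
    """Return which of the campaign's header traits a raw RFC 5322 message exhibits."""
    msg = message_from_string(raw)
    received_ips = set()
    for hdr in msg.get_all("Received", []):
        received_ips.update(RECEIVED_IP_RE.findall(hdr))
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    boundary = msg.get_boundary() or ""
    return {
        "relay_ip_match": bool(received_ips & BLOCKED_RELAY_IPS),
        "from_equals_to": bool(from_addr) and from_addr == to_addr,
        "android_boundary": bool(ANDROID_BOUNDARY_RE.match(boundary)),
    }


def should_block(raw: str) -> bool:
    """Block on a listed relay IP alone, or when both weaker traits coincide."""
    s = score_message(raw)
    return s["relay_ip_match"] or (s["from_equals_to"] and s["android_boundary"])


if __name__ == "__main__":
    for name, raw in (("malspam", SAMPLE_MALSPAM), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw), "block" if should_block(raw) else "pass")
```

On a gateway this would run as a content filter (a milter or equivalent) over the full message; the IP set is the part to keep current as new relays are reported.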
While the second payload URI returned the expected Locky payload (MD5: ACD788E3631943E41412C7A0D657AB67), the first payload URI returned something a little more interesting:
The executable returned by the second URI sends a POST request to the following hardcoded C&C servers in turn until one of them responds:
If none of the hardcoded C&C servers provides a valid response to the infected machine, Locky falls back to its DGA and attempts the same POST request against each DGA domain until it receives a response. The CTIG observed the following DGA domains today, March 23, 2016:
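The hardcoded-C&C-then-DGA behaviour described above leaves a recognisable trace in web proxy logs: one client repeating the same POST, first to a short list of fixed addresses and then to a run of never-before-seen domains, within a few seconds. The following Python, added here as an example and not part of the original post, looks for exactly that pattern over constructed proxy log lines. The log format, the client addresses, the 203.0.113.x stand-ins for the page's C&C list, the /beacon.php path and the DGA-looking domains are all made up for the example; a status of 000 marks a request that received no response.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-ins for the hardcoded C&C servers listed above (constructed, RFC 5737 range).
KNOWN_C2 = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

# Constructed proxy log: "<iso time> <client> <method> <host> <path> <status>".
# 10.0.0.5 shows the fixed-C2-then-DGA fallback; 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
2016-03-23T10:00:01 10.0.0.5 POST 203.0.113.10 /beacon.php 000
2016-03-23T10:00:04 10.0.0.5 POST 203.0.113.11 /beacon.php 000
2016-03-23T10:00:07 10.0.0.5 POST 203.0.113.12 /beacon.php 000
2016-03-23T10:00:10 10.0.0.5 POST wqhtpkmcyvra.ru /beacon.php 000
2016-03-23T10:00:13 10.0.0.5 POST gmxouslvpjd.pw /beacon.php 000
2016-03-23T10:00:16 10.0.0.5 POST aoqwiydncgk.xyz /beacon.php 000
2016-03-23T10:00:19 10.0.0.5 POST ymbwlklxdhtn.be /beacon.php 200
2016-03-23T10:00:20 10.0.0.7 POST www.example.com /login 200
2016-03-23T10:00:25 10.0.0.7 POST api.example.net /login 200
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into (time, client, method, host, path, status)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, path, status))
    return events


def detect_beacon_fanout(events, window=timedelta(minutes=5), min_hosts=5) -> dict:
    """Flag clients that POST to a known C&C address, or that POST the same path
    to at least `min_hosts` distinct hosts inside any `window`-long interval
    (the DGA fallback signature). Returns {client: details}."""
    posts = defaultdict(list)  # (client, path) -> [(time, host)]
    hits = {}
    for ts, client, method, host, path, status in events:
        if method != "POST":
            continue
        posts[(client, path)].append((ts, host))
        if host in KNOWN_C2:
            hits.setdefault(client, {}).setdefault("known_c2", set()).add(host)
    for (client, path), seq in posts.items():
        seq.sort()
        lo = 0
        for hi in range(len(seq)):
            # Slide the window start forward until the span fits within `window`.
            while seq[hi][0] - seq[lo][0] > window:
                lo += 1
            distinct = {h for _, h in seq[lo:hi + 1]}
            if len(distinct) >= min_hosts:
                entry = hits.setdefault(client, {})
                if len(distinct) > entry.get("distinct_hosts", 0):
                    entry["fan_out_path"] = path
                    entry["distinct_hosts"] = len(distinct)
    return hits


if __name__ == "__main__":
    for client, details in detect_beacon_fanout(parse_log(SAMPLE_LOG)).items():
        print(client, details)
```

The known-C&C match is the high-confidence alert; the fan-out rule is what catches the infection once the listed servers are down and only DGA domains remain, and its threshold should be tuned against normal POST fan-out (CDNs, telemetry) in the environment before it is used to block.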
The CTIG recommends blocking all of the above-mentioned IOCs in your environment to proactively protect yourself from this threat.
Summary of IOCs: