Security researchers noted a follow-up malspam campaign to yesterday's widespread campaign, which was delivering Locky ransomware.
However, in some cases the payloads have been replaced with content placed, seemingly by a vigilante, with the aim of stopping the infections. This campaign is rather similar to the latest Locky campaign, though there are some differences as well.
The details from the SMTP headers that can be used for identification and blocking on the SMTP gateways are provided below:
Received: from [188.8.131.52] ([184.108.40.206])
Content-Type: multipart/mixed; boundary="--_com.android.email_7844755908151083"
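The following is an added example, not code from the original article, of how the two header indicators quoted above can be turned into a gateway-side check. It parses a raw message with Python's standard `email` package, pulls every IPv4 literal out of the Received chain and the MIME boundary out of Content-Type, and matches both against a blocklist. The two IP addresses and the boundary string come from the article's excerpt; the sample message itself, its hostnames and addresses are constructed for the example.

```python
# Added example (not from the original article): match SMTP header indicators
# against a blocklist, the way an SMTP gateway rule or milter would.
import re
from email import message_from_string
from email.policy import default

# Indicators taken from the article's header excerpt.
BLOCKED_IPS = {"188.8.131.52", "184.108.40.206"}
BLOCKED_BOUNDARIES = {"--_com.android.email_7844755908151083"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_ips(msg):
    """Return every IPv4 literal found in the Received headers, in header order."""
    ips = []
    for value in msg.get_all("Received", []):
        ips.extend(IPV4_RE.findall(value))
    return ips


def score_message(raw):
    """Return a list of (indicator-type, value) hits for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    hits = []
    for ip in received_ips(msg):
        if ip in BLOCKED_IPS:
            hits.append(("received-ip", ip))
    boundary = msg.get_boundary()  # None when the message is not multipart
    if boundary in BLOCKED_BOUNDARIES:
        hits.append(("mime-boundary", boundary))
    return hits


# Constructed sample message reproducing the article's two header values.
SAMPLE_MAIL = (
    "Received: from [188.8.131.52] ([184.108.40.206])\r\n"
    "\tby mx.example.invalid with ESMTP id ABC123\r\n"
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Document\r\n"
    'Content-Type: multipart/mixed; boundary="--_com.android.email_7844755908151083"\r\n'
    "\r\n"
    "----_com.android.email_7844755908151083\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Please see attached.\r\n"
    "----_com.android.email_7844755908151083--\r\n"
)

# Constructed clean message: no matching hop IP, no matching boundary.
CLEAN_MAIL = (
    "Received: from mail.example.invalid ([192.0.2.7])\r\n"
    "\tby mx.example.invalid with ESMTP id DEF456\r\n"
    "From: colleague@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Lunch\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Noon?\r\n"
)

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MAIL), ("clean", CLEAN_MAIL)):
        print(name, score_message(raw))
```

A single matching hop IP is usually enough to quarantine at the gateway, while the boundary string is a weaker signal on its own: it is a client-side MIME artefact that can change between waves, so it is best used to raise confidence rather than as the sole blocking criterion.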
The above-mentioned activity is reminiscent of the work by a vigilante to disrupt TeslaCrypt and CryptoWall campaigns by replacing the ransomware executables with a legitimate and signed Avira installer.
The properly returned executable from the second URI sends a POST to one of the following hardcoded C&C servers until one responds:
If none of the hardcoded C&C servers provides a valid response to the infected machine, Locky ransomware falls back to its DGA and attempts to make the same POST request to each DGA domain until it receives a response.
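The beaconing behaviour described above leaves a recognisable trace in a web-proxy log, and the following added example (not code from the article or from any Locky analysis tool) shows one way to detect it. Two signals are checked: a POST to a known C&C address, and the DGA fallback, which shows up as a single client POSTing the same URI path to many distinct domains in a short window without getting an answer. The log format, the client addresses, the domains, the path and the C&C address `203.0.113.10` are all constructed placeholders; the article's own C&C and DGA lists are not reproduced here.

```python
# Added example (not from the original article): spot the Locky beacon pattern
# in a constructed web-proxy log. Known C&C addresses are placeholders.
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

KNOWN_C2 = {"203.0.113.10"}        # placeholder; substitute the published IOC list
DGA_DISTINCT_DOMAINS = 5           # distinct hosts per client per window before alerting
DGA_WINDOW_SECONDS = 120


def parse_line(line):
    """Parse one constructed log line: '<iso-time> <client-ip> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    u = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": u.hostname, "path": u.path, "status": int(status)}


def detect(lines):
    """Return (alert-type, client, detail) tuples for known-C&C POSTs and DGA fallback bursts."""
    alerts = []
    posts_by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue
        if rec["host"] in KNOWN_C2:
            alerts.append(("known-c2", rec["client"], rec["host"]))
        posts_by_client[rec["client"]].append(rec)

    for client, recs in posts_by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so that it spans at most DGA_WINDOW_SECONDS.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > DGA_WINDOW_SECONDS:
                start += 1
            window = recs[start:end + 1]
            hosts = {r["host"] for r in window}
            paths = {r["path"] for r in window}
            # Same POST body path to many different hosts is the fallback signature.
            if len(hosts) >= DGA_DISTINCT_DOMAINS and len(paths) == 1:
                alerts.append(("dga-fallback", client, len(hosts)))
                break
    return alerts


# Constructed log: status 0 marks a request that never got a reply.
SAMPLE_LOG = [
    "2016-03-01T10:00:00 10.0.0.5 GET http://www.example.invalid/ 200",
    "2016-03-01T10:00:05 10.0.0.5 POST http://203.0.113.10/main.php 0",
    "2016-03-01T10:00:20 10.0.0.5 POST http://qwvxkzpl.example/main.php 0",
    "2016-03-01T10:00:35 10.0.0.5 POST http://rtnbmhcu.example/main.php 0",
    "2016-03-01T10:00:50 10.0.0.5 POST http://lkjdfpoe.example/main.php 0",
    "2016-03-01T10:01:05 10.0.0.5 POST http://zmxncbva.example/main.php 0",
    "2016-03-01T10:01:20 10.0.0.5 POST http://ytrewqas.example/main.php 0",
    "2016-03-01T10:00:10 10.0.0.9 GET http://www.example.invalid/ 200",
    "2016-03-01T10:00:40 10.0.0.9 POST http://forms.example.invalid/submit 200",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The distinct-host threshold and window are tuning knobs: a legitimate client rarely POSTs an identical path to five unrelated hosts in two minutes, but CDN-heavy applications can, so corroborate a DGA alert with DNS NXDOMAIN counts for the same client before acting on it.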
The security experts uncovered the following DGA domains:
The specialists recommend blocking all of the above-mentioned IOCs in your environment in order to protect yourself from the threat.
Summary of IOCs (IP Addresses):