Hello, welcome to the Wednesday, April 7, 2021 edition of the Sansonite Storm Center's Stormcast. My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

Jan today ran into an interesting piece of malicious email that delivered the Lockybot Info Steeler.

In itself, not really all that remarkable. Lockybot is well known, often described,

and essentially does harvest your system for information like passwords and tries to

exfiltrate that information.

The malware itself and EXE was delivered as a SIPP-I-S-O file and probably created with

the Nullsoft scriptable install system, a legitimate tool that you often find in order to create

Windows installers.

Now, one facet of this malware that Jan is explaining a little bit more detail is how they

actually created the from address.

In Outlook, at least, the from sender just shows the name, does not show an email address, which usually means that

the sender is in your address book.

And this, of course, gives the email that was otherwise not crafted very well, a little bit

more credibility by appearing to come from a known sender.

The trick here is to use a non-RFC compliant from address.

From addresses may include Unicode characters and can use various encodings, like, for example,

UTF8, but you're not really allowed to mix and match different encodings.

There's one exception where you may have multiple encodings, but then they have to be separated by a space,

and that's of course an often used to have the name encoded in Unicode like UTF8, then a space,

and then the email address in normal ASCII.

In this case, the attacker used a comma actually to separate the UTF8 encoded part from

...