BadRabbit ransomware hits Eastern Europe

This is what we know so far

BadRabbit ransomware hits Eastern Europe

A new ransomware outbreak hits Eastern Europe again. On the 24th of October 2017 several (infrastructural) organizations such as the Kiev Metro and Russian media outlets were hit by a cyber attack. It appears to be mostly spreading within Russia, Ukraine, Bulgaria and Turkey for now. Currently there are no signs of infections in the Netherlands. Initial analysis shows many similarities with the NotPetya outbreak in June of 2017. Investigation by our cyber analysts is ongoing, this is what we know so far:

Infection

Initial infection appears to have occurred through a so called watering hole attack. Several websites have been compromised and have had malicious code added, which allows the attackers to selectively infect victims. ESET published a large list of compromised websites with their analysis of BadRabbit, including an analysis of the malicious JavaScript present on the compromised websites. When a victim is selected, a popup is created indicating that an update for Flash is available. When clicking on the “Install” button, an executable is downloaded from the domain 1dnscontrol.com. The executable, “install_flash_player.exe”, is the malicious dropper for this ransomware.

When the victim manually starts install_flash_player.exe, it creates the file C:\Windows\infpub.dat, which is then started using rundll32. The naming is similar to NotPetya. Back then the file was called perfc.dat.

The overall actions performed by infpub.dat is as follows:

  • A copy of DiskCryptor dcrypt.sys driver is installed in C:\Windows\cscc.dat and installed as a Windows service called “Windows Client Side Caching DDriver”. A 32bit and 64bit version are included, and installed according to the system architecture.
  • The malicious executable dispci.exe is installed in C:\Windows. This executable, in combination with the cscc.dat driver, is responsible for the disk encryption and ransom screen.
  • A scheduled task called “rhaegal” (appears to be a reference to the Game of Thrones series) is created that launches the dispci.exe when the user logs on to the computer.
  • Another scheduled task called “drogon” is created to shut down the computer.
  • Password acquiring happens in a similar manner like NotPetya, with the use of “Mimikatz” (a tool for gathering passwords from Windows systems, for example from memory). Additionally, a list of common used usernames and passwords is also utilized.
  • The local network is scanned and infected in a similar manner to NotPetya.
  • Regular file encryption happens in a similar manner to NotPetya.

Comparison against the earlier NotPetya outbreak

This variant shares a lot of similarities with NotPetya. The overall program structure is similar, and many of the same actions are performed. The main differences are in the encryption, spreading and payment process.

Differences in spreading

All of the scanning methods are the same as NotPetya. The main difference is in how this variant executes its payload on the target system. NotPetya had 3 methods: PSEXEC, WMIC and using the EternalBlue exploit. This variant appears to have three methods as well, although PSEXEC and EternalBlue are no longer present in this variant. The methods for this variant include WMIC, Remote Service creation and another method involving manually crafted SMB packets. At this time, it appears this latter method attempts to create a service as well, but uses a predefined list of common usernames and passwords for authentication, as well as attempting to use multiple different shares.

Differences in encryption

The individual file encryption routine as it existed in NotPetya is still present. The main difference is that this variant no longer makes use of MBR code to encrypt the MFT. Instead, it now seems to use DiskCryptor to encrypt the disk. The dispci.exe executable is responsible for the encryption process, while cscc.dat is the DiskCryptor driver. The dispci.exe executable is also responsible for writing the custom bootloader to disk, which in turn displays the ransom screen at boot.

Differences in payment

The NotPetya outbreak in June 2017 used a single email address for payment, which was quickly disabled. This variant seems to use a Tor-based payment page, which is more common for ransomware. When the key from the ransom note is submitted on the website, the victim is given a unique Bitcoin address to send their payment to.

Just as with any other ransomware infection, it’s not advisable to pay the ransom. There is no guarantee that the attacker will actually give you the decryption key for your files.

Detection

To detect an active infection in the network one of the following IOC’s can be used:

Payment site: caforssztxqzf2nm.onion

Inject URL: 185.149.120.3/scholargoogle/

Distribution URL: 1dnscontrol.com/flash_install.php

IP of 1dnscontrol.com at the time the attack was active: 5.61.37.209

The malware also attempts to access the IPC$ share over SMB, which also be useful as an indicator of compromise. Attempts of running rundll32.exe using WMIC, or installing a new service with rundll32.exe as the executable is also a good indicator.

Fox-IT’s network sensors currently detect all used spreading methods, also before the outbreak.

Prevention

Just like with NotPetya, it’s possible to preemptively stop the spreading of this specific ransomware variant by creating some files in the C:\Windows directory. Specifically the “infpub.dat” and “cscc.dat” file, when created with read-only flags are reportedly sufficient to stop the spreading. Please note that this is no fool-proof method, since just like NotPetya, this variant uses the executable name for spreading. It just so happens that infpub.dat is the hardcoded name given by the install_flash_player.exe dropper.

Related files

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da – install_flash_player.exe – Dropper
  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 – infpub.dat – Main executable. Spreader and file crypter
  • 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806 – cscc.dat – DiskCryptor driver (32bit)
  • 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 – cscc.dat – DiskCryptor driver (64bit)
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 – dispci.exe -Disk encryption module, communicates with DiskCryptor driver and writes the custom bootloader to disk, which in turn displays the ransom screen at boot

Now at Fox-IT

Contact us

+31 (0) 15 284 79 99

fox@fox-it.com

Delft