The first time I read about #BadRabbit, it reminded me of the movie The Secret Life of Pets. I wonder if whoever named the malware had the same thought.
After WannaCry and Petya/NotPetya/GoldenEye, it is clear that Ukraine has become a testing ground where attackers try out their malware, iterate on variants and refine them before aiming at their final targets.
Today we have Bad Rabbit and Diskcoder. When we first read about them this morning we took them for two separate malware families; on closer analysis they are one and the same, Diskcoder.D being ESET's detection name for Bad Rabbit.
ESET reported earlier today that several transportation organizations in Ukraine, as well as some government organizations, had suffered a cyberattack that left a number of computers encrypted. Public sources have confirmed that systems at the Kiev Metro and Odessa airport, and at a number of organizations in Russia, were affected.
ESET determined that in the case of the Kiev Metro the malware used was Diskcoder.D, a new variant of the ransomware also known as Petya. The previous Diskcoder variant was used in the damaging global attack of June 2017.
One of Bad Rabbit's distribution methods is drive-by download: popular websites are compromised and JavaScript is injected into their HTML body or into one of their .js files.
In the version analyzed, the injected script reports back to 185.149.120[.]3 (which was not responding at the time of writing) with the following information about the visitor:
- Browser User-Agent
- Referrer
- Cookie from the visited site
- Domain name of the visited site
Server-side logic can then decide whether the visitor is of interest and inject additional content into the page. In that case, what was observed is a popup in the middle of the page asking the visitor to download an update for Flash Player.
Clicking the "Install" button starts the download of an executable from 1dnscontrol[.]com. This file, install_flash_player.exe, is the dropper for Win32/Diskcoder.D. No browser exploit is involved: the victim has to run the file themselves, and it is served from a domain with no relation to Adobe, which is the tell both for users and for proxy filtering.
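The chain above (compromised site, profiling beacon, fake Flash update page, dropper download) leaves a recognisable sequence in web proxy logs. The script below reconstructs it per client. It is an added example, not code from ESET or the original post: the indicators (185.149.120.3, /scholargoogle/, 1dnscontrol.com, flash_install.php, install_flash_player.exe) are the ones given on this page, while the log format (timestamp, client, method, URL, referer, status) and the sample lines are constructed for illustration, and treating the beacon as an HTTP POST is an assumption.

```python
"""Reconstruct the Bad Rabbit drive-by chain per client from web proxy logs.

Added example, not from ESET or the original post. Indicators come from the
page; the log format and sample lines are constructed, and the beacon being
an HTTP POST is an assumption.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

BEACON_HOST = "185.149.120.3"        # injected script reports UA/referrer/cookie/domain here
BEACON_PATH = "/scholargoogle/"
DROPPER_HOST = "1dnscontrol.com"     # fake Flash update page and dropper are served from here
DROPPER_PATH = "/flash_install.php"
DROPPER_NAME = "install_flash_player.exe"

VERDICTS = {1: "profiled by injected script",
            2: "served fake Flash Player update",
            3: "downloaded dropper"}

# Constructed sample log: ts client method url referer status
SAMPLE_LOG = """\
1508832001 10.0.0.5 GET http://www.fontanka.ru/ - 200
1508832002 10.0.0.5 POST http://185.149.120.3/scholargoogle/ http://www.fontanka.ru/ 200
1508832005 10.0.0.5 GET http://1dnscontrol.com/flash_install.php http://www.fontanka.ru/ 200
1508832006 10.0.0.5 GET http://1dnscontrol.com/install_flash_player.exe http://1dnscontrol.com/flash_install.php 200
1508832010 10.0.0.9 GET http://www.fontanka.ru/ - 200
1508832011 10.0.0.9 POST http://185.149.120.3/scholargoogle/ http://www.fontanka.ru/ 000
1508832020 10.0.0.7 GET http://get.adobe.com/flashplayer/ - 200
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Split one proxy log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, referer, status = m.groups()
    return {"ts": int(ts), "client": client, "method": method,
            "url": url, "referer": referer, "status": status}


def stage_of(entry):
    """Map a request to its stage in the chain (1 beacon, 2 lure page, 3 dropper) or None."""
    u = urlsplit(entry["url"])
    host, path = (u.hostname or "").lower(), u.path
    if host == BEACON_HOST and path.startswith(BEACON_PATH):
        return 1
    if host == DROPPER_HOST and path == DROPPER_PATH:
        return 2
    if host == DROPPER_HOST and path.rsplit("/", 1)[-1].lower() == DROPPER_NAME:
        return 3
    return None


def analyze(log_text):
    """Return, per client, the stages reached (time-ordered) and the referring sites."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        s = stage_of(e)
        if s is not None:
            hits[e["client"]].append((e["ts"], s, e["referer"]))
    report = {}
    for client, rows in hits.items():
        rows.sort()
        stages = [s for _, s, _ in rows]
        # The referrer on the beacon request names the compromised site the victim came from.
        sources = sorted({urlsplit(r).hostname for _, s, r in rows
                          if s == 1 and r != "-" and urlsplit(r).hostname})
        report[client] = {"max_stage": max(stages), "stages": stages,
                          "sources": sources, "verdict": VERDICTS[max(stages)]}
    return report


if __name__ == "__main__":
    for client, info in analyze(SAMPLE_LOG).items():
        print(f"{client}: {info['verdict']} (stages {info['stages']}, via {info['sources']})")
```

Clients that only reached stage 1 were profiled but not served the lure (the beacon host was already down for 10.0.0.9 in the sample); a client at stage 3 has the dropper on disk and should be treated as a host-side incident, not just a web-filtering event. The referrer also tells you which compromised site your users were hitting, which is what you need to decide whether to block it.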
Finally the computer is locked and shows the ransom note, which directs the victim to the rather creatively designed payment page on the Tor hidden service listed in the indicators below.
So far this malware is known to spread in two ways: through the fake Flash Player update described above, and laterally over SMB.
Contrary to some early public claims, it does not use the EternalBlue exploit that the Win32/Diskcoder.C (Not-Petya) outbreak used. (Later analysis by several vendors found that it does use another SMB exploit from the same leak, EternalRomance; MS17-010 covers both, so patched hosts are not exposed to that vector, but the credential-based spreading described next works against fully patched machines.) First, it scans the internal network for hosts with SMB open and probes the following named pipes over IPC$ (the "admin" entry corresponds to the ADMIN$ share rather than a pipe):
- admin
- atsvc
- browser
- eventlog
- lsarpc
- netlogon
- ntsvcs
- spoolss
- samr
- srvsvc
- scerpc
- svcctl
- wkssvc
Mimikatz is launched on the compromised computer to harvest credentials. A hardcoded list of usernames and passwords is also tried.
When working credentials are found, infpub.dat is dropped into the Windows directory on the target and executed through the Service Control Manager (SCManager) and rundll32.exe. In other words, a single set of valid local or domain admin credentials is enough for the worm to reach hosts that are fully patched.
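Both halves of the lateral-movement procedure above leave host-side evidence: the pipe sweep shows up as one source touching many of the listed IPC$ pipes across several hosts (Windows Security event 5145 records the pipe name in RelativeTargetName), and the payload run shows up as rundll32.exe loading infpub.dat, either as a service installed through SCM (System event 7045) or as a process whose parent is services.exe (Sysmon event 1). The hunt below is an added example, not code from ESET or the original post; the events are constructed dicts with simplified field names modelled on those three event types, and every sample value (hosts, source addresses, service name) is made up.

```python
"""Hunt for Bad Rabbit's SMB lateral movement in Windows event data.

Added example, not from ESET or the original post. Events are constructed
dicts modelled on Security 5145 (network share object access), System 7045
(service installed) and Sysmon event 1 (process create); field names are
simplified and all sample values are made up.
"""
from collections import defaultdict

# Named pipes the page lists as probed. "admin" from that list is the ADMIN$
# share, not a pipe, so it is left out of the pipe set.
PROBED_PIPES = {"atsvc", "browser", "eventlog", "lsarpc", "netlogon", "ntsvcs",
                "spoolss", "samr", "srvsvc", "scerpc", "svcctl", "wkssvc"}
PAYLOAD_NAME = "infpub.dat"

SAMPLE_EVENTS = [
    # 10.0.0.5 touches five of the listed pipes on three hosts: a sweep, not normal client traffic
    *[{"id": 5145, "host": h, "src": "10.0.0.5", "share": r"\\*\IPC$", "target": p}
      for h in ("WS01", "WS02", "WS03")
      for p in ("atsvc", "svcctl", "samr", "srvsvc", "lsarpc")],
    # a workstation resolving a share normally touches a single pipe
    {"id": 5145, "host": "WS01", "src": "10.0.0.9", "share": r"\\*\IPC$", "target": "srvsvc"},
    # payload dropped into the Windows directory and started as a service (service name is made up)
    {"id": 7045, "host": "WS02", "service": "sample_svc",
     "image": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1"},
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1",
     "parent": r"C:\Windows\System32\services.exe"},
    # benign rundll32 use from the shell; must not match
    {"id": 1, "host": "WS03", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL", "parent": r"C:\Windows\explorer.exe"},
]


def pipe_sweeps(events, min_pipes=4, min_hosts=2):
    """Sources that opened at least min_pipes of the listed pipes on at least min_hosts hosts."""
    seen = defaultdict(lambda: {"pipes": set(), "hosts": set()})
    for e in events:
        if e.get("id") != 5145 or not e.get("share", "").upper().endswith("IPC$"):
            continue
        pipe = e.get("target", "").lower()
        if pipe in PROBED_PIPES:
            seen[e["src"]]["pipes"].add(pipe)
            seen[e["src"]]["hosts"].add(e["host"])
    return {src: {"pipes": sorted(v["pipes"]), "hosts": sorted(v["hosts"])}
            for src, v in seen.items()
            if len(v["pipes"]) >= min_pipes and len(v["hosts"]) >= min_hosts}


def payload_executions(events):
    """rundll32.exe loading infpub.dat, flagged with whether SCM started it."""
    hits = []
    for e in events:
        if e.get("id") not in (1, 7045):
            continue
        text = (e.get("cmdline") or e.get("image") or "").lower()
        if "rundll32" in text and PAYLOAD_NAME in text:
            via_scm = e["id"] == 7045 or "services.exe" in e.get("parent", "").lower()
            hits.append({"host": e["host"], "event": e["id"], "via_scm": via_scm})
    return hits


if __name__ == "__main__":
    print("pipe sweeps:", pipe_sweeps(SAMPLE_EVENTS))
    print("payload executions:", payload_executions(SAMPLE_EVENTS))
```

The thresholds are deliberately loose; tune min_pipes and min_hosts against your own baseline, since management and monitoring hosts legitimately touch svcctl, srvsvc and wkssvc on many machines. The source address of a confirmed sweep is the machine where Mimikatz ran, so that is where credential reset and forensics should start.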
Encryption
Win32/Diskcoder.D is a modified version of Win32/Diskcoder.C: bugs in the file encryption were fixed. Disk encryption now relies on DiskCryptor, a legitimate open-source full-drive encryption tool, which is consistent with the sample metadata on VirusTotal carrying a DiskCryptor copyright string. Keys are generated with CryptGenRandom and then protected with a hardcoded RSA-2048 public key, so, absent an implementation bug, recovering them requires the attackers' private key.
Encrypted files carry the .encrypted extension. As before, files are encrypted with AES-128-CBC.
Distribution
Interestingly, ESET telemetry shows that Ukraine accounts for only 12.2% of the total detections of the dropper component. The breakdown is:
- Russia: 65%
- Ukraine: 12.2%
- Bulgaria: 10.2%
- Turkey: 6.4%
- Japan: 3.8%
- Other: 2.4%
This closely matches the geographic distribution of the compromised websites carrying the malicious JavaScript. So why does Ukraine appear to be hit harder than the rest?
It is notable that the large Ukrainian organizations were all hit at the same time. One possibility is that the group already had a foothold inside their networks and launched the watering-hole campaign simultaneously as a decoy.
Coverage
Detection coverage is lagging: this morning only 9 of 66 AV engines had signatures for the malware; as of right now it is 27 of 66. Why it is taking the other vendors so long, we do not really know.
Indicators of Compromise
As always, we have Indicators of Compromise to share with all of you:
Most of the domains, hostnames and URLs below are compromised legitimate sites that carried the injected script, not attacker infrastructure; the attacker-controlled indicators are 185.149.120.3, 1dnscontrol.com and the .onion payment address. Block or monitor accordingly.
Indicator type | Indicator
domain | 1dnscontrol.com
domain | an-crimea.ru
domain | ankerch-crimea.ru
domain | argumenti.ru
domain | argumentiru.com
domain | caforssztxqzf2nm.onion
domain | da.id
domain | i24.com.ua
domain | most-dnepr.info
domain | osvitaportal.com.ua
domain | spbvoditel.ru
domain | xhr.open
URL | http://185.149.120.3/scholargoogle/
URL | http://1dnscontrol.com/flash_install.php
URL | http://an-crimea.ru
URL | http://ankerch-crimea.ru
URL | http://argumenti.ru
URL | http://argumentiru.com
URL | http://bg.pensionhotel.com
URL | http://blog.fontanka.ru
URL | http://caforssztxqzf2nm.onion
URL | http://calendar.fontanka.ru
URL | http://grupovo.bg
URL | http://i24.com.ua
URL | http://most-dnepr.info
URL | http://novayagazeta.spb.ru
URL | http://osvitaportal.com.ua
URL | http://spbvoditel.ru
URL | http://www.aica.co.jp
URL | http://www.fontanka.ru
URL | http://www.grupovo.bg
URL | http://www.imer.ro
URL | http://www.mediaport.ua
URL | http://www.online812.ru
URL | http://www.otbrana.com
URL | http://www.pensionhotel.cz
URL | http://www.sinematurk.com
URL | http://www.t.ks.ua
hostname | bg.pensionhotel.com
hostname | blog.fontanka.ru
hostname | calendar.fontanka.ru
hostname | novayagazeta.spb.ru
hostname | www.aica.co.jp
hostname | www.fontanka.ru
hostname | www.grupovo.bg
hostname | www.imer.ro
hostname | www.mediaport.ua
hostname | www.online812.ru
hostname | www.otbrana.com
hostname | www.pensionhotel.cz
hostname | www.sinematurk.com
hostname | www.t.ks.ua
FileHash-SHA1 | 16605a4a29a101208457c47ebfde788487be788d
FileHash-SHA1 | 413eba3973a15c1a6429d9f170f3e8287f98c21c
FileHash-SHA1 | 4f61e154230a64902ae035434690bf2b96b4e018
FileHash-SHA1 | 79116fe99f2b421c52ef64097f0f39b815b20907
FileHash-SHA1 | afeee8b4acff87bc469a6f0364a81ae5d60a2add
FileHash-SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0
IPv4 | 185.149.120.3
Note that the "domain" entry xhr.open is not a domain at all: it is the JavaScript XMLHttpRequest.open method name, picked up by automated extraction from the injected script, and should not be fed into a blocklist.
Header Image from: https://pm1.narvii.com
Read more:
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
https://researchcenter.paloaltonetworks.com/2017/10/threat-brief-information-bad-rabbit-ransomware-attacks/
http://www.bbc.com/news/technology-41740768