Security
Security is top-of-mind, especially right here where Juniper experts share their insights on the latest security trends and breakthroughs
Juniper Employee , Juniper Employee Juniper Employee
Security
Bad Rabbit: the unrelenting ransomware attacks on the Eastern bloc
Oct 25, 2017

BadRabbit.png

 

Following the footsteps of WannaCry and NotPetya, Ukraine, Russia and a few other neighboring countries with Russian speaking communities have been yet again the target of a ransomware attack on Tuesday October 24. This attack was orchestrated from compromised Russian language news sites, which explains the victims geographical distribution. The malware encrypts the victim's files and disk before asking for payment of a ransom of 0.05BTC, which is roughly $250.

 

Infection Source

The compromised news sites were injecting malicious JavaScript that would show a popup posing as a flash updater to visitors of interest. If the visitor falls for the social engineering trick and accepts the download, a dropper would be downloaded from the site 1dnscontrol[.]com and saved as install_flash_player.exe. This file does not auto launch: the user has to manually launch it.

 

Infection Process 

Once the dropper is launched, it drops the malicious payload as infpub.dat, which is a DLL and starts it using the command:

rundll32 infpub.dat,#1 15

 

At the start of the ordinal function #1, it checks its current privileges and starts initializing variables. Those privileges will be required for the malware to impersonate the user and to reboot the system after encryption.

 

 Picture1.png

It then checks for the presence of a Mutex to make sure it doesn't run twice on the same host computer. The Mutex is built based on the hostname of the victim.

 

If the malware has “SeDebugPrivilege”, it drops the file ccsc.dat in the windows folder. This is a legitimate driver from the open source “DiskCryptor”. It is stored within its Resource section under the resource type “Strings” and its resource name is “7”. This driver is later on used by another dropped file, dispci.exe, for encrypting the drive.

 

Pictur2.png

Picture3.png

 

It then drops dispci.exe in the %windows% folder from its Resource section (Resource Name is "9")  and creates a scheduled task job named “rhaegal” that will execute dispci.exe every time the system reboots.

Picture4.png

And then it creates another scheduled task named “drogon” that will shutdown the system after a little while (after 18 minutes at a minimum). Presumably, this will give it enough time to spread laterally and encrypt the files.

Picture5.png

 

Then, in a bizarre move which is usually only seen in stealthy malware that seeks persistence, it creates a thread that will delete event logs and journals. As if it were necessary to cover its tracks after encrypting the victim's files!

Picture6.png

Harvesting Credentials

 

Bad Rabbit creates another thread that will scan the “Local Network”.

If it has “SeShutdownPrivilege” and “SeDebugPrivilege” it will invoke “Mimikatz” from its Resource “1”, which is a tool used by hackers to harvest credentials. First it will drop this tool as {random}.tmp in the %windows% folder then it will execute it as follows:

 

"""C:\Windows\A5AB.tmp"" \\.\pipe\{3A24C506-EE04-49B9-B857-954EFC8D030B}"

 

The argument in the form of a pipe is where it will store the harvested credentials.

 

Lateral Spread

After scanning the Local Network for SMB shares and harvesting credentials, it starts propagating through the available network shares using the harvested credentials as well as a list of hardcoded usernames and passwords typically found in installations of file systems. These are posted on pastebin:

Usernames:

Administrator, Admin, Guest, User, User1, user-1, Test, root, buh, boss, ftp, rdp, rdpuser, rdpadmin, manager, support, work, other, user, operator, backup, asus, ftpuser, ftpadmin, nas, nasuser, nasadmin, superuser, netguest, alex

 

Passwords:

Administrator, administrator, Guest, guest, User, user, Admin, adminTest, test, root, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, Administrator123, administrator123, Guest123, guest123, User123, user123, Admin123, admin123, Test123, test123, password, 111111, 55555, 77777, 777, qwe, qwe123, qwe321, qwer, qwert, qwerty, qwerty123, zxc, zxc123, zxc321, zxcv, uiop, 123321, 321, love, secret, **bleep**, god.

 

Picture7.png

 

Upon successful propagation, the malware infpub.dat is dropped in the ADMIN$ folder which is %Windows% folder and executed using SCManager.

 

Picture8.pngPicture13.png

 

The remote execution will invoke the command:

C:\Windows\System32\rundll32.exe "C:\Windows\infpub.dat",#2 15

 

Ordinal #2 of infpub.dat will run ordinal #1.

 

Picture14.png

 

Picture15.png

 

File Encryption

Bad Rabbit embeds a list of file extensions to encrypt: 

 

.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip

 

It looks for files with these extensions throughout the drive except some folder: Windows, Program Files, ProgramData, AppData. 

 

Picture9.png

 

Once the file encryption process is completed, the ransomware creates a ransom note in C:\Readme.txt.

Picture10.png

 

Disk Encryption

 

Beyond file encryption, Bad Rabbit also performs a disk encryption. Disk encryption happens after reboot. The scheduled task “rhaegal” will run dispci.exe which will modify the bootloader. After the first reboot, the disk is not yet encrypted but only the bootloader is modified. On the next reboot, the modified bootloader will run which will then start encrypting your drive. It is during this time also where you will see the ransom message on your PC. You are no longer able to login to your computer at this point.

 

Detection

Both Juniper Sky ATP and Cyphort on-prem solutions detect this threat as seen in the screenshots below:

 

BadRabbitSkyATP.png

 BR-Cyphort1.png

badrabbit_skyatp.png

 

 BR-Cyphort2.png

 

Recommendations

As typical with ransomware, the damage this threat can cause is substantial depending on the value of the asset being compromised. We recommend that the following preventive measures be taken:

  • Back up data on volumes that are isolated in your network so they don't get themselves encrypted. Test those backups before you urgently need them.
  • Patch your systems swiftly (remember MS17-010?) and disable SMBv1.
  • Segment your networks.
  • Do not reuse passwords and enfore a strong password policy.
  • Deploy advated threat detection capable of seeing lateral movement.
  • Implement behavior based detection, signatures alone won't cut it.

 

 Many thanks to Paul Kimayong for reversing this malware and providing the detailed analysis.

 

Oct 26, 2017

 Well written article which clearly conveys 3 key points:

1.The need for network security(How a small investment will save super huge embarrassing losses for the org)

2. How Bad Rabbit works.

3.How Juniper's SKY (cloud) and Cyphort (on prem) can mitigate this attack.

 

A must share article with customers ! Kudos to the author and thank you. Please keep more of these coming !

Oct 31, 2017
Abrakham

Some advice from Caspersky lab in this case:

  • make sure that all protection mechanisms are activated as recommended; and that KSN and System Watcher components (which are enabled by default) are not disabled.
  • update the antivirus databases immediately.

The abovementioned measures should be sufficient. However, as additional precautions we advise the following:

  • restricting execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat in Kaspersky Endpoint Security.
  • configuring and enabling Default Deny mode in the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce proactive defense against this and other attacks.

Kaspersky Lab products detect this threat with the following verdicts:

  • Trojan-Ransom.Win32.Gen.ftl
  • Trojan-Ransom.Win32.BadRabbit
  • DangerousObject.Multi.Generic
  • PDM:Trojan.Win32.Generic
  • Intrusion.Win.CVE-2017-0147.sa.leak

IOCs:
http://1dnscontrol[.]com/
fbbdc39af1139aebba4da004475e8839 – install_flash_player.exe
1d724f95c61f1055f0d02c2154bbccd3 – C:\Windows\infpub.dat
b14d8faf7f0cbcfad051cefe5f39645f – C:\Windows\dispci.exe

And alter source about the issue soft2secure.com/knowledgebase/bad-rabbit-ransomware

Feedback