Introducing Dynamic Data Protection: The next generation of security.

Our Blog

NotNotPetya - Bad Rabbit

Share

Wednesday, Oct 25, 2017

On 24 October 2017 Bad Rabbit – the third ‘major’ ransomware outbreak of the year – made headlines as it affected large numbers of machines, predominantly in Eastern Europe. The malware bears many similarities to the Petya - AKA NotPetya, GoldenEye, ExPetr, Petrwrap - attack from June: the ransom messages are very similar in both content and style, the ransom demand is for a similar amount (USD 300 in June versus BTC 0.05 – approximately $280 at current prices), and it attempts to move laterally once inside a network.

Figure 1: The 'Bad Rabbit' ransom demand

The Infection Process

The only known infection vector is via a drive-by attack delivered by compromised websites. An HTTP POST request is made to a URL hosting the content for a fake Adobe Flash update popup. Clicking on this downloads a dropper file which, when executed, performs the encryption and lateral-movement processes.

Figure 2: The Bad Rabbit infection process flow

Table 1: File signatures associated with Bad Rabbit


No privilege-escalation vulnerabilities are employed as part of this deployment process – the malware is reliant on people accepting the update file as legitimate and executing it with elevated permissions. To this end, the initial dropper attempts to mimic the legitimate Adobe Flash installation program.Note that dcrypt.sys appears to be a legitimate subcomponent of the open source DiskCryptor (http://diskcryptor.net) encryption solution as is in and of itself not malicious.

 Table 2: Comparison of legitimate and malicious/fake Adobe Flash installer metadata

Once installed, the malware targets a similar set of file extensions to those observed in the June NotPetya attack:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

Similar to the NotPetya outbreak in June 2017, Bad Rabbit attempts to spread laterally, post-infection via SMB. To achieve this, it scans for a number of network shares (Table 3, below) before attempting to spread using a combination of harvested credentials and hardcoded usernames and passwords (a complete listing of these is provided in Appendix B).

Note that, unlike NotPetya, Bad Rabbit has not been observed attempting to self-propagate via an SMB exploit such as EternalBlue.


 Table 3: Network shares scanned by Bad Rabbit

Curiously, for a piece of malware that calls itself Bad Rabbit on its own ransom page, the sample creates a number of tasks with a Game of Thrones theme - in this case named after the three dragons featured in the show:

cmd.exe schtasks /Create /SC ONCE /TN drogon /RU SYSTEM /TR "C:\WINDOWS\system32\shutdown.exe /r /t 0 /f" /ST 14:25:00
cmd.exe schtasks /Create /SC ONCE /TN viserion /RU SYSTEM /TR "C:\WINDOWS\system32\shutdown.exe /r /t 0 /f" /ST 14:29:00
cmd.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\WINDOWS\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1111111111 && exit"

This apparent non-sequitur coupled with the slightly unusual selection of usernames hardcoded into the malware (e.g. 'alex' and 'buh') may point to either multiple developers, the re-use of open source code, or both.

Protection Statement

Forcepoint customers are protected against this threat via Forcepoint Cloud Security, which includes the Advanced Classification Engine (ACE) as part of e-mail, web and NGFW security products. ACE (also known as Triton ACE) provides signature-less analytics to identify malicious intent, including evasion techniques to mask the malware.

Protection is in place at the following stages of attack:

Stage 2 (Lure) - Malicious content associated with this attack are identified and blocked.

Stage 5 (Dropper File) - Bad Rabbit variants are prevented from being downloaded.

Stage 6 (Backchannel Traffic) - Attempts to spread via SMB are blocked by Forcepoint NGFW.

Obervations & Conclusion

The overlaps between Bad Rabbit and NotPetya potentially implicate the same actors in this latest attack. That said, if this is the case, a significant amount of work has gone into both the malware itself and the associated infrastructure over the past few months.

Not least, in contrast with NotPetya, the use of unique payment wallets per victim potentially means that victims can recover their files by paying the ransom in this case and that the actors behind the campaign will likely profit from it. Unfortunately, this infrastructure also makes it difficult to comment on how many victims have chosen this course of action.

On the other hand, the switch to compromising victims via compromised websites may not be as significant a change as it appears on the surface, with the NotPetya actors having previously demonstrated their ability to compromise devices and use them to serve malware. While one should not draw conclusions from it, the parallel between NotPetya using an automated update server as a distribution method and Bad Rabbit using a fake Adobe Flash update installer is interesting.

The use of an open-source cryptographic module as part of this attack is unsurprising, with Forcepoint Security Labs previously having commented on the reuse of both malicious and legitimate code within malware (/security-labs/part-three-criminal-overground).

Overall, though, perhaps most striking in this case is the ‘blunt instrument’ approach to running the malware on victim systems: NotPetya may have snuck onto user’s system by the back door, but Bad Rabbit needs an invitation (and potentially UAC approval as well).

While it may seem an uphill struggle – and would not have helped in the case of NotPetya – user education is still critical in situations such as this: look closely at any prompts – especially those asking you to download software or ‘updates’ – and consider whether or not the prompt looks legitimate and whether or not it makes sense in context. If in doubt, visit the software vendor’s website yourself and check for the update there.

Much is made of the weakness of the human point, but in many cases – including this one – savvy users have the ability to break the infection chain.

Appendix A - IOCs

SHA1 File Hashes

de5c8d858e6e41da715dca1c019df0bfb92d32c0
79116fe99f2b421c52ef64097f0f39b815b20907
afeee8b4acff87bc469a6f0364a81ae5d60a2add

Malicious URLs

hxxp://185.149.120[.]3/scholargoogle/
hxxp://185.149.120[.]3/scholasgoogle/
hxxp://1dnscontrol[.]com/flash_install.php

Appendix B – Hardcoded SMB Credentials

Usernames

Admin
Guest
User
User1
user-1
Test
root
buh
boss
ftp
rdp
rdpuser
rdpadmin
manager
support
work
other user
operator
backup
asus
ftpuser
ftpadmin
nas
nasuser
nasadmin
superuser
netguest
alex

Passwords

Administrator
administrator
Guest
guest
User
user
Admin
adminTest
test
root
123
1234
12345
123456
1234567
12345678
123456789
1234567890
Administrator123
administrator123
Guest123
guest123
User123
user123
Admin123
admin123Test123
test123
password
111111
55555
77777
777
qwe
qwe123
qwe321
qwer
qwert
qwerty
qwerty123
zxc
zxc123
zxc321
zxcv
uiop
123321
321
love
secret
sex
god

About the Author