NotNotPetya - Bad Rabbit
On 24 October 2017 Bad Rabbit – the third ‘major’ ransomware outbreak of the year – made headlines as it affected large numbers of machines, predominantly in Eastern Europe. The malware bears many similarities to the Petya - AKA NotPetya, GoldenEye, ExPetr, Petrwrap - attack from June: the ransom messages are very similar in both content and style, the ransom demand is for a similar amount (USD 300 in June versus BTC 0.05 – approximately $280 at current prices), and it attempts to move laterally once inside a network.
Figure 1: The 'Bad Rabbit' ransom demand
The Infection Process
The only known infection vector is via a drive-by attack delivered by compromised websites. An HTTP POST request is made to a URL hosting the content for a fake Adobe Flash update popup. Clicking on this downloads a dropper file which, when executed, performs the encryption and lateral-movement processes.
Figure 2: The Bad Rabbit infection process flow
Table 1: File signatures associated with Bad Rabbit
No privilege-escalation vulnerabilities are employed as part of this deployment process – the malware is reliant on people accepting the update file as legitimate and executing it with elevated permissions. To this end, the initial dropper attempts to mimic the legitimate Adobe Flash installation program.Note that dcrypt.sys appears to be a legitimate subcomponent of the open source DiskCryptor (http://diskcryptor.net) encryption solution as is in and of itself not malicious.
Table 2: Comparison of legitimate and malicious/fake Adobe Flash installer metadata
Once installed, the malware targets a similar set of file extensions to those observed in the June NotPetya attack:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Similar to the NotPetya outbreak in June 2017, Bad Rabbit attempts to spread laterally, post-infection via SMB. To achieve this, it scans for a number of network shares (Table 3, below) before attempting to spread using a combination of harvested credentials and hardcoded usernames and passwords (a complete listing of these is provided in Appendix B).
Note that, unlike NotPetya, Bad Rabbit has not been observed attempting to self-propagate via an SMB exploit such as EternalBlue.
Table 3: Network shares scanned by Bad Rabbit
Curiously, for a piece of malware that calls itself Bad Rabbit on its own ransom page, the sample creates a number of tasks with a Game of Thrones theme - in this case named after the three dragons featured in the show:
cmd.exe schtasks /Create /SC ONCE /TN drogon /RU SYSTEM /TR "C:\WINDOWS\system32\shutdown.exe /r /t 0 /f" /ST 14:25:00 cmd.exe schtasks /Create /SC ONCE /TN viserion /RU SYSTEM /TR "C:\WINDOWS\system32\shutdown.exe /r /t 0 /f" /ST 14:29:00 cmd.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\WINDOWS\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1111111111 && exit"
This apparent non-sequitur coupled with the slightly unusual selection of usernames hardcoded into the malware (e.g. 'alex' and 'buh') may point to either multiple developers, the re-use of open source code, or both.
Forcepoint customers are protected against this threat via Forcepoint Cloud Security, which includes the Advanced Classification Engine (ACE) as part of e-mail, web and NGFW security products. ACE (also known as Triton ACE) provides signature-less analytics to identify malicious intent, including evasion techniques to mask the malware.
Protection is in place at the following stages of attack:
Stage 2 (Lure) - Malicious content associated with this attack are identified and blocked.
Stage 5 (Dropper File) - Bad Rabbit variants are prevented from being downloaded.
Stage 6 (Backchannel Traffic) - Attempts to spread via SMB are blocked by Forcepoint NGFW.
Obervations & Conclusion
The overlaps between Bad Rabbit and NotPetya potentially implicate the same actors in this latest attack. That said, if this is the case, a significant amount of work has gone into both the malware itself and the associated infrastructure over the past few months.
Not least, in contrast with NotPetya, the use of unique payment wallets per victim potentially means that victims can recover their files by paying the ransom in this case and that the actors behind the campaign will likely profit from it. Unfortunately, this infrastructure also makes it difficult to comment on how many victims have chosen this course of action.
On the other hand, the switch to compromising victims via compromised websites may not be as significant a change as it appears on the surface, with the NotPetya actors having previously demonstrated their ability to compromise devices and use them to serve malware. While one should not draw conclusions from it, the parallel between NotPetya using an automated update server as a distribution method and Bad Rabbit using a fake Adobe Flash update installer is interesting.
The use of an open-source cryptographic module as part of this attack is unsurprising, with Forcepoint Security Labs previously having commented on the reuse of both malicious and legitimate code within malware (/security-labs/part-three-criminal-overground).
Overall, though, perhaps most striking in this case is the ‘blunt instrument’ approach to running the malware on victim systems: NotPetya may have snuck onto user’s system by the back door, but Bad Rabbit needs an invitation (and potentially UAC approval as well).
While it may seem an uphill struggle – and would not have helped in the case of NotPetya – user education is still critical in situations such as this: look closely at any prompts – especially those asking you to download software or ‘updates’ – and consider whether or not the prompt looks legitimate and whether or not it makes sense in context. If in doubt, visit the software vendor’s website yourself and check for the update there.
Much is made of the weakness of the human point, but in many cases – including this one – savvy users have the ability to break the infection chain.
Appendix A - IOCs
SHA1 File Hashes
de5c8d858e6e41da715dca1c019df0bfb92d32c0 79116fe99f2b421c52ef64097f0f39b815b20907 afeee8b4acff87bc469a6f0364a81ae5d60a2add
hxxp://185.149.120[.]3/scholargoogle/ hxxp://185.149.120[.]3/scholasgoogle/ hxxp://1dnscontrol[.]com/flash_install.php
Appendix B – Hardcoded SMB Credentials
Admin Guest User User1 user-1 Test root buh boss ftp rdp rdpuser rdpadmin manager support work other user operator backup asus ftpuser ftpadmin nas nasuser nasadmin superuser netguest alex
Administrator administrator Guest guest User user Admin adminTest test root 123 1234 12345 123456 1234567 12345678 123456789 1234567890 Administrator123 administrator123 Guest123 guest123 User123 user123 Admin123 admin123Test123 test123 password 111111 55555 77777 777 qwe qwe123 qwe321 qwer qwert qwerty qwerty123 zxc zxc123 zxc321 zxcv uiop 123321 321 love secret sex god