ESET Asks Whether TeleBot’s Practice Makes Perfect – PETYA
Created: 2017-06-30 07:41:06
ESET, The global leader in cybersecurity research and development brings new findings concerning the possible origins of the latest outbreak of Petya-like Ransomware.
Longitudinal research points to similarities between multiple campaigns by the TeleBots cybercriminal group in Ukraine, and aspects of their evolving toolset in attacks between December 2016 and March 2017, and the Diskcoder.C (aka Petya) outbreak that took place June 27, 2017.
“The parallels to the December 2016 attack against financial institutions, and the subsequent development of a Linux version of KillDisk malware used by TeleBots are strong clues. It was these indicators, alongside mounting attacks on computer systems in Ukraine, that warranted a deeper look at TeleBots,” said Senior ESET Malware Researcher, Anton Cherepanov.
TeleBots modus operandi has consistently been the use of KillDisk to overwrite files with specific extensions to victims’ disks. Thus, collecting ransom was unlikely to be their primary goal, as target files were not so much as encrypted, but overwritten. While, subsequent attacks did see the addition of encryption, contact information and other features of ransomware, the incidents still stood apart.
In 2017, between January and March, TeleBots attackers compromised a software company in Ukraine using VPN tunnels and gained access to the internal networks of several financial institutions, revealing an enhanced arsenal of Python coded tools. During the final stages of that campaign, they pushed ransomware using stolen Windows credentials and SysInternals PsExec. ESET products detected this new ransomware as Win32/Filecoder.NKH. It was followed by Linux ransomware, detected as Python/Filecoder.R, predictably written in Python.
Next, TeleBots unleashed Win32/Filecoder.AESNI.C (referred to as XData) on May 18, 2017. Spread mostly in Ukraine via an update of M.E.Doc a widely used financial software in Ukraine. According to ESET LiveGrid®, the malware was created right after software execution, allowing it lateral movement, automatically, inside a compromised company LAN. Despite ESET publishing a decryption tool for Win32/Filecoder.AESNI, the event didn’t gain much attention.
However, on June 27, the Petya-like outbreak (Diskcoder.C) that has compromised so many systems in both critical infrastructure and other businesses in Ukraine and beyond, appeared and displayed the ability to replace Master Boot Record (MBR) with its own malicious code, code borrowed from Win32/Diskcoder.Petya ransomware.
Diskcoder.C’s authors have modified the MBR code so that recovery in not possible and while displaying payment instructions, as we now know, the information is useless. Technically, there are many improvements (see the blog post here). Critically, once the malware is executed it attempts to spread using infamous EternalBlue exploit, leveraging DoublePulsar kernel mode backdoor. Exactly same method used in WannaCry ransomware.
The malware is also capable of spreading the same way as Win32/Filecoder.AESNI.C (aka XData) ransomware, using a lightweight version of Mimikatz to obtain passwords, then executing the malware using SysInternals PsExec. In addition, attackers have implemented third method to spread using a WMI mechanism.
All three methods have been used to spread malware inside LANs. But, unlike WannaCry malware, in this case the EternalBlue exploit is used by Diskcoder.C malware only against computers within internal address space.
Tying TeleBots to this activity also means understanding why the infections took hold in other countries, seemingly breaking its strong focus on Ukraine. We’ve zeroed in on VPN connections between users of M.E.Doc, its customers, and their global business partners. Additionally, M.E.Doc has an internal messaging and document exchange system, so attackers could send spearphishing messages to victims. Attackers also had access to the update server supplying legitimate software. Using access to this server, attackers pushed malicious updates applied automatically without user interaction.
“With such deep infiltration of M.E.Doc’s infrastructure and its clientele, the attackers had deep resources to spread Diskcoder.C. Despite some “collateral damage”, the attack demonstrated a deep understanding of the resources at their disposal. Furthermore, the additional capabilities of the EternalBlue exploit kit have added a unique dimension that the cybersecurity community will increasingly have to grapple with,” further remarked Senior ESET Malware Researcher, Anton Cherepanov.
About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.
ESET recently updated its two-factor authentication (2FA) application, adding a secure validation to weak and static user passwords. This updated version of ESET’s 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it the best cost-effective solutions for SMBs everywhere.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. For more information visit https://eset.version-2.sg/ or follow us on Facebook.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For more information, please visit www.version-2.com.sg or call (65) 6296-4268.
Join ESET at Facebook