Bad Rabbit: Not-Petya is back with improved ransomware
Created: 2017-11-01 18:00:00
UPDATE (October 27 – 15:35 CEST): A new report suggested that EternalRomance – one of the leaked NSA tools – has been used to spread Diskcoder.D in the network. We were able to confirm this by installing the out-of-life-cycle patch MS17-010 (a patch addressing vulnerabilities misused by the leaked NSA exploits), which stopped the further spread of the malware via IPC share.
A new ransomware outbreak today and has hit some major infrastructure in Ukraine including Kiev metro. Here are some of the details about this new variant.
Drive-by download via watering hole on popular sites
One of the distribution method of Bad Rabbit is via drive-by download. Some popular websites are compromised and have JavaScript injected in their HTML body or in one of their .js file.
Here is a beautified version of the inject:
This script reports the following to 185.149.120[.]3, which doesn’t seem to respond at the moment.
- Browser User-Agent
- Referrer
- Cookie from the visited site
- Domain name of the visited site
Server side logic can determine if the visitor is of interest and then add content to the page. In that case, what we have seen is that a popup asking to download an update for Flash Player is shown in the middle of the page.
When clicking on the “Install” button, download of an executable file from 1dnscontrol[.]com is initiated. This executable file, install_flash_player.exe is the dropper for Win32/Diskcoder.D.
Finally the computer is locked and show the ransom note:
The payment page:
Spreading via SMB
Win32/Diskcoder.D has the ability to spread via SMB. As opposed to some public claims, it does not use the EternalBlue vulnerability like the Win32/Diskcoder.C (Not-Petya) outbreak. First, it scans internal network for open SMB shares. It looks for the following shares:
- admin
- atsvc
- browser
- eventlog
- lsarpc
- netlogon
- ntsvcs
- spoolss
- samr
- srvsvc
- scerpc
- svcctl
- wkssvc
Mimikatz is launched on the compromised computer to harvest credentials. A hardcoded list username and password is also present.
When working credentials are found, the infpub.dat file is dropped into the Windows directory and executed trough SCManager and rundll.exe.
Encryption
Win32/Diskcoder.D is modified version of Win32/Diskcoder.C. Bugs in file encryption were fixed. The encryption now uses DiskCryptor, an open source legitimate software used to do full drive encryption. Keys are generated using CryptGenRandom and then protected by hardcoded RSA 2048 public key.
Like before, AES-128-CBC is used.
Distribution
Interestingly, ESET telemetry shows that Ukraine accounts only for 12.2% of the total number of times we have seen the dropper component Here are the statistics:
- Russia: 65%
- Ukraine: 12.2%
- Bulgaria: 10.2%
- Turkey: 6.4%
- Japan: 3.8%
- Other: 2.4%
This pretty much match the distribution of compromised websites that include the malicious JavaScript. So why Ukraine seems to be more hit than the rest?
It’s interesting to note that all these big compagnies were all hit at the same time. It is possible that the group already had foot inside their network and launched the watering hole attack at the same time as a decoy. Nothing says they fell for the “Flash update”. ESET is still investigating and we will post our finding as we discover them.
Samples
C&C servers
Payment site: http://caforssztxqzf2nm[.]onion
Inject URL: http://185.149.120[.]3/scholargoogle/
Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php
List of compromised sites:
- hxxp://argumentiru[.]com
- hxxp://www.fontanka[.]ru
- hxxp://grupovo[.]bg
- hxxp://www.sinematurk[.]com
- hxxp://www.aica.co[.]jp
- hxxp://spbvoditel[.]ru
- hxxp://argumenti[.]ru
- hxxp://www.mediaport[.]ua
- hxxp://blog.fontanka[.]ru
- hxxp://an-crimea[.]ru
- hxxp://www.t.ks[.]ua
- hxxp://most-dnepr[.]info hxxp://osvitaportal.com[.]ua hxxp://www.otbrana[.]com
- hxxp://calendar.fontanka[.]ru
- hxxp://www.grupovo[.]bg
- hxxp://www.pensionhotel[.]cz
- hxxp://www.online812[.]ru
- hxxp://www.imer[.]ro
- hxxp://novayagazeta.spb[.]ru
- hxxp://i24.com[.]ua
- hxxp://bg.pensionhotel[.]com
- hxxp://ankerch-crimea[.]ru
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
Founded in 1992, ESET is a global provider of security software for enterprises and consumers. ESET’s award-winning, antivirus software system, NOD32, provides real-time protection from known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 offers the smallest, fastest and most advanced protection available, with more Virus Bulletin 100 Awards than any other antivirus product. ESET was named to Deloitte’s Technology Fast 500 five years running, and has an extensive partner network, including corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava, SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is represented worldwide in more than 100 countries.