On October 24, a large-scale ransomware campaign spread across Europe, in campaigns closely mimicking the NotPetya attacks from earlier this year.
Just as was the case with NotPetya, the sample appeared to spread through traditional methods of making SMB connections within a corporate environment, such as using local administrative shares and a predefined list of user accounts and passwords.
File Size : 142,848
MD5 : b14d8faf7f0cbcfad051cefe5f39645f
SHA1 : afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256 : 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Fuzzy : 3072:1keK/MwGT0834YW3pvyh8fcl/iL62iL6KK:Sn/MZd4YW3pvyxl/ini
Magic : PE32 executable for MS Windows (console) Intel 80386 32-bit
Import Hash : 94f57453c539227031b918edd52fc7f1
Compiled Time : Sun Oct 22 02:33:09 2017 UTC
PE Sections (5) : Name Size MD5
.text 72,192 0fa851de532b3dd96e1578a1fe912cea
.rdata 16,896 e69552feb958791e5d7283cd1e9f0b0b
.data 6,656 dc53a4c1670b55450713e13adc573c51
.rsrc 39,936 538045e89d3956ece75779bbffedb57f
.reloc 6,144 664441acad88cda5370381c965d187ab
Analysis is forthcoming, but initial views show that it is a variant of the NotPetya sample. It is not known yet if there is actual code re-use or if simply the tactics and strings were copied from analyzed versions of NotPetya. Just as NotPetya dropped a file named perfc.dat, and called it by an export ordinal value, this Bad Rabbit will drop a similar file named infpub.dat and call it using an almost identical method.
For instance, in the screenshot below, one routine from this initial Bad Rabbit is compared to the respective routine in NotPetya, with Bad Rabbit displayed on the right. There are very striking similarities in code, but also large differences. Notably, there is also a very basic attempt at obfuscation by using a Unicode stack string that resolves to “shutdown /r /t 0”.
The malware also has the ability to clear Windows event logs by using the Windows wevtutil command. This is seen in action as:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
One major change seen in this malware, when being compared to NotPetya, is that the core Petya code is no longer present. Instead, the sample will drop the encryption system driver from the known legitimate DiskCryptor application. This sample will drop the encryption driver onto the local system as cscc.dat and then leverage it to perform disk encryption.
The final payment screen, shown over TOR, is insignificant to analysis but does highlight the added effort that adversaries place on making notable brands of malware:
Indicators of Compromise (IOCs)
Carbon Black products are effective against this attack in multiple ways.
The recommended policy for Cb Defense at a minimum is to block all types of malware from executing (Known, Suspect, and PUP) as well as delay execute for cloud scan to get maximum benefit from Carbon Black’s CDC reputation service. Additional rules to prevent unknown application types from reading process memory, or unknown applications from launching a command interpreter, will help contain threats capable of spreading via credential theft and lateral movement.
The most effective way of blocking this malware is by running Cb Protection in High or Medium enforcement. Cb Protection users can also create custom rules to detect or block the files written by this malware. As always, our best practice recommendation is to create all custom rules in “Report” mode first and assess for false positives. After confirming no false positives in your environment, you can then change to Block.
Rule Type: File Integrity Control
Write Action: Report
Path or File: C:\windows\infpub.dat
In Cb Response, a new threat report has been pushed out via the Advanced Threat feed. Customers who have this feed enabled and configured to alert will detect this ransomware campaign. The threat report consists of the following process search query:
filemod:C:\windows\infpub.dat OR filemod:C:\windows\cscc.dat OR filemod:C:\windows\dispci.exe
Threat feeds will detect the known hashes for this malware. Customers can blacklist known MD5 hashes, the most prominent of which are located in the IOCs section of this report above.
In addition, since this malware uses many common tactics, we already have detection for these in our first-party threat feeds:
- Unusual RunDll Child Scheduled Tasks (Advanced Threats)
- Rundll32 Child Clearing Event Logs (Cb Community)
- Windows Event Command Line Utility Use (Suspicious Indicators)
Possible mitigations include not only patching the known exploit, MS17-010, but also using Group Policy to disable local admin shares on systems.
For more information about the rise of ransomware, and what you can do about Bad Rabbit, check out the Ransomware Epidemic: Stop Bad Rabbit In Its Tracks webcast hosted by Rick McElory, Security Strategist at Carbon Black.