Image Source:http://www.designlync.com/about.html


10.27.2017 UPDATE:  BadRabbit CnC Dormancy

Looks like the Threat Actors have caged this “Killer Rabbit” for now. Most of the servers and sites used by the hackers behind the ransomware appear to have been taken out of service.[1]

Overview: On October 24, 2017, Bad Rabbit, a new ransomware strain related to Petya, hit a number of organizations in Russia and Ukraine. The Russian cybersecurity firm Group-IB first announced the outbreak in a tweet, reporting that three media organizations in the country had been hit by file-encrypting malware. [2]

At the same time, Russian news agency Interfax said its systems have been affected by a “hacker attack”.

“Interfax Group’s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience,” [3]
This new strain of ransomware, actively used in the wild and code-named “BadRabbit”, disguises itself as an Adobe Flash installer in order to gain the user’s trust. Early reports claimed it used EternalBlue; later analysis by Cisco Talos found no EternalBlue but an implementation of the related EternalRomance SMB exploit, used together with Mimikatz-style credential theft to spread in a “worm-like” fashion.

Once executed, the ransomware modifies the bootloader and encrypts the files on the user’s machine.  After the infection is complete BadRabbit presents the user a UI demanding a Bitcoin ransom payment in order to have the files unlocked.

After infecting the user’s machine, the malware can also spread through the local network over SMB, and over Windows Management Instrumentation Command-line (WMIC) and PSExec-style remote execution using a limited, hard-coded credential list.

Initial reports indicated the ransomware was targeting multiple Eastern-European countries including Ukraine, Russia, Turkey, and Bulgaria; however, additional reports have since surfaced in South Korea, Japan, and the United States. Attacks on government institutions, news agencies, and transportation organizations have been reported. At the time of this writing the ransomware is being delivered through compromised legitimate websites, mainly news and media sites.

Ukrainian organizations have posted about systems failing: payment systems on the Kiev Metro appear to have fallen victim to the attack, while in a statement on its Facebook page, Odessa International Airport said its information system had been hit by hackers.[4]

“We inform that the information system of the International Airport “Odessa” suffered a hacker attack,” a translation of the post says. [5]

On 24 OCT 2017 at 05:20 PM, ESET announced that its telemetry had detected hundreds of occurrences of Diskcoder.D. Most detections were in Russia and Ukraine, but there were also reports of affected computers in Turkey, Bulgaria and other countries. [6]

Bad Rabbit shares some similarities with Petya – the ransom note looks almost identical and it can also use SMB to propagate across the infected network. However, researchers say much of the code appears to have been rewritten in this case.

GPS Huntmasters

GuidePoint’s Forensic Intelligence Division, GPS Huntmasters, has had the opportunity to analyze a couple of variants of the BadRabbit malware/ransomware. Through this analysis the team was able to confirm additional (unannounced) IOCs [7] and to document the software’s [8] behavior within our testing environments.

Technical Overview

BadRabbit has been distributed through compromised websites that display a fake Adobe Flash update prompt; the infection chain depends on the end user clicking through it. After the user accepts the malicious popup, the ransomware is downloaded (via http/https) as a Windows binary (e.g., install_flash_player.exe). When run, the file triggers a Windows User Account Control (UAC) prompt, and the user must accept it, granting the malware elevated rights on the system. No exploit is involved at this stage: without the click and the UAC consent the dropper does not obtain the privileges it needs to install its components.

Once executed, the malware deploys the ransomware components onto the user’s machine, fully compromising the endpoint.

Image: Group-IB [9]


The malware drops the file infpub.dat, which it executes with a rundll32 command. infpub.dat then creates the files cscc.dat and dispci.exe in the C:\Windows directory. cscc.dat is a renamed copy of the legitimate disk-encryption driver from the open-source DiskCryptor project; dispci.exe is the client that drives it. Together they encrypt the disk and modify the bootloader so that Windows no longer boots normally. A scheduled task is also created to run dispci.exe at startup. On reboot, the user is presented with the ransom message demanding payment. Because cscc.dat is a legitimate driver, its presence is only meaningful in combination with the other artifacts: hash-match cscc.dat, but alert on dispci.exe, infpub.dat and the scheduled task.

Landfall: BadRabbit

Although the USA and other western countries were not specifically targeted by this campaign, it is only a matter of time before BadRabbit makes US “Landfall”. In fact, according to cybersecurity and antivirus vendor Avast, BadRabbit has already been detected in the USA [10] (2:44 PM – 24 Oct 2017).

Remember, BadRabbit attempts to spread through SMB. [11] It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords that is hard coded in the actual malware.

GuidePoint Forensic Analysis

On October 24, 2017, GuidePoint’s Forensic Intelligence team obtained and analyzed two samples of BadRabbit. A summary of our findings is included below to help identify this malware and upcoming variants.

It should be noted that file names and hash values may change from variant to variant as the Threat Actors adjust their tooling and strategy; the behavioral indicators (dropped file locations, scheduled task names, the rundll32 invocation) are more durable than the hashes.

Analyst Note: Although the samples were detonated in a forensically sound environment, BadRabbit exhibited anti-forensic features and file deletion capabilities; several dropped files were recovered as zero-byte files during analysis and testing.

Samples Analyzed

File name: 9y6VPA4OK.exe
File size: 441899
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

File name: infpub.dll
File size: 410760
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

File name: 6CQZJL6EH.exe
File size: 142848
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Forensic Overview

This malware has multiple elements. Execution starts in the binary file that is responsible for dropping and installing other elements.

During testing, once launched, the initial malware dropped files and did the following:
• Clears the Windows event logs
• Clears the NTFS USN change journal
• Drops executables to the Windows directory (C:\Windows) and starts them
• Shows the ability to spread by using its contained functionality to enumerate network shares of other (attached) devices
• Uses shutdown.exe to shut down or reboot the system
• Contacts additional CnC servers
• Contains functionality to register a low-level keyboard hook
• Contains functionality to infect the boot sector
• File names are dynamically generated
**NOTE: The dropped files register a keyboard hook through the user-mode SetWindowsHookExW API. This is keylogger-like behaviour and should be treated as suspect, but it is not a kernel-level keylogger.

Sample Analysis: fbbdc39af1139aebba4da004475e8839

Memory Analysis

Analysis of volatile memory (RAM) disclosed URLs resident during testing that are attributable to the binaries tested:
hxxp://rb.symcb.com/rb.crl
hxxp://s.symcd.com
hxxp://ts-aia.ws.symantec.com/sha256-tss-ca.cert
hxxp://ts-ocsp.ws.symantec.com
hxxp://ocsp.thawte.com
Caveat: these are Symantec/Thawte CRL, OCSP and timestamp-CA endpoints. Windows contacts them while validating the Authenticode signature on a signed binary (such as the DiskCryptor driver), so they show that a signed file was checked, not command-and-control. Do not add them to blocklists.

Noted Binary Activity

Uses schtasks.exe or at.exe to add and modify task schedules
C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Contains functionality which may be used to detect a debugger (GetProcessHeap). This is a sandbox heuristic based on the following import sequence and is weak evidence on its own:
GetModuleHandleW, GetModuleFileNameW, GetProcessHeap, RtlAllocateHeap, memcpy, GetProcessHeap, GetProcessHeap, RtlAllocateHeap, GetProcessHeap, HeapFree

CnC Connection Attempts:
23.60.139[.]27
Note: this address falls within Akamai CDN address space and is consistent with the certificate-revocation lookups recovered from memory above; treat it as a low-confidence indicator.

Drops PE Files

Path: C:\Windows\infpub.dat (zero byte file size on disk after execution)
MD5: D41D8CD98F00B204E9800998ECF8427E (the MD5 of empty input; it reflects the wiped file, not the sample, and must not be used as an IOC)
SHA1: 79116FE99F2B421C52EF64097F0F39B815B20907
SHA-256: 579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648
The SHA1 and SHA-256 values match the infpub.dll sample above and identify the dropped DLL as written.

Binary Startup Activity

Test System is Windows 7 SP1

  • 9y6VPA4OKL.exe (PID: 3424 cmdline: ‘C:\Users\user\Desktop\9y6VPA4OKL.exe’ MD5: FBBDC39AF1139AEBBA4DA004475E8839)
  • rundll32.exe (PID: 3452 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3464 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3484 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3500 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 4038216979 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3520 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 15:25:00 MD5: AD7B9C14083B52BC532FBA5948342B98)
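As an added triage example (not GuidePoint tooling and not code from the samples), the following PowerShell script checks a host for the artifacts observed above: the dropped files in C:\Windows compared against the SHA-256 values in this report, the rhaegal and drogon scheduled tasks, and Security event 4688 process-creation records matching the command lines in the process tree. It assumes an elevated session, PowerShell 4.0 or later (for Get-FileHash and Get-ScheduledTask; on Windows 7 substitute schtasks /Query), and that process command-line auditing is enabled, otherwise the 4688 search returns nothing.

```powershell
# Added triage example; not GuidePoint or Cybereason code. Run in an elevated
# PowerShell (4.0+) on the suspect host. Hashes, paths and task names are the
# ones recorded in this report.

# SHA-256 of the dropped files as observed in the analyzed samples.
$KnownHashes = @{
    'C:\Windows\infpub.dat' = '579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648'
    'C:\Windows\dispci.exe' = '8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93'
    'C:\Windows\cscc.dat'   = '682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806'
}

function Find-BadRabbitFiles {
    foreach ($path in $KnownHashes.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        # A zero-byte file is either the "vaccine" or an anti-forensic wipe:
        # report it, but do not hash it (MD5 of empty input is d41d8cd9...).
        if ($item.Length -eq 0) {
            [pscustomobject]@{ Path = $path; Status = 'present, zero bytes'; Sha256 = $null }
            continue
        }
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # cscc.dat is a legitimate DiskCryptor driver; a match on it alone is weak,
        # a match on infpub.dat or dispci.exe is not.
        $status = if ($hash -eq $KnownHashes[$path]) { 'MATCH known sample' } else { 'present, unknown hash' }
        [pscustomobject]@{ Path = $path; Status = $status; Sha256 = $hash }
    }
}

function Find-BadRabbitTasks {
    # rhaegal starts dispci.exe at boot; drogon forces the reboot (shutdown /r /t 0 /f).
    foreach ($name in 'rhaegal', 'drogon') {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if (-not $task) { continue }
        [pscustomobject]@{
            Task   = $name
            State  = $task.State
            Action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

function Find-BadRabbitProcessEvents {
    param([int]$Hours = 24)
    # Command-line patterns taken from the process tree above (-match is case-insensitive).
    $patterns = @(
        'rundll32(\.exe)?\s+\S*infpub\.dat,#1',
        'schtasks\s+/Create\b.*/TN\s+(rhaegal|drogon)\b',
        'shutdown\.exe\s+/r\s+/t\s+0\s+/f',
        'dispci\.exe\S*\s+-id\s+\d+'
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the CommandLine field by name from the event XML rather than by index,
        # so the lookup does not depend on the 4688 field layout of a given OS build.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if (-not $cmd) { return }   # command-line auditing not enabled for this event
        foreach ($p in $patterns) {
            if ($cmd -match $p) {
                [pscustomobject]@{ Time = $_.TimeCreated; Pattern = $p; CommandLine = $cmd }
                break
            }
        }
    }
}

Find-BadRabbitFiles         | Format-Table -AutoSize
Find-BadRabbitTasks         | Format-Table -AutoSize
Find-BadRabbitProcessEvents | Format-Table -AutoSize
```

Any hit on the rhaegal or drogon task, or a 4688 record for rundll32 loading infpub.dat, should be treated as an active infection rather than a hash match to be confirmed: the task names and the rundll32 invocation were identical across both samples analyzed here, while the file hashes are expected to change between variants.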


Windows Behavior

C:\Windows\system32\IMM32.DLL
– read attributes and synchronize and generic read
– read data or list directory and execute or traverse and synchronize

C:\Windows\AppPatch\sysmain.sdb
– read attributes and synchronize and generic read

C:\Windows\system32\apphelp.dll
– read data or list directory and execute or traverse and synchronize

Sample Analysis: 1d724f95c61f1055f0d02c2154bbccd3

Memory Analysis
N/a

Noted Binary Activity

Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN Rhaegal

Spawns processes
– C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST
– C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Drops PE Files

(Zero byte file size)
MD5: D41D8CD98F00B204E9800998ECF8427E (the MD5 of empty input; not a usable IOC)
SHA1: B4D371272FE9C5A7C7936D32DEE609019CC24C31
SHA-256: FA6FE917BCB4F9CE5FE03B71F5E4AF392FB63A4DA4E142C691CCAF9042AB4DCE

Binary Startup Activity

Test System is Windows 7 SP1

  • loaddll32.exe (PID: 3276 cmdline: loaddll32.exe ‘C:\Users\user\Desktop\infpub.dll’ MD5: D2792A55032CFE825F07DCD4BEC5F40F)
  • rundll32.exe (PID: 3284 cmdline: rundll32.exe C:\Users\user\Desktop\infpub.dll,#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3296 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3316 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3328 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3340 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 16:03:00 MD5: AD7B9C14083B52BC532FBA5948342B98)


Windows Behavior

N/a

Sample Analysis: b14d8faf7f0cbcfad051cefe5f39645f

Memory Analysis

Analysis of volatile memory (RAM) disclosed one URL resident during testing that is attributable to the binary tested:

hxxp://diskcryptor.net/
Caveat: this is the DiskCryptor project’s home page, carried as a string in the DiskCryptor-derived code; it is not evidence of network activity.

Noted Binary Activity

Contains functionality to register a low-level keyboard hook
– SetWindowsHookExW 00000002,Function_00003FC0,00000000,00000000
Contains functionality to read data from the clipboard
Contains functionality to infect the boot sector
Detected the Windows Explorer process (often used for injection)
Connects to many different private IPs via SMB (likely to spread or exploit)

Drops PE Files

This file has been seen in most BadRabbit samples analyzed.
C:\Windows\dispci.exe (zero byte file size on disk after execution)
File Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: D41D8CD98F00B204E9800998ECF8427E (the MD5 of empty input; not a usable IOC)
SHA1: AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD
SHA-256: 8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
The SHA1 and SHA-256 values match the 6CQZJL6EH.exe sample above.

File name: cscc.dat
File size: 181448
MD5: b4e6d97dafd9224ed9a547d52c26ce02
SHA1: 59cd4907a438b8300a467cee1c6fc31135757039
SHA256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806

Binary Startup Activity

Test System is Windows 7 SP1

  • 6CQZJL6EHc.exe (PID: 3464 cmdline: ‘C:\Users\user\Desktop\6CQZJL6EHc.exe’ MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)
  • cmd.exe (PID: 3492 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3512 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)


Windows Behavior

C:\Windows\Globalization\Sorting\sortdefault.nls
– read attributes and synchronize and generic read
C:\Windows\system32\rsaenh.dll
– read attributes and synchronize and generic read
C:\Windows\system32\IMM32.DLL
– read data or list directory and execute or traverse and synchronize
C:\Windows\cscc.dat
– File attributes queried
– Return Compare (GetFileAttributesW) executed

BadRabbit Vaccine

According to Cybereason, users can “vaccinate” their computers against BadRabbit by pre-creating the files the malware needs to drop and denying it the ability to write them. Note: GuidePoint has not tested this “vaccine”, and all changes to any systems should be approved by your network administration teams and follow proper change control procedures before they are implemented.

The process has two primary steps:
1. Create two empty files, C:\Windows\infpub.dat and C:\Windows\cscc.dat.
2. Open each file’s Properties, Security tab, disable inheritance so the files do not inherit the permissions of the C:\Windows folder, and remove all permission entries from both files.
The vaccine only defeats variants that use these exact file names; as noted above, file names may change between variants.

Detailed guide on setting up files with no permissions or a “BadRabbit Vaccine”. https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware
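The two steps above, scripted in PowerShell as an added example (this is not Cybereason’s or GuidePoint’s code). It assumes an elevated session on the host being vaccinated, and it refuses to touch a non-empty file with one of these names, since that would be an infection artifact rather than a vaccine. The verification function relies on the owner of the files (BUILTIN\Administrators when created elevated) implicitly holding READ_CONTROL, which is what still allows the empty DACL to be read back.

```powershell
# Added example implementing the two vaccine steps above; not GuidePoint or
# Cybereason code. Run elevated, after change control.
$VaccinePaths = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'

function Install-BadRabbitVaccine {
    param([string[]]$Paths = $VaccinePaths)
    foreach ($path in $Paths) {
        if (Test-Path -LiteralPath $path) {
            $len = (Get-Item -LiteralPath $path -Force).Length
            if ($len -ne 0) {
                # A non-empty file with this name is evidence of infection, not a vaccine:
                # leave it in place for forensics.
                Write-Warning "$path exists with $len bytes; skipping. Treat this host as suspect."
                continue
            }
        } else {
            # Step 1: create the empty placeholder file.
            New-Item -Path $path -ItemType File | Out-Null
        }
        $acl = Get-Acl -LiteralPath $path
        # Step 2a: stop inheriting from C:\Windows and discard the inherited entries
        # (second argument $false = do not copy them as explicit entries).
        $acl.SetAccessRuleProtection($true, $false)
        # Step 2b: remove any remaining explicit entries so the DACL is empty and
        # no principal, SYSTEM included, has any access to the file.
        foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    # Verification: the file must exist, be empty, have inheritance disabled and an empty DACL.
    # Reading the ACL still works because the owner implicitly holds READ_CONTROL.
    param([string[]]$Paths = $VaccinePaths)
    foreach ($path in $Paths) {
        $ok = $false
        if (Test-Path -LiteralPath $path) {
            $acl = Get-Acl -LiteralPath $path
            $ok  = $acl.AreAccessRulesProtected -and
                   ($acl.Access.Count -eq 0) -and
                   ((Get-Item -LiteralPath $path -Force).Length -eq 0)
        }
        [pscustomobject]@{ Path = $path; Vaccinated = $ok }
    }
}

Install-BadRabbitVaccine
Test-BadRabbitVaccine | Format-Table -AutoSize
```

A quick independent check is `icacls C:\Windows\infpub.dat`, which should list no ACEs. To back the change out, run an elevated `icacls C:\Windows\infpub.dat /grant Administrators:F` (the owner’s implicit WRITE_DAC permits this) and then delete the file.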

BadRabbit IOCs

GuidePoint has identified additional IOCs during the course of the testing that should be incorporated into organizational defenses. These IOCs are provided below:

IPv4

5.61.37[.]209*
23.60.139[.]27*
23.50.75[.]27*
23.63.139[.]27*
185.149.120[.]3

“*” Not previously identified; discovered by GuidePoint during testing.
Caveat: the three 23.x addresses fall within Akamai CDN address space and are consistent with the Symantec/Thawte CRL and OCSP lookups recovered from memory during analysis. Check what resolved to them in your own DNS and proxy logs before blocking, as blocking CDN addresses can break certificate validation for unrelated software.

HASH Values

– de5c8d858e6e41da715dca1c019df0bfb92d32c0 (SHA1)
  o install_flash_player.exe: the dropper as served from 1dnscontrol[.]com
– fbbdc39af1139aebba4da004475e8839 (MD5)
  o Dropper (same file as above)
– 1d724f95c61f1055f0d02c2154bbccd3 (MD5)
  o infpub.dat: the main DLL
– b4e6d97dafd9224ed9a547d52c26ce02 (MD5)
  o cscc.dat: legitimate driver used for the disk encryption (diskcryptor.net)
– afeee8b4acff87bc469a6f0364a81ae5d60a2add (SHA1)
  o dispci.exe
– b14d8faf7f0cbcfad051cefe5f39645f (MD5)
  o dispci.exe: installs the bootlocker and communicates with the driver (cscc.dat)
– d41d8cd98f00b204e9800998ecf8427e
  o MD5 of a zero-byte file. Listed because it appears in the dropped-file records above, but it matches any empty file and must not be deployed as an indicator.

URLs

Payload host that served the fake Flash installer:
hxxp://1dnscontrol.com/flash_install.php
1dnscontrol[.]com

Compromised legitimate sites observed redirecting visitors to the payload host. Block or monitor them while the campaign is active, but note that they are victims rather than attacker infrastructure:
an-crimea[.]ru
ankerch-crimea[.]ru
argumenti[.]ru
argumentiru[.]com
bg.pensionhotel[.]com
blog.fontanka[.]ru
calendar.fontanka[.]ru
grupovo[.]bg
i24.com[.]ua
most-dnepr[.]info
novayagazeta.spb[.]ru
osvitaportal.com[.]ua
spbvoditel[.]ru
aica.co[.]jp
fontanka[.]ru
imer[.]ro
mediaport[.]ua
online812[.]ru
otbrana[.]com
pensionhotel[.]cz
sinematurk[.]com
t.ks[.]ua

Tor payment URL: caforssztxqzf2nm[.]onion

Additional References

https://isc.sans.edu/forums/diary/BadRabbit+New+ransomware+wave+hitting+RU+UA/22964/
https://gizmodo.com/bad-rabbit-ransomware-strikes-russia-and-ukraine-1819814538
https://twitter.com/lorenzofb/status/922946057318871041
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
https://pastebin.com/01C05L0C
https://app.any.run/tasks/9198fd01-5898-4db9-8188-6ad2ad4f0af3
http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/
https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/
https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported


Cited Resources

[1] https://motherboard.vice.com/en_us/article/d3dp5q/infrastructure-for-the-bad-rabbit-ransomware-appears-to-have-shut-down

[2] http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/

[3] http://www.interfax.com/newsinf.asp?id=786280

[4] http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/

[5] https://www.facebook.com/odessa.aero/posts/704524863080360

[6] https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/

[7] IOCs were identified exclusively in the GuidePoint vSOC Spot Report; “Bad Rabbit Ransomware”, Update 1, October 25, 2017

[8] Malware is software that is designed to do malicious or unauthorized activity or have unauthorized functionality

[9] https://twitter.com/GroupIB/status/922818401382346752

[10] https://twitter.com/avast_antivirus/status/922941896439291904?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fsmall-amount-of-bad-rabbit-ransomware-victims-detected-in-the-usa%2F

[11] https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property and reduce cybersecurity risk on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.