
Yesterday, 24 October 2017, a massive ransomware attack, named Bad Rabbit, was identified worldwide.
Initial data show that the threat spread mainly in Russia, Ukraine, Turkey and Germany, infecting more than 200 victim users.
The speed with which Bad Rabbit spread is similar to the WannaCry and NotPetya outbreaks that hit in May and June 2017, respectively.
Bad Rabbit belongs to the ransomware malware family: threats that encrypt users' and organizations' data and demand a ransom in BTC (Bitcoin) to decrypt them.
Based on the information currently available, Bad Rabbit appears to target company networks, like the PetrWrap ransomware (with about 13% source code similarity).
Attack Vector
The attack vector used to distribute the Bad Rabbit ransomware is a drive-by download: while visiting legitimate news websites, the user is redirected to hxxp://1dnscontrol[.]com/flash_install.php so that Bad Rabbit can be downloaded automatically.
Once downloaded, the ransomware has to be launched manually by the user, who is tricked into doing so because it looks like a Flash Player setup file, named install_flash_player.exe.
Activation
In order to run, the malware requires administrative privileges on the host; in fact, it tries to launch a command prompt. If the command prompt starts, the malware runs through the rundll32.exe process with the following command:
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15
Once the malware is installed, it forces a PC reboot and acts like a typical ransomware, encrypting files on the PC using an RSA-2048 key.
Bad Rabbit uses an open-source utility, DiskCryptor (https://diskcryptor.net/wiki/Main_Page), to encrypt the victims' hard disks with strong encryption.
The following file extensions are targeted for encryption:
.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip
Analyzing the source code, an interesting detail is that there are many references to the TV series Game of Thrones: it looks like the criminals behind this malware are fans.
Lateral Movement
Bad Rabbit tries to spread across the company network through dictionary attacks over the SMB protocol; the usernames and passwords tried by the malware are the following:
Usernames:
Administrator, Admin, Guest, User, User1, user-1, Test, root, buh, boss, ftp, rdp, rdpuser, rdpadmin, manager, support, work, other user, operator, backup, asus, ftpuser, ftpadmin, nas, nasuser, nasadmin, superuser, netguest, alex
Passwords:
Administrator, administrator, Guest, guest, User, user, Admin, adminTest, test, root, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, Administrator123, administrator123, Guest123, guest123, User123, user123, Admin123, admin123Test123, test123, password, 111111, 55555, 77777, 777, qwe, qwe123, qwe321, qwer, qwert, qwerty, qwerty123, zxc, zxc123, zxc321, zxcv, uiop, 123321, 321, love, secret, sex, god
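On a target host, the SMB dictionary attack described above leaves a burst of failed network logons (Event ID 4625, logon type 3) from one source address cycling through the usernames listed. The following PowerShell script is an added example, not part of the original post: it reads the local Security log and reports sources that match that pattern. It assumes failed-logon auditing is enabled and an elevated prompt; the threshold and the subset of usernames checked are illustrative.

```powershell
# Added example (not from the original post): find hosts hammering this machine
# with failed network logons, the footprint of the credential list above.
function Find-SmbDictionaryAttempts {
    param([int]$Hours = 24, [int]$Threshold = 10)
    # A few of the usernames the malware tries, taken from the list on the page
    $badRabbitUsers = 'rdpuser', 'rdpadmin', 'nasadmin', 'netguest', 'buh', 'ftpadmin'
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    # Flatten each event's EventData into Source / User / Time rows
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '3') {   # network logon, as used by SMB
            [pscustomobject]@{ Source = $d['IpAddress']; User = $d['TargetUserName']; Time = $e.TimeCreated }
        }
    }
    # One summary line per source address that exceeds the threshold
    $rows | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $users = @($_.Group.User | Sort-Object -Unique)
        [pscustomobject]@{
            Source            = $_.Name
            Attempts          = $_.Count
            DistinctUsers     = $users.Count
            FromBadRabbitList = @($users | Where-Object { $badRabbitUsers -contains $_ }).Count
            FirstSeen         = ($_.Group.Time | Sort-Object)[0]
        }
    }
}

Find-SmbDictionaryAttempts | Format-Table -AutoSize
```

A high DistinctUsers count from a single source in a short window, especially with hits in FromBadRabbitList, is the signal to isolate that source and check it with the IoCs at the end of this post.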
Request for Ransom
Like every ransomware, Bad Rabbit demands a ransom of 0.05 BTC (about $280.00) within 40 hours; otherwise the BTC amount required will increase.
How to defend yourself
You can defend your infrastructure by following the suggestions below:
- Limit administrative privileges to administrative users only, so that the ransomware, which tries to start by asking for the highest privileges, cannot run.
- Update antivirus signatures on the endpoints.
Further preventive measures could be:
- Create the files C:\Windows\infpub.dat and C:\Windows\cscc.dat and remove all permissions on them.
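The last suggestion can be applied with the following PowerShell script, added here as an example and not part of the original post. It creates the two file names on the page as empty placeholders, stops permission inheritance and strips every remaining access rule, so the dropper cannot overwrite them. It assumes an elevated prompt and the paths given above.

```powershell
# Added example (not from the original post): pre-create the files Bad Rabbit
# drops and leave them with an empty DACL. Run from an elevated PowerShell.
$paths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Protect-PlaceholderFile {
    param([string]$Path)
    # Create an empty placeholder only if nothing is there yet
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting the parent directory's permissions and do not copy them
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit access rule that is left (copy first: the collection changes)
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-AceCount {
    param([string]$Path)
    # Verification: number of access rules now on the file (expected 0)
    return @((Get-Acl -LiteralPath $Path).Access).Count
}

foreach ($p in $paths) {
    Protect-PlaceholderFile -Path $p
    "{0}: {1} ACE(s) remaining" -f $p, (Get-AceCount -Path $p)
}
```

An empty DACL denies access to everyone, including administrators; to undo it later, take ownership of the file and grant yourself Full Control again.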
IoC – Indicators of Compromise
Hashes (file name: MD5 / SHA-256):
Install_flash_player.exe: fbbdc39af1139aebba4da004475e8839 / 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
infpub.dat: 1d724f95c61f1055f0d02c2154bbccd3 / 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
dispci.exe: b14d8faf7f0cbcfad051cefe5f39645f / 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
cscc.dat (dcrypt.sys): SHA-256 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
Network activity:
caforssztxqzf2nm.onion
Files:
C:\Windows\infpub.dat
C:\Windows\System32\Tasks\drogon
C:\Windows\System32\Tasks\rhaegal
C:\Windows\cscc.dat
Windows services (display name / image path):
Windows Client Side Caching DDriver / cscc.dat
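The file, scheduled-task and service indicators above can be checked on a host with the following PowerShell function, added here as an example and not part of the original post. The SHA-256 values are copied from the table; a zero-byte infpub.dat or cscc.dat is treated as the vaccine placeholder from the defence section, not as the dropper. It assumes an elevated prompt.

```powershell
# Added example (not from the original post): report which Bad Rabbit IoCs
# from the table above are present on this host.
function Test-BadRabbitIoc {
    $findings = @()
    # SHA-256 hashes from the IoC table (lower case for comparison)
    $knownSha256 = @(
        '630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da', # Install_flash_player.exe
        '579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648', # infpub.dat
        '8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93', # dispci.exe
        '0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6'  # cscc.dat (dcrypt.sys)
    )
    # Dropped files and task definitions listed on the page
    $paths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat',
               'C:\Windows\System32\Tasks\drogon', 'C:\Windows\System32\Tasks\rhaegal')
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p
        # Zero-byte file: the vaccine placeholder, not the malware
        if ($item.Length -eq 0) { continue }
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        if ($knownSha256 -contains $hash) {
            $findings += "Known Bad Rabbit hash at $p ($hash)"
        } else {
            $findings += "Indicator path present: $p"
        }
    }
    # Service or driver entry whose image path is cscc.dat (the DiskCryptor driver)
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        $hits = Get-CimInstance -ClassName $class | Where-Object { $_.PathName -match 'cscc\.dat' }
        foreach ($h in @($hits)) {
            $findings += "$class '$($h.DisplayName)' loads $($h.PathName)"
        }
    }
    return $findings
}

$result = @(Test-BadRabbitIoc)
if ($result.Count -eq 0) { 'No Bad Rabbit indicators found' } else { $result }
```

The .onion address in the table is not checked here; that belongs in proxy or DNS logs rather than on the host.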