Bad Rabbit: A new ransomware attack

[Image: Bad Rabbit payment site]

Yesterday, 24 October 2017, a massive ransomware attack named Bad Rabbit was identified worldwide.

Initial data revealed that the threat spread mainly in Russia, Ukraine, Turkey and Germany, infecting more than 200 victims.

The speed with which Bad Rabbit spread is similar to the WannaCry and NotPetya outbreaks that hit in May and June 2017, respectively.

Bad Rabbit belongs to the ransomware malware family: threats that encrypt victims' and organizations' data and demand a ransom in BTC (Bitcoin) to decrypt it.

Based on the information currently available, Bad Rabbit appears to target company networks, like the PetrWrap ransomware (with which it shares about 13% of its source code).

Attack Vector

The attack vector used to distribute Bad Rabbit is a drive-by download: when visiting legitimate news websites, the visitor is redirected to hxxp://1dnscontrol[.]com/flash_install.php so that Bad Rabbit is downloaded automatically.

Once downloaded, the ransomware has to be launched manually by the user to activate it, since it is disguised as a Flash Player setup file named install_flash_player.exe.

Activation

In order to run, the malware requires administrative privileges on the host; in fact, it tries to open a command prompt. If the command prompt is started, the malware is executed through the rundll32.exe process with the following command:

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat, #1 15

Once the malware is installed, it forces a PC reboot and behaves like a typical ransomware, encrypting files on the PC using an RSA-2048 key.

Bad Rabbit uses an open source utility, DiskCryptor (https://diskcryptor.net/wiki/Main_Page), to securely encrypt the victims' hard disks.

The following file extensions are targeted for encryption:

.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

Analyzing the source code, an interesting detail is that there are many references to the TV series Game of Thrones: it looks like the criminals behind this malware are fans.

Lateral Movement

Bad Rabbit tries to spread and move across the company network through dictionary attacks over the SMB protocol; the following usernames and passwords are tried by the malware:

Usernames: Administrator, Admin, Guest, User, User1, user-1, Test, root, buh, boss, ftp, rdp, rdpuser, rdpadmin, manager, support, work, other user, operator, backup, asus, ftpuser, ftpadmin, nas, nasuser, nasadmin, superuser, netguest, alex

Passwords: Administrator, administrator, Guest, guest, User, user, Admin, adminTest, test, root, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, Administrator123, administrator123, Guest123, guest123, User123, user123, Admin123, admin123Test123, test123, password, 111111, 55555, 77777, 777, qwe, qwe123, qwe321, qwer, qwert, qwerty, qwerty123, zxc, zxc123, zxc321, zxcv, uiop, 123321, 321, love, secret, sex, god
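A defender-side check for this behaviour, as an added example that is not part of the original post: it looks for one source address failing logons against many distinct accounts within a short window, which is what a dictionary attack over SMB leaves in the target's Security log. The event records, the 10.0.0.x addresses and the thresholds are constructed assumptions for the illustration.

```powershell
# Added example (not from the original post). On a real host the same three
# fields (time, source IP, target account) come from Security event 4625, e.g.
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}; the records
# below are constructed so the function can be run offline.

function Find-DictionaryAttackSources {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time, Source, Account
        [int] $MinAccounts = 5,                      # distinct accounts from one source...
        [int] $WindowMinutes = 10                    # ...inside this many minutes
    )
    $hits = @()
    foreach ($group in ($Events | Group-Object -Property Source)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window starting at event $i: count distinct accounts tried.
            $limit = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $inWindow = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $limit })
            $accounts = @($inWindow | Select-Object -ExpandProperty Account -Unique)
            if ($accounts.Count -ge $MinAccounts) {
                $hits += [pscustomobject]@{
                    Source   = $group.Name
                    From     = $sorted[$i].Time
                    Accounts = $accounts -join ', '
                }
                break   # one finding per source is enough
            }
        }
    }
    return $hits
}

# Constructed sample: 10.0.0.7 walks part of the Bad Rabbit username list in
# under two minutes; 10.0.0.20 is a user mistyping their own password twice.
$t = Get-Date '2017-10-24T09:00:00'
$sample = @()
$n = 0
foreach ($u in 'Administrator', 'Admin', 'Guest', 'User', 'rdpadmin', 'nasadmin', 'backup') {
    $sample += [pscustomobject]@{ Time = $t.AddSeconds(15 * $n); Source = '10.0.0.7'; Account = $u }
    $n++
}
$sample += [pscustomobject]@{ Time = $t.AddMinutes(3); Source = '10.0.0.20'; Account = 'jdoe' }
$sample += [pscustomobject]@{ Time = $t.AddMinutes(4); Source = '10.0.0.20'; Account = 'jdoe' }

# Only 10.0.0.7 crosses the threshold; the repeated failures from 10.0.0.20
# involve a single account and are not reported.
Find-DictionaryAttackSources -Events $sample | Format-List
```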

 

 

 

Request for Ransom

Like every ransomware, Bad Rabbit demands a ransom of 0.05 BTC (about $280.00) within 40 hours; otherwise the BTC amount demanded will increase.

How to defend yourself

You can defend your infrastructure by following the suggestions below:

  • Limit administrative privileges to administrative users only, so that the ransomware, which tries to start by asking for the highest privileges, cannot be launched and executed.
  • Update the antivirus signatures on the endpoints.

Further prevention suggestions could be:

  • Create the files C:\Windows\infpub.dat and C:\Windows\cscc.dat and remove all permissions on them.
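The last suggestion implemented as a PowerShell script (an added example, not the post's own tooling); it assumes an elevated session and uses only built-in cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): applies the "vaccine" described
# above. The dropper writes infpub.dat and cscc.dat into C:\Windows; if those
# names already exist as files nobody is allowed to write, the drop fails.
# Note that an attacker who already holds admin rights could still take
# ownership and reset the ACL; the vaccine only works against a dropper that
# does not bother to do so.

$vaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

foreach ($path in $vaccineFiles) {
    if (Test-Path -LiteralPath $path) {
        # An existing, non-empty file at this path is an indicator, not something to overwrite.
        if ((Get-Item -LiteralPath $path -Force).Length -gt 0) {
            Write-Warning "$path already exists and is not empty; investigate before continuing."
            continue
        }
    } else {
        New-Item -ItemType File -Path $path | Out-Null
    }

    # Make the file read-only first (this needs write access, which we are about
    # to remove), then strip every ACE: disable inheritance without copying the
    # inherited entries and drop any explicit entries that may exist.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Verify: no ACEs should remain. The owner keeps the implicit right to read
    # the DACL, which is why Get-Acl still works here.
    $remaining = (Get-Acl -LiteralPath $path).Access.Count
    if ($remaining -eq 0) { Write-Host "OK  $path has no access rules" }
    else { Write-Warning "$path still has $remaining access rule(s)" }
}
```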

 

IoC – Indicators of Compromise

Hash

  IOC Type                  Value
  Install_flash_player.exe  fbbdc39af1139aebba4da004475e8839 (MD5)
  Install_flash_player.exe  630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da (SHA-256)
  infpub.dat                1d724f95c61f1055f0d02c2154bbccd3 (MD5)
  infpub.dat                579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 (SHA-256)
  dispci.exe                b14d8faf7f0cbcfad051cefe5f39645f (MD5)
  dispci.exe                8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 (SHA-256)
  cscc.dat (dcrypt.sys)     0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 (SHA-256)

Network Activity

  caforssztxqzf2nm.onion
  http://1dnscontrol[.]com/

Files

  C:\Windows\infpub.dat
  C:\Windows\System32\Tasks\drogon
  C:\Windows\System32\Tasks\rhaegal
  C:\Windows\cscc.dat

Windows Services

  Display Name                         Image Path
  Windows Client Side Caching DDriver  cscc.dat
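A host-level hunt over the indicators above, as an added example that is not part of the original post: the hash values are copied from the table, the two file paths come from the Files list, and the task and service names from the lists above; everything else is standard Windows tooling.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): checks one Windows host for the
# file, scheduled-task and service indicators listed in the IoC section.
$ErrorActionPreference = 'SilentlyContinue'   # a missing task or file is not an error here
$findings = @()

# Hashes from the IoC table, keyed lower-case for comparison.
$knownHashes = @{
    'fbbdc39af1139aebba4da004475e8839'                                 = 'install_flash_player.exe (MD5)'
    '630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da' = 'install_flash_player.exe (SHA256)'
    '1d724f95c61f1055f0d02c2154bbccd3'                                 = 'infpub.dat (MD5)'
    '579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648' = 'infpub.dat (SHA256)'
    'b14d8faf7f0cbcfad051cefe5f39645f'                                 = 'dispci.exe (MD5)'
    '8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93' = 'dispci.exe (SHA256)'
    '0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6' = 'cscc.dat / dcrypt.sys (SHA256)'
}

# 1. Dropped files. Paths come from the Files list; add more (for example a
#    downloaded install_flash_player.exe) to hash-check them against the table too.
$scanPaths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')
foreach ($path in $scanPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force
    if (-not $item -or $item.Length -eq 0) { continue }   # zero-length vaccine placeholder, not malware
    $findings += "FILE PRESENT    $path ($($item.Length) bytes)"
    foreach ($algo in 'MD5', 'SHA256') {
        $h = (Get-FileHash -LiteralPath $path -Algorithm $algo).Hash.ToLower()
        if ($knownHashes.ContainsKey($h)) { $findings += "HASH MATCH      $path = $($knownHashes[$h])" }
    }
}

# 2. Scheduled tasks (drogon / rhaegal) registered by the malware.
foreach ($name in 'drogon', 'rhaegal') {
    if (Get-ScheduledTask -TaskName $name) { $findings += "SCHEDULED TASK  $name" }
    if (Test-Path -LiteralPath "C:\Windows\System32\Tasks\$name") { $findings += "TASK FILE       C:\Windows\System32\Tasks\$name" }
}

# 3. Service installed for the DiskCryptor driver (display name / image path from the table).
Get-CimInstance Win32_Service | Where-Object {
    $_.DisplayName -eq 'Windows Client Side Caching DDriver' -or $_.PathName -match 'cscc\.dat'
} | ForEach-Object { $findings += "SERVICE         $($_.Name) -> $($_.PathName)" }

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Bad Rabbit indicators found on this host.' }
```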