Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.
On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape.
There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.
Talos assesses with high confidence that a fake Flash Player update is being delivered via a drive-by-download and compromising systems. The sites that were seen redirecting to BadRabbit were a variety of sites that are based in Russia, Bulgaria, and Turkey.
When users visited one of the compromised websites, they were redirected to 1dnscontrol[.]com, the site which was hosting the malicious file. Before the actual malicious file was downloaded a POST request was observed to a static IP address (185.149.120[.]3). This request was found to be posting to a static path of “/scholasgoogle” and provided the user agent, referring site, cookie, and domain name of the session. After the POST the dropper was downloaded from two different paths from 1dnscontrol[.]com, /index.php and /flash_install.php. Despite two paths being utilized only a single file was downloaded. Based on current information, the malware appears to have been active for approximately six hours before the server 1dnscontrol[.]com was taken down. The initial download was observed around 2017-10-24 08:22 UTC.
The dropper (630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) requires a user to facilitate the infection and does not use any exploit to compromise the system directly. This dropper contains the BadRabbit ransomware. Once installed there is an SMB component used for lateral movement and further infection. This appears to use a combination of an included list of weak credentials and a version of mimikatz similar to that which was used in Nyetya. Below is a list of the username/password combinations that we have observed. Note there is overlap with the 1995 cult classic “Hackers”.
|Observed Password List|
Despite initial reports, we currently have no evidence that the EternalBlue exploit is being utilized to spread the infection. However, our research continues and we will update as we learn more.
The malware contains a dropper which is responsible for extracting and executing the worm payload. This payload contains additional binaries stored in the resources (compressed with zlib):
- legitimate binaries associated with DiskCryptor (2 drivers x86/x64 and 1 client);
- 2 mimikatz-like binaries (x86/x64) similar to the sample seen during Nyetya. A popular open source tool used for recovery of user credentials from computer memory using several different techniques.
It drops files into the C:\Windows\ directory. The mimikatz-like binaries are executed using the same technique that was leveraged in the Nyetya campaign. The communication between the payload and the stealer will be performed by a named pipe, for example:
The malware then uses RunDLL32.exe to execute the malware and continue the malicious operations. The malware then creates a scheduled task with the parameters shown in the screenshot below:
In addition to the aforementioned scheduled task, the malware creates a second scheduled task that is responsible for rebooting the system. This second task does not occur instantaneously but is scheduled to occur later.
If the names for these scheduled tasks look familiar they appear to be a reference to Game of Thrones, specifically they match the names of the dragons. The malware also creates a file on the infected user’s desktop called DECRYPT. Executing this file causes the following ransom note to be displayed to victims.
To demonstrate how quickly these sorts of threats can propagate globally, the below graphic reflects the DNS related activity associated with one of the domains that were being used to distribute the fake Adobe Flash update that was used to drop the malware on victims’ systems.
The malware modifies the Master Boot Record (MBR) of the infected system’s hard drive to redirect the boot process into the malware authors code for the purposes of displaying a ransom note. The ransom note that is displayed following the system reboot is below, and is very similar to the ransom notes displayed by other ransomware variants, namely Petya, that we have observed in other notable attacks this year.
This is the payment page from the TOR site:
This is yet another example of how effective ransomware can be delivered leveraging secondary propagation methods such as SMB to proliferate. In this example the initial vector wasn’t a sophisticated supply chain attack. Instead it was a basic drive-by-download leveraging compromised websites. This is quickly becoming the new normal for the threat landscape. Threats spreading quickly, for a short window, to inflict maximum damage. Ransomware is the threat of choice for both its monetary gain as well as destructive nature. As long as there is money to be made or destruction to be had these threats are going to continue.
This threat also amplifies another key area that needs to be addressed, user education. In this attack the user needs to facilitate the initial infection. If a user doesn’t help the process along by installing the flash update it would be benign and not wreak the devastation it has across the region. Once a user facilitates the initial infection the malware leverages existing methods, such as SMB, to propagate around the network without user interaction.
Indicators of Compromise
- 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 C:\Windows\dispci.exe (diskcryptor client)
- 682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806 C:\Windows\cscc.dat (x32 diskcryptor drv)
- 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 C:\Windows\cscc.dat (x64 diskcryptor drv)
- 579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648 C:\Windows\infpub.dat
- 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 (mimikatz-like x86)
- 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c (mimikat-like x64)
Scheduled Tasks names