On October 24, 2017, security firms and media organizations began reporting on an active ransomware campaign that, as of this writing, has primarily targeted entities in Russia and Eastern Europe. The infections are believed to have begun on October 24 at approximately 12:16 UTC, as evidenced by an infected company’s tweet shown in Figure 1. The ransomware, dubbed “Bad Rabbit,” has infected a number of organizations across Russia and Eastern Europe, including the Russian news agency Interfax and machines in the Kiev Metro. The Odessa International Airport in Ukraine has also confirmed that it was targeted by a cyber-attack that caused flight delays; however, it is unclear whether that attack is Bad Rabbit. At the time of this writing, the threat actor/group behind this attack is unknown.
Figure 1 - Interfax News stating on Twitter that the servers have failed due to a virus attack
Bad Rabbit is believed to be a variant of the “Diskcoder” ransomware; other sources compare Bad Rabbit to the “Petya/NotPetya/ExPetr” ransomware and suggest it may be a new variant of Petya. The initial infection vector is believed to be compromised Russian websites (drive-by downloads) serving a fake Adobe Flash Player installer (Figure 3). Additionally, the ransomware is able to propagate through a network via Server Message Block (SMB). If the ransomware infects a machine, the user is presented on reboot with a ransom note in red letters. Interestingly, this is the same format used in the Petya attacks of June 2017. The actor/group requests 0.05 bitcoins (BTC) (approximately $286.29 USD) for the decryption key. Furthermore, the ransom note shows a countdown, beginning at 40 hours, indicating the time a user has to pay the ransom before the price increases.
Countries with Bad Rabbit Infections
- Interfax News
- Kiev Metro
- Ministry of Infrastructure of Ukraine
- Odessa International Airport
It appears that the ransomware dropper was delivered by drive-by downloads on a number of compromised legitimate sites, all of them news and media websites. A pop-up states that an update for “Adobe Flash” is available and offers an install button. The dropper is downloaded from “http://1dnscontrol[.]com/flash_install.php”. The download is a Windows executable with a Flash icon, as shown in Figure 2. The dropper is signed with two invalid digital certificates masquerading as certificates issued by “Symantec Corporation” (Figure 3). Figure 4 shows some details extracted from the sample.
Figure 2 - Dropper with Flash Icon
Figure 3 - Digital Certificate used on Dropper
Figure 4 - Details for Fake Adobe Flash Player Installer
The dropper creates a file called “infpub.dat” in the Windows folder. This file is a DLL which the dropper executes by creating the process “rundll32.exe C:\Windows\infpub.dat,#1 15”. This DLL performs most of the actions. The ransomware targets and encrypts files with the following file extensions:
- 3ds, 7z, accdb, ai, asm, asp, aspx, avhd, back, bak, bmp, brw, c, cab, cc, cer, cfg, conf, cpp, crt, cs, ctl, cxx, dbf, der, dib, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, hpp, hxx, iso, java, jfif, jpe, jpeg, jpg, js, kdbx, key, mail, mdb, msg, nrg, odc, odf, odg, odi, odm, odp, ods, odt, ora, ost, ova, ovf, p12, p7b, p7c, pdf, pem, pfx, php, pmf, png, ppt, pptx, ps1, pst, pvi, py, pyc, pyw, qcow, qcow2, rar, rb, rtf, scm, sln, sql, tar, tib, tif, tiff, vb, vbox, vbs, vcb, vdi, vfd, vhd, vhdx, vmc, vmdk, vmsd, vmtm, vmx, vsdx, vsv, work, xls, xlsx, xml, xvd, zip.
Once the encryption process is finished, Bad Rabbit drops the decrypter (details from the file are shown in Figure 5) at “C:\Windows\dispci.exe” and creates a scheduled task to ensure that the malware is executed when the machine boots. The added scheduled task is shown in Figure 6. The task is created by executing the following command:
“C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start '' 'C:\Windows\dispci.exe' -id 1639747589 && exit'”.
Figure 5 - Details for the decrypter dropped by the malware
Figure 6 - Scheduled task for executing the decrypter at startup
The ID is different for each infected machine. The task is named “rhaegal,” which is the name of one of the dragons in the television show Game of Thrones. The decrypter removes the scheduled task once it is started. This can be seen in Figure 7.
Figure 7 - The beginning of the decrypter’s Main Function
Bad Rabbit will also ensure the machine is restarted approximately 15 minutes after the infection by creating another scheduled task as shown in Figure 8. The task is added by the following command:
“C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 18:03:00”.
The timestamp depends on when the malware was executed. This task is named “drogon,” which is also the name of one of the dragons in Game of Thrones.
Figure 8 - Scheduled task for restarting the machine
The ransom website is hosted on an “.onion” domain, specifically “caforssztxqzf2nm[.]onion,” and can only be accessed via the Tor network. It shows a colorful animation of text “decrypting” (Figure 9) that reveals instructions for the victim to enter the personal installation code given in the ransom note. After following the instructions, the victim is assigned a bitcoin wallet address to which the ransom is to be deposited. The assigned address is also used to verify that the payment has been made and to receive a decryption password, according to the instructions (Figure 10). The website was prepared at least a few days in advance of the attack: the “Last Modified” property of the hidden service’s “index.html” page is Thursday, October 19, as shown in Figure 11.
Figure 9 - Fake text decryption animation
Figure 10 - Bad Rabbit ransom payment hidden service
Figure 11 - Last Modified property of the index.html file of the hidden service
Bad Rabbit uses DHCP to find other machines on the same subnet (Figure 12). For each IP address on the network, the malware checks whether port 445 or 139 is open (Figure 13) by opening a network socket to the port.
Figure 12 - Bad Rabbit uses DHCP to enumerate machines on the subnet
Figure 13 - Port checking by opening sockets to port 445 and 139
If either port is open, Bad Rabbit tries to authenticate to the machine over SMBv1 (Figure 14) using credentials extracted from the host with “Mimikatz”, as well as a list of hardcoded usernames and passwords (Figure 15). With these credentials, it tries to connect to a set of named pipes (Figure 16) and upload a file named “cscc.dat” (Figure 17). The file is then executed on the remote host over IPC by calling the “svcctl” service.
Figure 14 - SMBv1 request
Figure 15 - Hardcoded username and password combinations
Figure 16 - Hardcoded list of named pipes the malware tries to access
Figure 17 - Writing the file to the ADMIN$ share and using IPC$ to run it
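Detection logic for the host-side behaviours described in the persistence and SMB propagation sections above (the rundll32 load of infpub.dat, the rhaegal and drogon scheduled tasks, the dispci.exe -id launch, and the cscc.dat write to ADMIN$), as an added example that is not part of the original post. The `host|source|text` record format and the sample telemetry are constructed for this example; the indicator strings come only from the command lines and file names quoted above.

```python
import re
from collections import defaultdict

# Command-line and share-access patterns for the Bad Rabbit behaviours described
# in the write-up. Only indicator strings quoted there are used.
RULES = {
    "dll_exec":     re.compile(r"rundll32(?:\.exe)?\s+\S*\\infpub\.dat,#1\b", re.I),
    "task_rhaegal": re.compile(r"schtasks.*?/Create.*?/TN\s+rhaegal\b", re.I),
    "task_drogon":  re.compile(r"schtasks.*?/Create.*?/TN\s+drogon\b.*?shutdown\.exe\s+/r\s+/t\s+0\s+/f", re.I),
    "decrypter":    re.compile(r"\\dispci\.exe['\"]?\s+-id\s+\d+", re.I),
    "smb_drop":     re.compile(r"\\ADMIN\$\\cscc\.dat\b", re.I),
}

def scan(lines):
    """Map host -> set of matched rule names.
    Each record is 'host|source|text' (constructed format), where text is a
    process command line or the share path of a file write. Malformed lines are skipped."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.rstrip("\n").split("|", 2)
        if len(parts) != 3:
            continue
        host, _source, text = parts
        for name, rx in RULES.items():
            if rx.search(text):
                hits[host].add(name)
    return dict(hits)

def triage(hits):
    """A single matched behaviour is 'suspicious'; two or more on one host is
    'likely_infected' (the DLL load, task creation and forced reboot arrive together)."""
    return {h: ("likely_infected" if len(r) >= 2 else "suspicious") for h, r in hits.items()}

# Constructed sample telemetry, not captured from a real incident. The command
# lines mirror those quoted in the write-up; WS03 is a benign schtasks use.
SAMPLE = [
    r"WS01|procmon|C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15",
    r"WS01|procmon|C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start '' 'C:\Windows\dispci.exe' -id 1639747589 && exit'",
    r"WS01|procmon|C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 18:03:00",
    r"FS02|share_audit|\\*\ADMIN$\cscc.dat",
    r"WS03|procmon|C:\Windows\system32\schtasks.exe /Create /SC DAILY /TN NightlyBackup /TR C:\Tools\backup.exe",
    "not a valid record",
]

if __name__ == "__main__":
    found = scan(SAMPLE)
    for host, verdict in sorted(triage(found).items()):
        print(f"{host}: {verdict} ({', '.join(sorted(found[host]))})")
```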
Similarity to ExPetr (NotPetya)
Bad Rabbit shares many similarities with the “ExPetr” malware that spread throughout Europe, and primarily in Ukraine, in late June 2017. According to an Intezer report, approximately 27% of the code in the Bad Rabbit loader is shared with ExPetr, and the Bad Rabbit payload has approximately 13% code reuse with ExPetr. Bad Rabbit drops the file “infpub.dat” into “C:\Windows\”, which parallels the “perfc.dat” file dropped by ExPetr. According to Group-IB researchers, the same “vaccine” technique used to block ExPetr also works for Bad Rabbit and prevents the victim’s files from being encrypted: create the .dat file manually and set it to read-only.
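The vaccine described above, as an added example that is not Group-IB’s or Anomali’s code: it pre-creates the .dat file as an empty, read-only file so the dropper’s own write fails. Assumptions: cscc.dat is created alongside infpub.dat because the post names it as the file Bad Rabbit writes to remote hosts; run_demo() uses a scratch directory in place of the Windows folder; an existing non-empty file is left for incident response rather than overwritten.

```python
import os
import stat
import tempfile

# File names from the write-up: infpub.dat is the DLL the dropper writes to the
# Windows folder, cscc.dat is the file it copies to remote hosts over SMB.
VACCINE_FILES = ("infpub.dat", "cscc.dat")

def vaccinate(windows_dir):
    """Create each vaccine file as an empty, read-only file in windows_dir.
    Returns {filename: status}. Never overwrites: a non-empty file already there
    may be the real malware DLL and is reported instead of being touched."""
    results = {}
    for name in VACCINE_FILES:
        path = os.path.join(windows_dir, name)
        try:
            # O_EXCL makes creation atomic: fail rather than truncate an existing file
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL)
            os.close(fd)
            status = "created"
        except FileExistsError:
            status = ("already_present_empty" if os.path.getsize(path) == 0
                      else "existing_nonempty_investigate")
        if status != "existing_nonempty_investigate":
            # Read-only for everyone; on Windows os.chmod also sets the READONLY attribute
            os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
        results[name] = status
    return results

def is_read_only(path):
    """True when no write bit is set on the file."""
    return not (os.stat(path).st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))

def run_demo():
    """Exercise vaccinate() twice in a scratch directory instead of the real Windows folder."""
    scratch = tempfile.mkdtemp(prefix="badrabbit_vaccine_")
    first = vaccinate(scratch)
    second = vaccinate(scratch)  # idempotent: reports the files as already present
    ro = all(is_read_only(os.path.join(scratch, n)) for n in VACCINE_FILES)
    return {"first": first, "second": second, "read_only": ro}

if __name__ == "__main__":
    print(run_demo())
```

To apply it on a host, call vaccinate() with the Windows folder path from an elevated prompt; the status values tell you whether the files were created, were already in place, or need a closer look.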
At the time of this writing, responders and researchers are still examining the Bad Rabbit attack. Anomali researchers will continue to stay engaged and post updates accordingly.
We have now added a set of Bad Rabbit-specific threat indicators to the Anomali Limo intelligence feed. Limo is a collection of free threat intelligence feeds that supports STIX and TAXII.
You may be familiar with STAXX, our free client for subscribing to any STIX/TAXII threat intelligence source. STAXX now integrates the Limo feed out of the box, giving you instant access to Petya indicators and many more.
Stay up to date with the latest threats by subscribing to our free Weekly Threat Briefing.