October 24, 2017
Intel Acquisition Team

Bad Rabbit Ransomware Outbreak in Russia and Ukraine

<h2>Overview</h2><p>On October 24, 2017, security firms and media organization began reporting about an active ransomware campaign that, as of this writing, has primarily targeted entities in Russia and Eastern Europe. The infections are believed to have initiated on October 24 at approximately 12:16 UTC, evidenced by an infected company’s tweet as shown in Figure 1. The ransomware, dubbed “Bad Rabbit,” has infected a number of organizations across Russia and eastern Europe, including the Russian news agency Interfax and machines in the Kiev Metro. The Odessa International airport in Ukraine has also confirmed that it was targeted with a cyber-attack which caused delays in flights, however, it is unclear if this attack is Bad Rabbit. At the time of this writing, the threat actor/group behind this attack is unknown.</p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/IWRbax5VT7KotQXeP7P8"/><br/> <em>Figure 1 - Interfax News stating on Twitter that the servers have failed due to a virus attack</em></p><p>Bad Rabbit is believed to be a variant of the “Diskcoder” ransomware; other sources compare Bad Rabbit to the “Petya/NotPetya/ExPetr” ransomware, and possibly a new variant of Petya. The initial infection vector for the malware is believed to be conducted via compromised Russian websites (drive-by downloads), and a fake Adobe Flash Player installer (Figure 3). Additionally, the ransomware is able to propagate itself through a network via Server Message Block (SMB). If the ransomware infects a machine, the user will be presented with a ransom note with red letters on reboot. Interestingly, this is the same format used for the Petya attacks in June 2017. The actor/group requests 0.05 bitcoins (BTC) (approximately $286.29 USD) for the decryption key. Furthermore, the ransom note depicts a countdown, beginning at 40 hours, that indicates the time a user has to pay the ransom before the price increases.</p><h3>Countries with Bad Rabbit Infections</h3><ul><li><strong>Bulgaria</strong></li><li><strong>Germany</strong></li><li><strong>Russia</strong></li><li><strong>Turkey</strong></li><li><strong>Ukraine</strong></li></ul><h3>Affected Organizations</h3><ul><li><strong>Fontanka.ru</strong></li><li><strong>Interfax News</strong></li><li><strong>Kiev Metro</strong></li><li><strong>Ministry of Infrastructure of Ukraine</strong></li><li><strong>Odessa International Airport</strong></li></ul><h2>Analysis</h2><h3>Infection Vector</h3><p>It appears that the ransomware dropper was delivered by drive-by downloads on a number of compromised legitimate sites. All compromised sites were news and media websites. A pop-up displays that an update for “Adobe Flash” is available, with an install button. The dropper downloads from “http://1dnscontrol[.]com/flash_install.php”. The download is a Windows executable file with a Flash icon, as shown in Figure 2. The dropper is signed with two invalid digital certificates, masquerading as certificates issued by “Symantec Corporation” (Figure 3). Figure 4 shows some details extracted from the sample.</p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/mTHeua9Tr2fWqo89qWmb"/><br/> <em>Figure 2 - Dropper with Flash Icon</em></p><p style="text-align: center;"><em><img alt="" src="https://cdn.filestackcontent.com/NcRacSCETX6l98zD3fEJ"/><br/> Figure 3 - Digital Certificate used on Dropper</em></p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/4Q1ZDlkQsHJCM4kuml0g"/><br/> <em>Figure 4 - Details for Fake Adobe Flash Player Installer</em></p><h3>Ransomware</h3><p>The dropper creates a file called “infpub.dat” in the Windows folder. This file is a DLL file which is executed by the dropper by creating the process <code>“C:WindowsSysWOW64 undll32.exe C:Windowssystem32 undll32.exe C:Windowsinfpub.dat,#1 15”</code>. This DLL performs most of the actions. The ransomware targets and encrypts files with the following file extensions:</p><ul><li>3ds, 7z, accdb, ai, asm, asp, aspx, avhd, back, bak, bmp, brw, c, cab, cc, cer, cfg, conf, cpp, crt, cs, ctl, cxx, dbf, der, dib, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, hpp, hxx, iso, java, jfif, jpe, jpeg, jpg, js, kdbx, key, mail, mdb, msg, nrg, odc, odf, odg, odi, odm, odp, ods, odt, ora, ost, ova, ovf, p12, p7b, p7c, pdf, pem, pfx, php, pmf, png, ppt, pptx, ps1, pst, pvi, py, pyc, pyw, qcow, qcow2, rar, rb, rtf, scm, sln, sql, tar, tib, tif, tiff, vb, vbox, vbs, vcb, vdi, vfd, vhd, vhdx, vmc, vmdk, vmsd, vmtm, vmx, vsdx, vsv, work, xls, xlsx, xml, xvd, zip.</li></ul><p>Once the encryption process is finished, Bad Rabbit drops the decrypter (details from the file are shown in Figure 5) at “C:Windowsdispci.exe” and creates a scheduled task to ensure that the malware is executed when the machine is booted. The added scheduled task is shown in Figure 6. The task is created by the execution of the following command:</p><pre> “C:WindowsSysWOW64schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:Windowssystem32cmd.exe /C Start '' 'C:Windowsdispci.exe' -id 1639747589 &amp;&amp; exit'”.</pre><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/DPfBafiTCejmm7PD0BdQ"/><br/> <em>Figure 5 - Details for the decrypter dropped by the malware</em></p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/njjLlc2USTizMwIVsGKl"/><br/> <em>Figure 6 - Scheduled task for executing the decrypter at startup</em></p><p>The ID is different for each infected machine. The task is named “rhaegal,” which is the name of one of the dragons in the television show Game of Thrones. The decrypter removes the scheduled task once it is started. This can be seen in Figure 7.</p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/SAdqzyxDRIK3WVHOfU42"/><br/> <em>Figure 7 - The beginning of the decrypter’s Main Function</em></p><p>Bad Rabbit will also ensure the machine is restarted approximately 15 minutes after the infection by creating another scheduled task as shown in Figure 8. The task is added by the following command:</p><pre> “C:WindowsSysWOW64cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:Windowssystem32shutdown.exe /r /t 0 /f' /ST 18:03:00.”</pre><p>The timestamp is dependant on when the malware was executed. This task is named “drogon,” which is also the name of one of the dragons in Game of Thrones.</p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/PDCdsB1uSD2mnZrvZwlK"/><br/> <em>Figure 8 - Scheduled task for restarting the machine</em></p><h3>Ransom Website</h3><p>The ransom website is hosted on an “.onion” domain, specifically “caforssztxqzf2nm[.]onion,” and can only be accessed via the Tor network. It shows a colorful animation of text “decrypting” (Figure 9) which reveals instructions for a victim to enter their personal installation code given in the ransom note. After following instructions the victim will then be assigned a bitcoin wallet address to deposit the ransom money for the actors. The assigned address is also used to verify that the payment has been made and to receive a decryption password according to the instructions (Figure 10). The website was prepared at least a few days in advance of the attack because the “Last Modified” property of the “index.html” page of the hidden service is at Thursday, October 19, as shown in Figure 11.</p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/mTRiPzWRBi0d9WzJJrfL"/><br/> <em>Figure 9 - Fake text decryption animation</em></p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/uDMtTzzYRnqnK3ucGEai"/><br/> <em>Figure 10 - Bad Rabbit ransom payment hidden service</em></p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/DEiTHvhOTXtnJPikwILg"/><br/> <em>Figure 11 - Last Modified property of the index.html file of the hidden service</em></p><h3>Lateral Movement</h3><p>Bad Rabbit uses DHCP to find other machines on the same subnet (Figure 12). For each IP address on the network the malware checks if the host either has port 445 or 139 open (Figure 13) by opening a network socket to the port.</p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/OeIjocG8SFy5rPUYwxMX"/><br/> <em>Figure 12 - Bad Rabbit uses DHCP to enumerate machines on the subnet</em></p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/9Hk8Bc3fSWClhmxWzFzI"/><br/> <em>Figure 13 - Port checking by opening sockets to port 445 and 139</em></p><p>If the ports are open, Bad Rabbit will try to authenticate to the machine over SMBv1 (Figure 14) using usernames and passwords it extracted from the host using “Mimikatz” and using a list of hardcoded usernames and passwords (Figure 15). Using the credentials, it tries to connect to a set of named pipes (Figure 16) and upload a file named “cscc.dat” (Figure 17). The file is executed on the remote host using IPC by calling the “svcctl” service.</p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/IK1TQ5PQFWJGgjN7EmUW"/><br/> <em>Figure 14 - SMBv1 request</em></p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/qvDsl0XxQRy3FRA6Lm6A"/><br/> <em>Figure 15 -</em><em>Hard coded</em><em> username and password combinations</em></p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/k8yWLfc5RBap8C980wfI"/><br/> <em>Figure 16 - Hard coded list of named pipes the malware tries to access</em></p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/NGtAdYegSEqRQbrOdE7S"/><br/> <em>Figure 17 - Writing the file to the ADMIN$ share and uses $IPC to run it</em></p><h3>Similarity to ExPetr (NotPetya)</h3><p>Bad Rabbit shares many similarities with the “ExPetr” malware that spread throughout Europe and primarily in Ukraine in late June 2017. Approximately 27% of the code in the loader of Bad Rabbit is shared with ExPetr and the Bad Rabbit payload has approximately 13% code reuse with ExPetr according to an Intezer report. The Bad Rabbit ransomware drops a file “infpub.dat,” to “C:/Windows/,” which is similar to the “perfc.dat” file dropped by ExPetr. According to Group-IB researchers, the same “vaccine” technique used to block ExPetr can also be used for Bad Rabbit to prevent the victim from getting their files encrypted, which involves creating the .dat file manually and setting to read only.</p><h2>Conclusion</h2><p>At the time of this writing, responders and researchers are still examining the Bad Rabbit attack. Anomali researchers will continue to stay engaged and post updates accordingly.</p><p>We have now added a set of Bad Rabbit-specific threat indicators to the Anomali Limo intelligence feed. Limo is a collection of free threat intelligence feeds that supports STIX and TAXII. <a href="https://www.anomali.com/community/limo">Get more information</a>.</p><p>You may be familiar with STAXX - our free client for subscribing to any STIX/TAXII threat intelligence source. STAXX now integrates the Limo feed out-of-the-box - giving you instant access to Petya indicators, and many more. <a href="https://www.anomali.com/community/staxx">Download STAXX free</a>.</p><p>Stay up to date with the latest threats by subscribing to our free Weekly Threat Briefing. <a href="https://www.anomali.com/community/weekly-threat-briefing">Subscribe now</a>.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.