Down the Bad Rabbit Hole

Update 2017-10-27 1:30pm EDT: Multiple researchers are reporting an exploit in the BadRabbit sample that is largely based on the EternalRomance exploit published in the ShadowBrokers leak.

On October 24, 2017, STEALTHbits was alerted to a ransomware campaign spreading across Eastern Europe and Russia. There are reports that the infection leverages EternalBlue, the exploit generally believed to have been developed by the U.S. National Security Agency (NSA); however, there is no evidence to support those claims. Bad Rabbit does, however, appear to be related to the Nyetya ransomware variant that appeared earlier this year.

How Bad Rabbit Operates

The origins of the infections have been traced to a fake Flash Player installer delivered via a drive-by download. This means that users have to interact with the malware and actually execute the payload themselves; this infection does not use any exploit to compromise the system directly. Once a machine is infected, the malware takes the following actions:

  • Attempts to spread via SMB by scanning for internal open shares.
  • Launches Mimikatz on the compromised computer to harvest credentials. A hardcoded list of usernames and passwords is also present.
  • DiskCryptor, legitimate open-source full-drive encryption software, is then used to encrypt files with a key generated by CryptGenRandom and protected by a hardcoded RSA-2048 public key. Encrypted files have the extension .encrypted.
  • Two scheduled tasks are created: one to execute dispci.exe and another to reboot the infected machine at a later time.
  • The Master Boot Record (MBR) is altered to redirect the boot process into the malware author's code, which displays a ransom note.

Interactive analysis of Bad Rabbit: https://app.any.run/tasks/9198fd01-5898-4db9-8188-6ad2ad4f0af3

Associated files:

SHA-1                                     Filename                  Description
79116fe99f2b421c52ef64097f0f39b815b20907  infpub.dat                Diskcoder
afeee8b4acff87bc469a6f0364a81ae5d60a2add  dispci.exe                Lockscreen
413eba3973a15c1a6429d9f170f3e8287f98c21c                            Mimikatz (32-bit)
16605a4a29a101208457c47ebfde788487be788d                            Mimikatz (64-bit)
de5c8d858e6e41da715dca1c019df0bfb92d32c0  install_flash_player.exe  Dropper
4f61e154230a64902ae035434690bf2b96b4e018  page-main.js              JavaScript on compromised sites
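As an added example (this is not code from the STEALTHbits post), the following PowerShell sweeps a single host for the indicators above: files whose SHA-1 matches the table, the three scheduled task names the post lists under protections (viserion_, rhaegal, drogon), the C:\Windows\infpub.dat drop path, and files carrying the .encrypted extension. The scan roots, recursion depth and file-size cap are assumptions chosen to keep the sweep cheap; the script only reports and changes nothing on the machine.

```powershell
# Added example, not part of the STEALTHbits post. Read-only sweep for the
# Bad Rabbit indicators named in the post; scan roots and limits are assumed.
$IoCHashes = @{   # SHA-1 values from the post's table (hashtable keys are case-insensitive)
    '79116fe99f2b421c52ef64097f0f39b815b20907' = 'infpub.dat (Diskcoder)'
    'afeee8b4acff87bc469a6f0364a81ae5d60a2add' = 'dispci.exe (Lockscreen)'
    '413eba3973a15c1a6429d9f170f3e8287f98c21c' = 'Mimikatz (32-bit)'
    '16605a4a29a101208457c47ebfde788487be788d' = 'Mimikatz (64-bit)'
    'de5c8d858e6e41da715dca1c019df0bfb92d32c0' = 'install_flash_player.exe (Dropper)'
    '4f61e154230a64902ae035434690bf2b96b4e018' = 'page-main.js (JavaScript on compromised sites)'
}
$TaskNames = @('viserion_', 'rhaegal', 'drogon')                          # task names from the post
$ScanRoots = @($env:SystemRoot, $env:TEMP, "$env:USERPROFILE\Downloads")  # assumed locations
$MaxBytes  = 50MB                                                         # assumed cap on files hashed

function Find-BadRabbitFiles {
    param([string[]]$Roots, [hashtable]$Hashes, [long]$Limit)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Only the extensions that appear in the IoC table, a few levels deep (assumed)
        Get-ChildItem -LiteralPath $root -File -Recurse -Depth 2 -ErrorAction SilentlyContinue |
            Where-Object { ($_.Extension -in @('.dat', '.exe', '.js')) -and ($_.Length -le $Limit) } |
            ForEach-Object {
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue
                if ($h -and $Hashes.ContainsKey($h.Hash.ToLower())) {
                    [pscustomobject]@{ Indicator = 'FileHash'; Detail = $Hashes[$h.Hash.ToLower()]; Path = $_.FullName }
                }
            }
    }
}

function Find-BadRabbitTasks {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # Get-ScheduledTask comes from the ScheduledTasks module (Windows 8 / Server 2012 and later)
        $t = Get-ScheduledTask -TaskName $n -ErrorAction SilentlyContinue
        if ($t) { [pscustomobject]@{ Indicator = 'ScheduledTask'; Detail = $n; Path = $t.TaskPath } }
    }
}

function Find-BadRabbitArtifacts {
    # Drop path named in the post; a read-only copy may be a defender's kill switch rather than an infection
    $drop = Join-Path $env:SystemRoot 'infpub.dat'
    if (Test-Path -LiteralPath $drop) {
        $note = if ((Get-Item -LiteralPath $drop).IsReadOnly) { 'infpub.dat present, read-only (kill switch?)' }
                else { 'infpub.dat present and writable' }
        [pscustomobject]@{ Indicator = 'DropPath'; Detail = $note; Path = $drop }
    }
    # Extension the post says is applied to encrypted files; first few hits under the profile (assumed root)
    $enc = Get-ChildItem -LiteralPath $env:USERPROFILE -File -Recurse -Filter '*.encrypted' -ErrorAction SilentlyContinue |
        Select-Object -First 5
    foreach ($f in $enc) {
        [pscustomobject]@{ Indicator = 'EncryptedFile'; Detail = '.encrypted extension'; Path = $f.FullName }
    }
}

$findings = @(Find-BadRabbitFiles -Roots $ScanRoots -Hashes $IoCHashes -Limit $MaxBytes) +
            @(Find-BadRabbitTasks -Names $TaskNames) +
            @(Find-BadRabbitArtifacts)
if ($findings.Count -eq 0) { Write-Output 'No Bad Rabbit indicators found on this host' }
else { $findings | Format-Table -AutoSize }
```

Hash matching is limited to the extensions in the table and to files under the size cap so the sweep stays fast; widen $ScanRoots or drop the filter when investigating a host you already suspect. A read-only infpub.dat is flagged separately because the kill switch described later in the post places exactly that file.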

Conclusions and Protections

Whether it's possible to get back files encrypted by Bad Rabbit (either by paying the ransom or through an available decryptor) isn't yet known. The bitcoin wallets of the attackers have only a combined 3 transactions at the time of this writing (1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM | 17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2).

There are several actions that you can take to protect your environment:

  • Create a kill switch by creating C:\windows\infpub.dat as a read-only file. Should a machine become infected, this will short-circuit the encryption process.
  • Restrict the scheduled tasks named viserion_, rhaegal and drogon.
  • Restrict local admin access to workstations.
  • Eliminate, reduce or lock down open shares.
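The kill switch and scheduled-task items from the list above, as an added PowerShell example (not the post's or STEALTHbits' code). It creates C:\Windows\infpub.dat, the path the post names, with the read-only attribute set; the optional deny ACE for writes and deletes is my own addition beyond what the post asks for. It then disables any of the three named tasks that already exist, and lists non-administrative SMB shares that grant Everyone an Allow right so the open-share item can be reviewed. Run it from an elevated prompt.

```powershell
# Added example, not part of the STEALTHbits post. Applies the kill switch and
# scheduled-task restriction described above; run from an elevated prompt.
$KillSwitch = Join-Path $env:SystemRoot 'infpub.dat'   # path named in the post
$TaskNames  = @('viserion_', 'rhaegal', 'drogon')      # task names from the post

function Set-BadRabbitKillSwitch {
    param([string]$Path, [switch]$DenyWrite)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null   # zero-byte placeholder
    }
    # The post asks for a read-only file: set the ReadOnly attribute
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    if ($DenyWrite) {
        # Assumption beyond the post: a deny ACE so the attribute cannot simply be cleared.
        # Deny entries bind administrators too, so remove the ACE (or take ownership)
        # before deleting the file during cleanup.
        $acl  = Get-Acl -LiteralPath $Path
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Everyone', 'Write, Delete', 'Deny'
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    Get-Item -LiteralPath $Path | Select-Object FullName, IsReadOnly, Length
}

function Disable-BadRabbitTasks {
    # "Restrict" is read here as: disable the task if it is already registered
    param([string[]]$Names)
    foreach ($n in $Names) {
        $t = Get-ScheduledTask -TaskName $n -ErrorAction SilentlyContinue
        if ($t) {
            Disable-ScheduledTask -TaskName $n -TaskPath $t.TaskPath | Out-Null
            Write-Output "Disabled scheduled task '$n' in $($t.TaskPath)"
        }
        else { Write-Output "Scheduled task '$n' not present" }
    }
}

function Get-OpenShares {
    # Non-special shares (skips C$, ADMIN$, IPC$) where Everyone holds an Allow right
    Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Right = $_.AccessRight } }
    }
}

Set-BadRabbitKillSwitch -Path $KillSwitch -DenyWrite
Disable-BadRabbitTasks -Names $TaskNames
Get-OpenShares | Format-Table -AutoSize
```

Share permissions are only half of the picture, since NTFS permissions on the underlying folder also apply; the share listing is a starting point for the review, not a verdict. Drop the -DenyWrite switch if you want the file to stay removable with a plain attrib change.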

STEALTHbits customers should take the following actions:

  • Check the local admin report to see which machines have privileges to execute the payload locally and, where possible, revoke those privileges.
  • Check the open shares report to see areas of the network that can be used to spread the infection
  • StealthINTERCEPT customers should enable Horizontal Movement Analytics as well as monitor and preferably block privilege escalation activities.

Beyond the loss of data to ransomware we at STEALTHbits have our concerns whenever we observe malware harvesting credentials and leveraging tools such as Mimikatz to widen its reach. If you are a regular follower of our blogs you know that we have extensively covered the damage that can be done with Mimikatz and similar tools.
