Updated on October 24, 2017, 9:52 PM PDT to add more technical information
Updated on October 24, 2017, 11:34 PM PDT to add the infection chain
Updated on October 25, 2017, 10:23 PM PDT to update the infection chain
Updated on October 26, 2017, 4:45 AM PDT to update information regarding propagation
Updated on October 26, 2017, 5:45 PM PDT to correct the SMB vulnerability used
Updated on October 30, 2017, 8:34 AM PDT to update the custom exploit of EternalSynergy
Updated on November 3, 2017, 7:49PM PDT to update technical details on MBR encryption
An ongoing ransomware campaign is hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Trend Micro XGen™ security products with machine learning enabled can proactively detect this ransomware as TROJ.Win32.TRX.XXPE002FF019 without the need for a pattern update. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.
Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukranian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.
Initial Analysis
Figure 1: Bad Rabbit Infection Chain
Our initial analysis found that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer “install_flash_player.exe”. Compromised sites are injected with a script that contains a URL that resolves to hxxp://1dnscontrol[.]com/flash_install, which is inaccessible as of the time of publication. We’ve observed some compromised sites from Bulgaria, Estonia, Germany, Hungary, Japan, Slovakia, Ukraine, and Russia used to deliver the fake Flash installer. These sites were visited by users in Japan, Turkey, and Russia, among others.
Figure 2: Code showing the injected script
Once the fake installer is clicked, it will drop the encryptor file infpub.dat using the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine. The ransomware will then proceed to encrypt files in the system and display the ransom note shown above.
Figure 3: Bad Rabbit ransom note showing the installation key
A third file, viserion_23.job, reboots the target system a second time. The system’s MBR is then encrypted and the following note displayed:
Figure 4: Bad Rabbit ransom note displayed after system reboot
Based on our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself in the network using its original name and executing the dropped copies using Windows Management Instrumentation (WMI) and Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it uses dictionary attacks for the credentials.
Among the tools Bad Rabbit reportedly incorporates is the open-source utility Mimikatz, which it uses for credential extraction. We also found evidence of it using DiskCryptor, a legitimate disk encryption tool, to encrypt the target systems.
Bad Rabbit also spreads via the SMB file sharing protocol. It attempts to brute force any administrative shares it finds; if successful it drops a copy of itself into these shares. If these bruteforce attacks fails, it uses an exploit targeting the EternalRomance SMB vulnerability resolved in MS17-010. These vulnerabilities were patched in March of this year.
Custom Exploit
EternalSynergy as well as the other exploits released by the Shadow Brokers, are very versatile in that the same techniques can be applied to different exploits. EternalRomance, EternalChampion, and EternalSynergy, for instance, share common exploit methods. In the case of Bad Rabbit, the exploit’s memory leak uses the same technique as the original EternalSynergy and EternalChampion exploits publicly released by the original Shadow Brokers.
We surmise that the exploit used in Bad Rabbit is a customized version of EternalSynergy, at it shares the same Memory Leak technique that EternalSynergy uses. It is the first of the two main stages involved in Bad Rabbit, as shown below:
Figure 5: Code snippets showing Bad Rabbit’s exploit (left) and the actual EternalSynergy from Shadow Brokers (right) using the same memory leak technique
Mitigation and Best Practices
Users can mitigate the impact of ransomware such as Bad Rabbit with the best practices found in this guide.
Trend Micro Solutions
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense. Further information about Trend Micro solutions can be found in this article.
The following SHA256 hashes are detected as RANSOM_BADRABBIT.A:
- 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Additional hashes related to this ransomware:
install_flash_player.exe:
- 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
infpub.dat:
- 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
- 141d45d650580ed4b0d0fc4b8fd5448da67b30afbe07781da02c39d345a8f4a0
dispci.exe:
- 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93