Bad Rabbit: Not-Petya is back with improved ransomware

UPDATE (October 27 – 15:35 CEST): A new report suggested that EternalRomance – one of the leaked NSA tools – has been used to spread Diskcoder.D in the network. We were able to confirm this by installing the out-of-life-cycle patch MS17-010 (a patch addressing vulnerabilities misused by the leaked NSA exploits), which stopped the further spread of the malware via IPC share.

A new ransomware outbreak today and has hit some major infrastructure in Ukraine including Kiev metro. Here are some of the details about this new variant.

Drive-by download via watering hole on popular sites

One of the distribution method of Bad Rabbit is via drive-by download. Some popular websites are compromised and have JavaScript injected in their HTML body or in one of their .js files.

Here is a beautified version of the inject:

This script reports the following to 185.149.120[.]3, which doesn’t seem to respond at the moment.

  • Browser User-Agent
  • Referrer
  • Cookie from the visited site
  • Domain name of the visited site

Server side logic can determine if the visitor is of interest and then add content to the page. In that case, what we have seen is that a popup asking to download an update for Flash Player is shown in the middle of the page.

When clicking on the “Install” button, download of an executable file from 1dnscontrol[.]com is initiated. This executable file, install_flash_player.exe is the dropper for Win32/Diskcoder.D.

Finally the computer is locked and the malware shows the ransom note:

The payment page:

Spreading via SMB

Win32/Diskcoder.D has the ability to spread via SMB. As opposed to some public claims, it does not use the EternalBlue vulnerability like the Win32/Diskcoder.C (Not-Petya) outbreak. First, it scans internal networks for open SMB shares. It looks for the following shares:

  • admin
  • atsvc
  • browser
  • eventlog
  • lsarpc
  • netlogon
  • ntsvcs
  • spoolss
  • samr
  • srvsvc
  • scerpc
  • svcctl
  • wkssvc

Mimikatz is launched on the compromised computer to harvest credentials. A hardcoded list of usernames and passwords is also present.

UsernamesPasswords
AdministratorAdministrator
Adminadministrator
GuestGuest
Userguest
User1User
user-1user
TestAdmin
rootadminTest
buhtest
bossroot
ftp123
rdp1234
rdpuser12345
rdpadmin123456
manager1234567
support12345678
work123456789
other user1234567890
operatorAdministrator123
backupadministrator123
asusGuest123
ftpuserguest123
ftpadminUser123
nasuser123
nasuserAdmin123
nasadminadmin123Test123
superusertest123
netguestpassword
alex111111
55555
77777
777
qwe
qwe123
qwe321
qwer
qwert
qwerty
qwerty123
zxc
zxc123
zxc321
zxcv
uiop
123321
321
love
secret
sex
god

When working credentials are found, the infpub.dat file is dropped into the Windows directory and executed through SCManager and rundll.exe.

Encryption

Win32/Diskcoder.D is modified version of Win32/Diskcoder.C. Bugs in file encryption were fixed. The encryption now uses DiskCryptor, an open source legitimate software used to do full drive encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key.

Like before, AES-128-CBC is used.

Distribution

Interestingly, ESET telemetry shows that Ukraine accounts only for 12.2% of the total number of times we have seen the dropper component Here are the statistics:

  • Russia: 65%
  • Ukraine: 12.2%
  • Bulgaria: 10.2%
  • Turkey: 6.4%
  • Japan: 3.8%
  • Other: 2.4%

This pretty much matches the distribution of compromised websites that include the malicious JavaScript. So why does Ukraine seem to be more hit than the rest?

It’s interesting to note that all these big companies were all hit at the same time. It is possible that the group already had a foot inside their network and launched the watering hole attack at the same time as a decoy. Nothing says they fell for the “Flash update”. ESET is still investigating and we will post our finding as we discover them.

Samples

SHA-1FilenameESET Detection nameDescription
79116fe99f2b421c52ef64097f0f39b815b20907infpub.datWin32/Diskcoder.DDiskcoder
afeee8b4acff87bc469a6f0364a81ae5d60a2adddispci.exeWin32/Diskcoder.DLockscreen
413eba3973a15c1a6429d9f170f3e8287f98c21cWin32/RiskWare.Mimikatz.XMimikatz (32-bits)
16605a4a29a101208457c47ebfde788487be788dWin64/Riskware.Mimikatz.XMimikatz (64-bits)
de5c8d858e6e41da715dca1c019df0bfb92d32c0install_flash_player.exeWin32/Diskcoder.DDropper
4f61e154230a64902ae035434690bf2b96b4e018page-main.jsJS/Agent.NWCJavaScript on compromised sites

C&C servers

Payment site: http://caforssztxqzf2nm[.]onion

Inject URL: http://185.149.120[.]3/scholargoogle/

Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

List of compromised sites:

  • hxxp://argumentiru[.]com
  • hxxp://www.fontanka[.]ru
  • hxxp://grupovo[.]bg
  • hxxp://www.sinematurk[.]com
  • hxxp://www.aica.co[.]jp
  • hxxp://spbvoditel[.]ru
  • hxxp://argumenti[.]ru
  • hxxp://www.mediaport[.]ua
  • hxxp://blog.fontanka[.]ru
  • hxxp://an-crimea[.]ru
  • hxxp://www.t.ks[.]ua
  • hxxp://most-dnepr[.]info
  • hxxp://osvitaportal.com[.]ua
  • hxxp://www.otbrana[.]com
  • hxxp://calendar.fontanka[.]ru
  • hxxp://www.grupovo[.]bg
  • hxxp://www.pensionhotel[.]cz
  • hxxp://www.online812[.]ru
  • hxxp://www.imer[.]ro
  • hxxp://novayagazeta.spb[.]ru
  • hxxp://i24.com[.]ua
  • hxxp://bg.pensionhotel[.]com
  • hxxp://ankerch-crimea[.]ru

Author , ESET

Follow us

Copyright © 2018 ESET, All Rights Reserved.