BadRabbit ransomware hits targets within Eastern Europe
As you may have seen in the news, a new ransomware outbreak named BadRabbit reached Eastern Europe this week. Several organisations such as the Kiev Metro and Russian media outlets have been affected by this, with first infections appearing on 24 October 2017. It appears to be mainly spreading through Russia, Ukraine, Bulgaria and Turkey, with research undertaken by NCC Group and other cyber experts showing that there are many similarities between BadRabbit and the NotPetya outbreak in June 2017. This blog will describe the details of what is currently known about the outbreak.
When the victim manually starts install_flash_player.exe, it creates the file C:\Windows\infpub.dat, which is then started using rundll32. The naming is similar to NotPetya. Back then the file was called perfc.dat.
The overall actions performed by infpub.dat is as follows:
- A copy of DiskCryptor dcrypt.sys driver is installed in C:\Windows\cscc.dat and installed as a Windows service called “Windows Client Side Caching DDriver”. A 32bit and 64bit version are included, and installed according to the system architecture.
- The malicious executable dispci.exe is installed in C:\Windows. This executable, in combination with the cscc.dat driver, is responsible for the disk encryption and ransom screen.
- A scheduled task called “rhaegal” (appears to be a reference to the Game of Thrones series) is created that launches the dispci.exe when the user logs on to the computer.
- Another scheduled task called “drogon” is created to shut down the computer.
- Password acquiring happens in a similar manner like NotPetya, with the use of “Mimikatz” (a tool for gathering passwords from Windows systems, for example from memory). Additionally, a list of common used usernames and passwords is also utilized.
- The local network is scanned and infected in a similar manner to NotPetya.
- Regular file encryption happens in a similar manner to NotPetya.
Comparison against the earlier NotPetya outbreak
This variant shares a lot of similarities with NotPetya. The overall program structure is similar, and many of the same actions are performed. The main differences are in the encryption, spreading and payment process.
Differences in spreading
All of the scanning methods are the same as NotPetya. The main difference is in how this variant executes its payload on the target system. NotPetya had 3 methods: PSEXEC, WMIC and using the EternalBlue exploit. This variant appears to have three methods as well, although PSEXEC and EternalBlue are no longer present in this variant. The methods for this variant include WMIC, Remote Service creation and another method involving manually crafted SMB packets. At this time, it appears this latter method attempts to create a service as well, but uses a predefined list of common usernames and passwords for authentication, as well as attempting to use multiple different shares.
Differences in encryption
The individual file encryption routine as it existed in NotPetya is still present. The main difference is that this variant no longer makes use of MBR code to encrypt the MFT. Instead, it now seems to use DiskCryptor to encrypt the disk. The dispci.exe executable is responsible for the encryption process, while cscc.dat is the DiskCryptor driver. The dispci.exe executable is also responsible for writing the custom bootloader to disk, which in turn displays the ransom screen at boot.
Differences in payment
The NotPetya outbreak in June 2017 used a single email address for payment, which was quickly disabled. This variant seems to use a Tor-based payment page, which is more common for ransomware. When the key from the ransom note is submitted on the website, the victim is given a unique Bitcoin address to send their payment to.
Just as with any other ransomware infection, it’s not advisable to pay the ransom. There is no guarantee that the attacker will actually give you the decryption key for your files.
To detect an active infection in the network one of the following IOC’s can be used:
Payment site: caforssztxqzf2nm.onion
Inject URL: 220.127.116.11/scholargoogle/
Distribution URL: 1dnscontrol.com/flash_install.php
IP of 1dnscontrol.com at the time the attack was active: 18.104.22.168
The malware also attempts to access the IPC$ share over SMB, which also be useful as an indicator of compromise. Attempts of running rundll32.exe using WMIC, or installing a new service with rundll32.exe as the executable is also a good indicator.
NCC Group’s Network Threat Monitoring (NTM) sensors currently detect all used spreading methods, also before the outbreak.
Just like with NotPetya, it’s possible to preemptively stop the spreading of this specific ransomware variant by creating some files in the C:\Windows directory. Specifically the “infpub.dat” and “cscc.dat” file, when created with read-only flags are reportedly sufficient to stop the spreading. Please note that this is no fool-proof method, since just like NotPetya, this variant uses the executable name for spreading. It just so happens that infpub.dat is the hardcoded name given by the install_flash_player.exe dropper.
- 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da – install_flash_player.exe – Dropper
- 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 – infpub.dat – Main executable. Spreader and file crypter
- 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806 – cscc.dat – DiskCryptor driver (32bit)
- 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 – cscc.dat – DiskCryptor driver (64bit)
- 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 – dispci.exe – Disk encryption module, communicates with DiskCryptor driver and writes the custom bootloader to disk, which in turn displays the ransom screen at boot.
Published date:  25 October 2017
Written by:  Maarten van Dantzig, Frank Groenewegen and Erik Schamper