Rough summary of developing BadRabbit info git@roycewilliams

Oct 25th, 2017
Rough summary of developing BadRabbit info
------------------------------------------

BadRabbit is locally self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
Requires user interaction.
Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
Not globally self-propagating, but could be inflicted on selected targets on purpose.
Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).

Initial infection:

Poses as fake Flash update.
https://twitter.com/jiriatvirlab/status/922835700873158661/photo/1
https://twitter.com/darienhuss/status/922847966767042561
Watering-hole-style / drive-by likely, but may also be selectively targeted.
Beaumont (GossiTheDog) suspects supply-chain tampering or injection (it appears to be self-limiting with shutdown, etc.)

Targets/victims

Mostly affecting .ru/.ua so far. Media outlets, transportation, gov may have been early targets.
Watering holes in Germany, Turkey, Bulgaria, Montenegro.
Avast says also Poland and South Korea?
Avast says some US infections have been detected, but no details yet; McAfee says no US infections detected yet
https://twitter.com/avast_antivirus/status/922941896439291904
https://twitter.com/SteveD3/status/922964771967848449
Map (indirectly sourced from Avast PR?)
https://twitter.com/Bing_Chris/status/922932810725326848

List of targeted file extensions:
Image Tweet: https://twitter.com/craiu/status/922877184494260227
Text: https://pastebin.com/CwZfyY2F

Components and methods:

Using legit signed DiskCryptor binary to encrypt.
Creates scheduled task to reboot the target system.
May be using EternalBlue (or at least triggers controls that are watching for its use?); Unit 42 sees no sign of this.
Incorporates stripped-down Mimikatz to discover credentials for propagation.
https://twitter.com/gentilkiwi/status/922945304172875778
Overwrites MBR to deliver ransom message.
Ransom message directs users to Tor-based (.onion) site.
Gives a "please turn off antivirus" user message in some circumstances.

Also spreads via SMB and WebDAV - locally self-propagating
https://twitter.com/GossiTheDog/status/922875805033730048

Also uses this hard-coded list of creds:
https://pastebin.com/01C05L0C
https://twitter.com/MaartenVDantzig/status/922854232176422912

C:\WINDOWS\cscc.dat == DiskCryptor (block execution to inoculate?)
https://www.virustotal.com/#/file/682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806/details

C:\Windows\infpub.dat == #BADRABBIT pushed laterally (block execution to inoculate?)
Creating a read-only version of this file may halt infection; more below
https://twitter.com/0xAmit/status/922886907796819968

Analysis of flash_install.php component
https://www.hybrid-analysis.com/sample/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da?environmentId=100

Video of action:
https://twitter.com/GossiTheDog/status/922858264534142976

Apparently clears Windows logs and the filesystem journal, per ESET

May incorporate copy-and-pasted Microsoft cert/signing?
https://twitter.com/gN3mes1s/status/922907460842721281
@mattifestation PS script to search for other use:
https://gist.github.com/mattifestation/f76c64e87daa40f0d740cb037e575e96
https://gist.github.com/mattifestation/225c9b4e38b5d11a488bf5c1ccda99cb

Also installs a keylogger? [source?]
(The Register mentions this third-hand)

Wipes boot sector and puts kernel at the end of the drive?

C&C and payload domains were set up well in advance:
https://twitter.com/mrjohnkelly73/status/922899328636735488
https://twitter.com/craiu/status/922911496497238021

Unlike NotPetya, confirmed to be decrypt-ready:
https://twitter.com/antonivanovm/status/922944062935707648 (Kaspersky)

13% code reuse with NotPetya
https://analyze.intezer.com/#/analyses/d41e8a98-a106-4b4f-9b7c-fd9e2c80ca7d

May be a variant of Diskcoder, per ESET

LIVE SAMPLE (see tweet for password, use at your own risk):
https://twitter.com/gentilkiwi/status/922944766161154053

Still contains link to external debugging symbols file (.pdb) [can this be manipulated?] (@malwareunicorn):
https://twitter.com/malwareunicorn/status/923009391770533888

Pop-culture references contained:
Game of Thrones dragons (Drogon, Rhaegal)
Hackers movie (bottom of list of hard-coded passwords)

Detection:
Yara rule (from a McAfee lead engineer)
https://pastebin.com/Y7pJv3tK

IOCs (via ESET)

SHA1                                      Filename                  Detection                   Role
79116fe99f2b421c52ef64097f0f39b815b20907  infpub.dat                Win32/Diskcoder.D           Diskcoder
afeee8b4acff87bc469a6f0364a81ae5d60a2add  dispci.exe                Win32/Diskcoder.D           Lockscreen
413eba3973a15c1a6429d9f170f3e8287f98c21c                            Win32/RiskWare.Mimikatz.X   Mimikatz (32-bit)
16605a4a29a101208457c47ebfde788487be788d                            Win64/Riskware.Mimikatz.X   Mimikatz (64-bit)
de5c8d858e6e41da715dca1c019df0bfb92d32c0  install_flash_player.exe  Win32/Diskcoder.D           Dropper
4f61e154230a64902ae035434690bf2b96b4e018  page-main.js              JS/Agent.NWC                JavaScript on compromised sites
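Added example (not from the paste or from ESET): a read-only PowerShell triage pass that checks a suspect host for the file names and SHA1 hashes in the table above, then lists recently registered scheduled tasks (the dropper creates one to reboot). It assumes the components land under $env:SystemRoot as the paste describes; the hashes are the ESET values listed above.

```powershell
# Added example, not from the original paste or ESET: read-only host triage against the
# ESET file names and SHA1 hashes listed above. Run elevated; assumes the dropped
# components land under $env:SystemRoot (C:\Windows) as the paste describes.
$iocs = @{
    '79116fe99f2b421c52ef64097f0f39b815b20907' = 'infpub.dat (Win32/Diskcoder.D, Diskcoder)'
    'afeee8b4acff87bc469a6f0364a81ae5d60a2add' = 'dispci.exe (Win32/Diskcoder.D, Lockscreen)'
    '413eba3973a15c1a6429d9f170f3e8287f98c21c' = 'Mimikatz 32-bit (Win32/RiskWare.Mimikatz.X)'
    '16605a4a29a101208457c47ebfde788487be788d' = 'Mimikatz 64-bit (Win64/Riskware.Mimikatz.X)'
    'de5c8d858e6e41da715dca1c019df0bfb92d32c0' = 'install_flash_player.exe (Dropper)'
}
$candidates = @(
    "$env:SystemRoot\infpub.dat",
    "$env:SystemRoot\cscc.dat",
    "$env:SystemRoot\dispci.exe"
)

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force
    if ($item.Length -eq 0) {
        # A zero-byte file here is the vaccination placeholder (see Defense), not the payload
        "{0}: zero-byte placeholder (host likely vaccinated)" -f $path
        continue
    }
    $sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLower()
    if ($iocs.ContainsKey($sha1)) {
        "MATCH   {0}: {1}" -f $path, $iocs[$sha1]
    } else {
        # cscc.dat is the legit signed DiskCryptor driver, so an unknown hash alone is
        # not proof of infection; record it together with the Authenticode status
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
        "PRESENT {0}: sha1={1} signature={2}" -f $path, $sha1, $sig
    }
}

# The dropper registers a scheduled task to reboot the host; surface tasks
# registered in the last day for manual review
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-1) } |
    Select-Object TaskName, TaskPath, Author, Date
```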

Defense
(via @GossiTheDog):
* block inbound SMB
* use Credential Guard in Windows
* control # of admins
* monitor scheduled tasks and service creation

Vaccination: https://twitter.com/0xAmit/status/922911491694694401
** Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat
** remove ALL PERMISSIONS (inheritance) and you are now vaccinated. :)

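Added example (not from the paste or from @0xAmit): a PowerShell script that carries out the two vaccination steps above (create both files, strip every permission including inherited ones) and then verifies the result. It assumes an elevated session and that Windows lives at $env:SystemRoot, i.e. C:\Windows as in the paste.

```powershell
# Added example, not from the original paste: applies the @0xAmit vaccination
# (create both files, then remove every permission) and verifies the result.
# Assumes an elevated session; paths follow the paste ($env:SystemRoot = C:\Windows).
$files = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Zero-byte placeholder: the dropper's write/execute now hits an existing, locked file
        New-Item -ItemType File -Path $path | Out-Null
    }

    # Set read-only first (the "read-only version" idea noted earlier for infpub.dat);
    # once the ACL is emptied, even an admin cannot change attributes without taking ownership
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

    $acl = Get-Acl -LiteralPath $path
    # Disable inheritance and discard the inherited entries ($true, $false) ...
    $acl.SetAccessRuleProtection($true, $false)
    # ... then drop every explicit entry so no principal holds any right
    foreach ($ace in @($acl.Access)) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verification: each file exists and carries zero access entries
# (the owner keeps implicit READ_CONTROL/WRITE_DAC, so this still works when elevated)
foreach ($path in $files) {
    $aces = (Get-Acl -LiteralPath $path).Access.Count
    "{0}: exists={1} aces={2}" -f $path, (Test-Path -LiteralPath $path), $aces
}
```

To undo later, the owner (normally the Administrators group) can re-add an ACE with Set-Acl because WRITE_DAC is implicit for the owner.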
Other ideas:
* Disable WMI where feasible

Money trail
Bitcoin addresses (h/t: @SteveD3)
https://blockchain.info/address/1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM
https://blockchain.info/address/17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2Z

Coverage and news

ESET (very good tech coverage):
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back-improved-ransomware/

The Register (good tech summary):
https://www.theregister.co.uk/2017/10/24/badrabbit_ransomware/

Steve Ragan article (excellent, being updated rapidly)
https://www.csoonline.com/article/3234691/security/badrabbit-ransomware-attacks-multiple-media-outlets.html

Watch @GossiTheDog on Twitter for updates.
https://twitter.com/GossiTheDog

Palo Alto analysis (Unit 42):
https://researchcenter.paloaltonetworks.com/2017/10/threat-brief-information-bad-rabbit-ransomware-attacks/
... and Palo Alto protections:
https://researchcenter.paloaltonetworks.com/2017/10/palo-alto-networks-protections-bad-rabbit-ransomware-attacks/

Group-IB (first to alert/discover):
https://www.group-ib.com/blog/badrabbit

Microsoft malware entry
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Tibbar.A

Kaspersky:
https://www.kaspersky.com/blog/bad-rabbit-ransomware/19887/
https://securelist.com/bad-rabbit-ransomware/82851/

McAfee:
https://securingtomorrow.mcafee.com/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/

Cisco/Talos:
http://blog.talosintelligence.com/2017/10/bad-rabbit.html

Motherboard article:
https://motherboard.vice.com/en_us/article/59yb4q/bad-rabbit-petya-ransomware-russia-ukraine

BleepingComputer article:
https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/

AlienVault matrix:
https://otx.alienvault.com/pulse/59ef5e053db003162704fcb2/

US-CERT notice:
https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported

Threatpost:
https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/

The Hacker News:
https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html

PC Magazine:
https://www.pcmag.com/news/356977/badrabbit-ransomware-targets-systems-in-russia-ukraine

Cybereason (vaccine approach):
https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware

MIT Technology Review:
https://www.technologyreview.com/the-download/609206/a-new-strain-of-ransomware-is-hitting-eastern-europe/

Malwarebytes (@hasherezade)
https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/

Qualys:
https://threatprotect.qualys.com/2017/10/24/bad-rabbit-ransomware/
https://blog.qualys.com/news/2017/10/24/bad-rabbit-ransomware

Hackplayers (Spanish - in fact, it looks like they translated an earlier version of my document!)
http://www.hackplayers.com/2017/10/badrabbit-que-es-lo-que-hay-que-saber-de-momento.html