Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Bad Rabbit – A new Petya ransomware variant

image
DEEPEN DESAI
October 24, 2017 - 3 min read

Please join our webcast for additional details regarding this attack.

Updated - October 25, 2017

Introduction

Almost four months after the last major outbreak, we are seeing a new variant of Petya ransomware dubbed "Bad Rabbit," and it's impacting multiple businesses, primarily in Russia and Ukraine. There have also been reports of businesses impacted in Germany, Turkey, and other countries. The ransomware payload contains a self-propagation module designed to perform lateral movement across the corporate network upon successful infection, which makes this threat highly virulent. The initial infection vector appears to be two Russian news agency sites : fontanka[.]ru and interfax[.]ru. [UPDATE] We have found several other news and media sites (Russian, Bulgarian, Japanese, and others) that were compromised, leading users to a fake Flash Player installer payload.

Image

Figure 1 - Bad Rabbit outbreak overview

 

Bad Rabbit ransomware analysis

Image

Figure 2 - Infection cycle [UPDATE: multiple other compromised Russian news and media sites were also part of this campaign]

We saw multiple instances from this outbreak in the Zscaler cloud, and the new ransomware payload was flagged as malicious by the Zscaler Cloud Sandbox module. For this blog, we will analyze the attack cycle where the user was redirected from the fontanka[.]ru news site to another compromised site, as shown in Figure 2, which serves the ransomware executable payload.

Users visiting one of the compromised sites (on the day of outbreak) were prompted by a Flash update screen as shown below:

Image

Figure 3 - Fake Adobe Flash Player update prompt

Once a user clicks the INSTALL button, the ransomware executable will be downloaded on the victim's machine. The payload will masquerade as Adobe Flash Player setup using the Adobe Flash installer icon, as shown below:

Image

Figure 4 - Executable using fake icon

The executable payload is also signed using a fake certificate as shown below:

Image

Figure 5 - Fake Symantec-issued certificate [NOT A LEGITIMATE CERTIFICATE]

The fake Flash Player installer drops the main payload DLL file as "infpub.dat" in the Windows directory and executes it with the following arguments:

“C:\windows\system32\rundll32.exe c:\windows\infpub.dat,#1 15”

File Encryption

Infpub.dat is responsible for enumerating files on the infected system and encrypting any files that contain the following extension:

Image

Figure 6 - File extensions targeted by Bad Rabbit

Bad Rabbit ransomware leverages AES encryption and uses CryptEncryptA API to encrypt the files on the infected machine. Unlike many other ransomware families, Bad Rabbit does not change the extension of the encrypted files; instead, the ransomware payload relies on a unicode string marker – "encrypted" – that is appended at the end of all the files that are encrypted.

Image

Figure 7 - Encrypted file marker

Lateral movement

The ransomware contains a list of commonly used username and passwords embedded in the payload. The payload will scan the internal network for any reachable SMB shares and will perform brute force authentication using the stored credentials. 

network_password.PNG

Figure 8 - Bad Rabbit embedded username and password list

trying_stored_passwors.PNG

Figure 9 - Brute Force login attempts to spread laterally

Upon successful infection, the system will reboot and the end user will see the dreadful ransom screen:

Image

Figure 10 - Bad Rabbit ransom note

The onion site requests the user's personal installation key, so the user may receive the ransom amount and further instructions:

Image

Figure 11 - Onion site for ransom payment instructions

Zscaler ThreatLabZ is actively monitoring this threat and will continue to ensure coverage for Zscaler customers. We will continue to update this blog with additional information as we further analyze the payloads. 

Indicators of Compromise

MD5 hashes

fbbdc39af1139aebba4da004475e8839

b14d8faf7f0cbcfad051cefe5f39645f (dropped file)

Compromised intermediate site

1dnscontrol[.]com

Zscaler Coverage

Advanced Threat Signatures

  • Malurl.Gen.XO
  • mal/generic-s.z
  • win32.ransom.diskcoder

Cloud Sandbox report

Image

Image
 

 

 

 

 

 

form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.