On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine.
It bears similarities to the WannaCry and Petya outbreaks earlier this year.
When victims visit the following site, a dropper is downloaded:
hxxp://1dnscontrol[dot]com/flash_install.php
After infection, the victim sees the following screen:
The ransomware is currently charging 0.05 Bitcoin; however, there is no confirmation that paying the ransom will result in a decryption key being provided.
A decryption site at the following .onion (Tor) domain displays the time that victims have left before the price goes up:
caforssztxqzf2nm[.]onion
Price decodes up
Files with the following extensions are encrypted:
.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf .der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key .mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx .php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff .vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.
The BadRabbit execution flow graphic below summarizes the technical details of the subsequent sections.
File:
Original Name | 256hash | Description |
install_flash_player.exe | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da | Dropper |
infpub.dat | 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 | DLL payload |
cscc.dat | 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 | DiskCryptor Driver (x64) |
dispci.exe | 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | DiskCryptor Client |
xxxx.tmp | 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c | Mimikatz (x64) |
xxxx.tmp | 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 | Mimikatz (x32) |
The BadRabbit attack first begins when the victim receives and installs a fake Adobe Flash update.
The malware starts a command-line with following values:
Cmd /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR “C:\Windows\system32\cmd.exe /C Start \”\” \”C:\Windows\dispci.exe\” -id 1082924949 && exit”
“/TN rheagal” refers to a system account with the name rhaegal used to create the scheduled task and start the ransomware file dispci.exe. Rhaegal is likely a reference to a dragon from the popular TV show “Game of Thrones.” In fact, three dragon names—Rhaegal, Viserion, and Drogon—are used in relation to the following scheduled tasks:
The malware then uses the following commands to clear security logs and delete the update sequence number (USN) change journal, which is used to recover files, for example:
Cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
The USN change journal provides a persistent log of all changes made to files on the volume, according to the Microsoft Developer Network. As files, directories, and other NTFS objects are added, deleted, and modified, NTFS enters records into the USN change journal, one for each volume on the computer. Each record indicates the type of change and the object changed. New records are appended to the end of the stream.
We also found a DNS query to ACA807(x)ipt.aol[.]com, in which the “##” is a two-digit hex number from 00-FF ACA807##.ipt.aol[.]com.
Game of Thrones Fans?
It is common for attackers to use pop-culture references in their attacks. These attackers seem to have an interest in “Game of Thrones,” with at least three references to the series. Viserion, Rhaegal, and Drogon are names of scheduled tasks. GrayWorm, the name of a “Game of Thrones” commander, is the product name in the binary’s EXIF data.
Embedded Credentials
secret
123321
zxc321
zxc123
qwerty123
qwerty
qwe321
qwe123
111111
password
test123
admin123Test123
Admin123
user123
User123
guest123
Guest123
administrator123
Administrator123
1234567890
123456789
12345678
1234567
123456
adminTest
administrator
netguest
superuser
nasadmin
nasuser
ftpadmin
ftpuser
backup
operator
other user
support
manager
rdpadmin
rdpuser
user-1
Administrator
There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable:
– 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
– 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
– 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
References:
https://www.endgame.com
https://securingtomorrow.mcafee.com
http://www.bbc.com
https://securelist.com