i ‘BadRabbit’ Ransomware – All things in moderation

‘BadRabbit’ Ransomware

On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine.

It bears similarities to the WannaCry and Petya outbreaks earlier this year.

When victims visit the following site, a dropper is downloaded:
hxxp://1dnscontrol[dot]com/flash_install.php

After infection, the victim sees the following screen:

The ransomware is currently charging 0.05 Bitcoin; however, there is no confirmation that paying the ransom will result in a decryption key being provided.

A decryption site at the following .onion (Tor) domain displays the time that victims have left before the price goes up:
caforssztxqzf2nm[.]onion

Price decodes up

Files with the following extensions are encrypted:
.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf .der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key .mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx .php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff .vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.

The BadRabbit execution flow graphic below summarizes the technical details of the subsequent sections.

File:

Original Name  256hash Description
install_flash_player.exe  630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da Dropper
infpub.dat 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 DLL payload
cscc.dat 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 DiskCryptor Driver (x64)
dispci.exe 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 DiskCryptor Client
xxxx.tmp 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c Mimikatz (x64)
xxxx.tmp 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 Mimikatz (x32)

The BadRabbit attack first begins when the victim receives and installs a fake Adobe Flash update.

The malware starts a command-line with following values:
Cmd /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR “C:\Windows\system32\cmd.exe /C Start \”\” \”C:\Windows\dispci.exe\” -id 1082924949 && exit”

“/TN rheagal” refers to a system account with the name rhaegal used to create the scheduled task and start the ransomware file dispci.exe. Rhaegal is likely a reference to a dragon from the popular TV show “Game of Thrones.” In fact, three dragon names—Rhaegal, Viserion, and Drogon—are used in relation to the following scheduled tasks:

The malware then uses the following commands to clear security logs and delete the update sequence number (USN) change journal, which is used to recover files, for example:

Cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

The USN change journal provides a persistent log of all changes made to files on the volume, according to the Microsoft Developer Network. As files, directories, and other NTFS objects are added, deleted, and modified, NTFS enters records into the USN change journal, one for each volume on the computer. Each record indicates the type of change and the object changed. New records are appended to the end of the stream.

We also found a DNS query to ACA807(x)ipt.aol[.]com, in which the “##” is a two-digit hex number from 00-FF ACA807##.ipt.aol[.]com.

Game of Thrones Fans?

It is common for attackers to use pop-culture references in their attacks. These attackers seem to have an interest in “Game of Thrones,” with at least three references to the series. Viserion, Rhaegal, and Drogon are names of scheduled tasks. GrayWorm, the name of a “Game of Thrones” commander, is the product name in the binary’s EXIF data.

Embedded Credentials
secret
123321
zxc321
zxc123
qwerty123
qwerty
qwe321
qwe123
111111
password
test123
admin123Test123
Admin123
user123
User123
guest123
Guest123
administrator123
Administrator123
1234567890
123456789
12345678
1234567
123456
adminTest
administrator
netguest
superuser
nasadmin
nasuser
ftpadmin
ftpuser
backup
operator
other user
support
manager
rdpadmin
rdpuser
user-1
Administrator

There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable:
– 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
– 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
– 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

References:
https://www.endgame.com
https://securingtomorrow.mcafee.com
http://www.bbc.com
https://securelist.com

Leave a Reply