BadRabbit: a New Ransomware Outbreak

AhmedSonbol1 (Employee)
2017-10-25 02:18 PM

Yesterday news emerged about a new ransomware outbreak dubbed Bad Rabbit. The new ransomware has some similarities to the Petya/NotPetya ransomware attack that took the world by storm last summer: both ransomware families encrypt the entire disk. As of now, most reported victims are in Eastern Europe, with some reports suggesting that victims were also detected in the United States. While US-CERT issued a notice that it is aware of the attacks, it has no specific information on US victims.


The Bad Rabbit binary is currently being delivered to the victim as a fake Adobe Flash update (SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) through compromised websites, and one particular delivery domain, 1dnscontrol[.]com, has been identified in numerous industry reports. Researchers at Cisco Talos demonstrated how Bad Rabbit victims were redirected to this delivery domain via compromised websites.

First, there was a POST request to 185.149.120[.]3/scholargoogle to collect some information such as user agent, referring site, cookie and domain name of the session.  Next, the ransomware dropper was delivered via two paths:

  • 1dnscontrol[.]com/index.php
  • 1dnscontrol[.]com/flash_install.php


At this time, it appears that the delivery domain is no longer active; however, both the IP and domain have been placed into FirstWatch C2 feeds available in RSA Live with the following meta tags:

  • threat.category = "ransomware"
  • threat.desc = "badrabbit"


Executing the malware on a 32-bit Windows machine, it dropped the following files on the system (names of the dropped files might vary from one system to another):

File Path              SHA256                                                            Notes
C:\Windows\cscc.dat    682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806  DiskCryptor driver
C:\Windows\infpub.dat  14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
C:\Windows\dispci.exe  8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93  DiskCryptor client
C:\Windows\740.tmp     a81b01737a22b8dae8f3e4fe3693c2f56eae0c6e24670146d91832ba6b76c82f


Executing the malware on a 64-bit Windows machine, it dropped the following files:

File Path              SHA256                                                            Notes
C:\Windows\cscc.dat    0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6  DiskCryptor driver
C:\Windows\infpub.dat  14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
C:\Windows\dispci.exe  8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93  DiskCryptor client
C:\Windows\CE27.tmp    fdef2f6da8c5e8002fa5822e8e4fea278fba66c22df9e13b61c8a95c2f9d585f
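The two tables list dropped file names and SHA256 hashes, and the post notes that the names can vary between systems, so a host check should key on the hash first and treat a name hit as a lower-confidence lead. The following Python script is an added example (not code from this post or from NetWitness): it hashes candidate files in a directory and compares them with the hashes listed above. The function names, the name pre-filter and the demo's file contents are assumptions made for the illustration; the demo writes a benign constructed file, never a real sample.

```python
import hashlib
import os
import tempfile

# SHA256 values copied from the tables above; labels describe the dropped component.
BADRABBIT_SHA256 = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": "fake Flash update dropper",
    "682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806": "cscc.dat (32-bit DiskCryptor driver)",
    "0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6": "cscc.dat (64-bit DiskCryptor driver)",
    "14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958": "infpub.dat",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93": "dispci.exe (DiskCryptor client)",
    "a81b01737a22b8dae8f3e4fe3693c2f56eae0c6e24670146d91832ba6b76c82f": "*.tmp (32-bit sample)",
    "fdef2f6da8c5e8002fa5822e8e4fea278fba66c22df9e13b61c8a95c2f9d585f": "*.tmp (64-bit sample)",
}

# File names from the tables; the post says these can vary, so a name hit alone is low confidence.
DROPPED_NAMES = {"cscc.dat", "infpub.dat", "dispci.exe"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def is_candidate(name):
    """Name-based pre-filter (assumed heuristic): known dropped names or a *.tmp file."""
    lowered = name.lower()
    return lowered in DROPPED_NAMES or lowered.endswith(".tmp")


def scan_directory(directory, iocs=BADRABBIT_SHA256, hash_everything=False):
    """Return findings for files directly inside `directory` (non-recursive).

    Only name candidates are hashed unless `hash_everything` is set (cheap
    triage of a Windows directory). A finding has hash_match=True only when
    the SHA256 is in `iocs`; name-only hits are still reported, with
    hash_match=False, so the analyst can decide what to do with them.
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        candidate = is_candidate(name)
        if not (candidate or hash_everything):
            continue
        digest = sha256_file(path)
        label = iocs.get(digest)
        if label is None and not candidate:
            continue  # hashed on request, but neither name nor hash is of interest
        findings.append({
            "path": path,
            "sha256": digest,
            "hash_match": label is not None,
            "label": label if label is not None else "name match only",
        })
    return findings


def demo_on_constructed_sample():
    """Run the scanner on a constructed benign file (not real malware).

    Returns (name_only, confirmed): the first scan only sees the suspicious
    name; the second uses an IOC set containing the constructed file's own
    hash and therefore reports a confirmed hash match.
    """
    workdir = tempfile.mkdtemp(prefix="badrabbit-demo-")
    sample = os.path.join(workdir, "cscc.dat")
    with open(sample, "wb") as handle:
        handle.write(b"constructed sample, not the DiskCryptor driver")
    with open(os.path.join(workdir, "readme.txt"), "wb") as handle:
        handle.write(b"unrelated file, skipped by the name pre-filter")
    name_only = scan_directory(workdir)
    constructed_iocs = {sha256_file(sample): "constructed sample"}
    confirmed = scan_directory(workdir, iocs=constructed_iocs)
    return name_only, confirmed


if __name__ == "__main__":
    name_only, confirmed = demo_on_constructed_sample()
    print("name-only findings:", name_only)
    print("confirmed findings:", confirmed)
```

To check a real host, call `scan_directory(r"C:\Windows")` with the default IOC set; pass `hash_everything=True` when the dropped names are expected to differ from those in the tables.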


Here is a process tree after running the dropper:

[Figure: badrabbit-processtree.png (process tree after running the dropper)]

The malware creates two scheduled tasks to perform the following:

  • A scheduled task to run the open source utility DiskCryptor to encrypt the entire disk.
  • A scheduled task to reboot the system at a certain time.

Strings embedded in the unpacked DLL suggest that the malware also targets a certain list of files for encryption:

  • .3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
  • Note: It remains unclear why the malware carries a list of target file extensions when its observed behavior is to encrypt the whole disk.


The malware also drops mimikatz-like binaries to harvest credentials.  Communication between those binaries and the malware is done through a named pipe as shown in the process tree above. 

In addition to the stealers, the malware comes embedded with a list of default usernames and passwords. These credentials are used by the malware to try to log in to other systems via SMB and infect them. It should be noted that Bad Rabbit does not currently use the EternalBlue vulnerability for lateral movement; instead it performs basic scanning and login attempts against the following shares:

  • admin
  • atsvc
  • browser
  • eventlog
  • lsarpc
  • netlogon
  • ntsvcs
  • spoolss
  • samr
  • srvsvc
  • scerpc
  • svcctl
  • wkssvc

If a login attempt is successful, 'infpub.dat' is dropped into the Windows directory and executed via SCManager and rundll.exe.


In its final stages, Bad Rabbit executes a system reboot, after which the victim is presented with a ransom note:

[Figure: badrabbit-ransomnote.png (ransom note shown after reboot)]

The page at caforssztxqzf2nm[.]onion notifies victims of a 0.05 Bitcoin ransom and states that the price will go up after some 10+ hours.

[Figure: badrabbit-ransom.png (ransom payment page on the .onion site)]

Microsoft recently released a threat bulletin on Bad Rabbit [6]. It gives the following instructions to stop the system from rebooting (and thus stop it from encrypting the disk):

  • Check event logs for the following IDs: 1102 and 106.
    • Event 1102 indicates that the audit log has been cleared, so previous activities can’t be seen.
    • Event 106 indicates that scheduled tasks "drogon" and "Rhaegel" have been registered (these are ransomware wipers).
  • If events 1102 and 106 are present, issue a shutdown -a to prevent a reboot.
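The bulletin's two checks can be turned into a small triage routine that a responder runs over exported event records before deciding whether to abort the pending reboot. The following Python is an added example (not code from this post, from NetWitness or from Microsoft). The record shape, the `triage` function and the sample messages are assumptions made for the illustration; the event IDs, channels and task names come from the guidance above, and real records would first be pulled from the Security and Microsoft-Windows-TaskScheduler/Operational logs (for example with Get-WinEvent) and flattened into this shape.

```python
import re

# Task names quoted in the Microsoft guidance above; matched case-insensitively.
WIPER_TASK_NAMES = ("drogon", "rhaegel")

# Constructed event records approximating flattened Security and
# TaskScheduler/Operational log entries. These are not real log data.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624,
     "message": "An account was successfully logged on."},
    {"channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"channel": "Microsoft-Windows-TaskScheduler/Operational", "event_id": 106,
     "message": 'User "SYSTEM" registered Task Scheduler task "\\drogon"'},
    {"channel": "Microsoft-Windows-TaskScheduler/Operational", "event_id": 106,
     "message": 'User "SYSTEM" registered Task Scheduler task "\\Rhaegel"'},
    {"channel": "Microsoft-Windows-TaskScheduler/Operational", "event_id": 106,
     "message": 'User "SYSTEM" registered Task Scheduler task '
                '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"'},
]

# Pulls the task path out of a 106 message; the leading backslash is optional.
TASK_NAME_RE = re.compile(r'task "\\?([^"]+)"', re.IGNORECASE)


def extract_task_name(message):
    """Return the registered task path from an event 106 message, or None."""
    match = TASK_NAME_RE.search(message)
    return match.group(1) if match else None


def triage(events):
    """Apply the bulletin's two checks and return a verdict.

    audit_cleared: a Security event 1102 was seen.
    wiper_tasks:   leaf names of event 106 task registrations matching the
                   wiper task names (benign registrations are ignored).
    recommend_abort_reboot / action: set only when both indicators are present,
    mirroring the 'issue shutdown -a' instruction.
    """
    audit_cleared = any(
        e["event_id"] == 1102 and e["channel"] == "Security" for e in events
    )
    wiper_tasks = []
    for e in events:
        if e["event_id"] != 106:
            continue
        task_path = extract_task_name(e["message"]) or ""
        leaf = task_path.split("\\")[-1].lower()
        if leaf in WIPER_TASK_NAMES:
            wiper_tasks.append(leaf)
    both_present = audit_cleared and bool(wiper_tasks)
    return {
        "audit_cleared": audit_cleared,
        "wiper_tasks": sorted(set(wiper_tasks)),
        "recommend_abort_reboot": both_present,
        "action": "shutdown -a" if both_present else None,
    }


if __name__ == "__main__":
    verdict = triage(SAMPLE_EVENTS)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The check keys on the task leaf name rather than the full path so that the legitimate ScheduledDefrag registration in the sample is ignored while "drogon" and "Rhaegel" are caught regardless of case.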


Halim Abouzeid has a detailed post on how the post-infection activity looks in both NetWitness Packets and NetWitness Endpoint.
