{"id":10068,"date":"2017-10-24T16:10:09","date_gmt":"2017-10-25T00:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/24\/news-3841\/"},"modified":"2017-10-24T16:10:09","modified_gmt":"2017-10-25T00:10:09","slug":"news-3841","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/24\/news-3841\/","title":{"rendered":"BadRabbit: a closer look at the new version of Petya\/NotPetya"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Tue, 24 Oct 2017 23:08:18 +0000<\/strong><\/p>\n<p>Petya\/NotPetya (aka EternalPetya), <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/petya-esque-ransomware-is-spreading-across-the-world\/\" target=\"_blank\" rel=\"noopener\">made headlines in June<\/a>, attacking users around the world. Today, we noted an outbreak of a similar-looking malware, called BadRabbit, probably prepared by the same authors. Just like the previous edition, BadRabbit has an infector allowing for lateral movements, using SMB to propagate laterally with a hardcoded list of usernames and passwords. However, unlike NotPetya, it doesn\u2019t use EternalBlue and is more widely spread. (Impacted countries include Ukraine, Russia, Turkey, and Bulgaria).<\/p>\n<p>Another key difference between Petya\/NotPetya and BadRabbit is that the initial vector is different (a website dropping a fake Flash update). Also, some of its components have been replaced. The malware package is complex, and we will likely dedicate future articles to describing all its features. 
But let\u2019s have an initial look.<\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da\/details\" target=\"_blank\" rel=\"noopener\">fbbdc39af1139aebba4da004475e8839<\/a> &#8211; the dropper (the original sample)\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648\/details\" target=\"_blank\" rel=\"noopener\">1d724f95c61f1055f0d02c2154bbccd3<\/a> &#8211; <em>infpub.dat<\/em> &#8211; the main DLL\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806\/detection\" target=\"_blank\" rel=\"noopener\">b4e6d97dafd9224ed9a547d52c26ce02<\/a> &#8211; <em>cscc.dat<\/em> &#8211; legitimate driver used for the disk encryption (<a href=\"http:\/\/diskcryptor.net\" target=\"_blank\" rel=\"noopener\">diskcryptor.net<\/a>)<\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93\/details\" target=\"_blank\" rel=\"noopener\">b14d8faf7f0cbcfad051cefe5f39645f<\/a> &#8211; <em>dispci.exe<\/em> &#8211; installs the bootlocker, communicates with the driver<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Behavioral analysis<\/h3>\n<p>The dropper is an executable that pretends to be a Flash update. It must run with administrative privileges, but no UAC bypass technique is used: it relies purely on social engineering, trying to convince the user to elevate it. Once run, it drops the main module into the C:\\Windows directory. This time it is named infpub.dat. 
(We can see the analogy to the previous NotPetya outbreak, where the DLL was named perfc.dat):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20234\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/dropped1.png\" alt=\"\" width=\"584\" height=\"121\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/dropped1.png 584w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/dropped1-300x62.png 300w\" sizes=\"auto, (max-width: 584px) 100vw, 584px\" \/><\/p>\n<p>It is run by the rundll32.exe called with parameters:<\/p>\n<pre>\"C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15\"  <\/pre>\n<p>Notice that the malware scans computers in the LAN:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20237\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/scan1.png\" alt=\"\" width=\"560\" height=\"186\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/scan1.png 560w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/scan1-300x100.png 300w\" sizes=\"auto, (max-width: 560px) 100vw, 560px\" \/><\/p>\n<p>Our guess is that the information about the detected machines is used for lateral movements.<\/p>\n<p>The malware also drops other elements in the Windows directory: cscc.dat and dispci.exe<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20239\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/dropped_driver.png\" alt=\"\" width=\"583\" height=\"213\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/dropped_driver.png 583w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/dropped_driver-300x110.png 300w\" sizes=\"auto, (max-width: 583px) 100vw, 583px\" \/><\/p>\n<p>The malware encrypts files with the selected extensions. 
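<\/p>\n<p>The rundll32 command line shown above, the three files dropped into C:\\Windows, and the <em>-id<\/em> parameter handed to <em>dispci.exe<\/em> (discussed in the dispci.exe section further down) are the most direct host-level observables of this chain. The following is an added example, not code from the original post: a small set of process-telemetry checks for those observables, run over constructed process-creation records. The record layout, the <em>-id<\/em> value and the exact <em>dispci.exe<\/em> command line are assumptions; only the rundll32 invocation is the one quoted in the article.<\/p>\n

```python
r"""Process-telemetry checks for BadRabbit's execution chain.

Added example, not code from the Malwarebytes post. It matches the
command lines the article reports (rundll32 loading C:\Windows\infpub.dat
by ordinal #1, dispci.exe receiving the random key in -id) against
constructed process-creation records. The record layout and the exact
dispci.exe command line are assumptions.
"""
import re
import shlex

# rundll32 <path>\Windows\<name>.dat,#<ordinal> ... as quoted in the article.
RUNDLL32_DAT_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+\S*\\windows\\(\w+\.dat),#(\d+)", re.IGNORECASE)

# File names the article reports being dropped into the Windows directory.
DROPPED_NAMES = {"infpub.dat", "cscc.dat", "dispci.exe"}


def find_flag_value(cmdline: str, flag: str):
    """Return the token that follows `flag` in a Windows-style command line.

    posix=False keeps backslashes intact; quotes around the value are
    stripped afterwards. Unbalanced quotes fall back to a plain split.
    """
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == flag:
            return tokens[i + 1].strip('"')
    return None


def check_process(record: dict) -> list:
    """Return (rule, detail) hits for one process-creation record."""
    hits = []
    image_path = record.get("image", "")
    image = image_path.rsplit("\\", 1)[-1].lower()
    cmd = record.get("cmdline", "")

    m = RUNDLL32_DAT_ORDINAL.search(cmd)
    if m:
        hits.append(("rundll32_dat_ordinal", f"{m.group(1)} export #{m.group(2)}"))

    # The key travels in clear on the command line, so the same record that
    # flags dispci.exe also preserves the key material for the responder.
    if image == "dispci.exe":
        key = find_flag_value(cmd, "-id")
        hits.append(("dispci_id_parameter", key if key else "missing -id"))

    if image in DROPPED_NAMES and image_path.lower().startswith("c:\\windows\\"):
        hits.append(("badrabbit_component_in_windows_dir", image))
    return hits


def scan(events: list) -> dict:
    """Map pid -> hits for every record that triggered at least one rule."""
    return {ev["pid"]: hits for ev in events if (hits := check_process(ev))}


# Constructed process-creation records. Only the first cmdline is the one
# quoted in the article; the dispci.exe line and -id value are made up.
SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"'},
    {"pid": 1340, "image": r"C:\Windows\dispci.exe",
     "cmdline": r"C:\Windows\dispci.exe -id 2803145317"},
    {"pid": 1402, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 1500, "image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r'"C:\Program Files\Vendor\app.exe" -id 42'},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

<p>The rundll32 rule keys on the combination that is unusual for legitimate software (a <em>.dat<\/em> file in the Windows directory loaded by export ordinal), not on the file name alone, so a renamed build is still caught; the <em>-id<\/em> extraction is only as good as the command-line capture of the endpoint telemetry in use.<\/p>\n<p>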
All the files are encrypted with the same key (the same plaintext gives the same ciphertext).<\/p>\n<p>Below, we demonstrate a visualization of a sample BMP file before and after being encrypted by BadRabbit:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-10922\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/01\/enc_square1_bmp.png\" alt=\"\" width=\"219\" height=\"219\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/01\/enc_square1_bmp.png 219w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/01\/enc_square1_bmp-150x150.png 150w\" sizes=\"auto, (max-width: 219px) 100vw, 219px\" \/> <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/petya-esque-ransomware-is-spreading-across-the-world\/\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20238\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/enc_square1.bmp_.png\" alt=\"\" width=\"219\" height=\"219\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/enc_square1.bmp_.png 219w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/enc_square1.bmp_-150x150.png 150w\" sizes=\"auto, (max-width: 219px) 100vw, 219px\" \/><\/a><\/p>\n<p>It does not change files extensions. 
The marker indicating that the file has been encrypted is added at the end of the file content\u2014it\u2019s a unicode text: \u201c%encrypted\u201d:<br \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20231\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/file_marker.png\" alt=\"\" width=\"627\" height=\"174\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/file_marker.png 627w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/file_marker-300x83.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/file_marker-600x167.png 600w\" sizes=\"auto, (max-width: 627px) 100vw, 627px\" \/><\/p>\n<p>Here\u2019s the dropped ransom note. As before, it\u2019s in TXT format, named Readme.txt:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20243\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/oops_note.png\" alt=\"\" width=\"599\" height=\"333\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/oops_note.png 599w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/oops_note-300x167.png 300w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><\/p>\n<p>As NotPetya did before, BadRabbit adds a scheduled task for the system reboot:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20240\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/shutdown_task.png\" alt=\"\" width=\"765\" height=\"228\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/shutdown_task.png 765w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/shutdown_task-300x89.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/shutdown_task-600x179.png 600w\" sizes=\"auto, (max-width: 765px) 100vw, 765px\" \/><\/p>\n<p>After the attack is completed, the system is restarted and the bootlocker 
screen pops up:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20232\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/botlocker1.png\" alt=\"\" width=\"724\" height=\"405\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/botlocker1.png 724w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/botlocker1-300x168.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/botlocker1-600x336.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/botlocker1-400x225.png 400w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/p>\n<p>We can clearly see the similarity with the screen that was displayed by Petya\/NotPetya:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18816\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/screen1.png\" alt=\"\" width=\"724\" height=\"405\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/screen1.png 724w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/screen1-300x168.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/screen1-600x336.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/screen1-400x225.png 400w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/p>\n<p>However, this time there is no fake CHKDSK <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/07\/keeping-up-with-the-petyas-demystifying-the-malware-family\/\" target=\"_blank\" rel=\"noopener\">known from each of the Petya editions<\/a>.<\/p>\n<p>Following the ransom notes, we see that there are two encryption keys that the victim must get in order to be able to recover the files. The first one is the key to the bootlocker. 
After unlocking the first stage, the second key is required to unlock the files.<\/p>\n<h3>Website for the victim<\/h3>\n<p>Last time, the attackers used a single email account to communicate with victims. This was unreliable, and they soon lost access to the account. This time, like most ransomware authors, they set up a Tor-based webpage. They invested more effort in the user experience: the website contains visual effects, including a ransom note that slowly emerges from colorful, animated text:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20250\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rabbit_page.png\" alt=\"\" width=\"993\" height=\"699\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rabbit_page.png 993w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rabbit_page-300x211.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rabbit_page-600x422.png 600w\" sizes=\"auto, (max-width: 993px) 100vw, 993px\" \/><\/p>\n<p>After pasting the key from the ransom note, the victim is given an individual Bitcoin address:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20251\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/bitcoin_acc.png\" alt=\"\" width=\"979\" height=\"355\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/bitcoin_acc.png 979w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/bitcoin_acc-300x109.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/bitcoin_acc-600x218.png 600w\" sizes=\"auto, (max-width: 979px) 100vw, 979px\" \/><\/p>\n<p>They also provide a form for reporting problems.<\/p>\n<h3>Inside<\/h3>\n<p>This malware has multiple elements. 
Execution starts in the PE file that drops and installs the other elements.<\/p>\n<p>The first component, <em>infpub.dat<\/em>, is analogous to the <em>perfc.dat<\/em> known from the NotPetya attack. This time, the DLL exports two functions:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20252\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/exports.png\" alt=\"\" width=\"485\" height=\"302\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/exports.png 485w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/exports-300x187.png 300w\" sizes=\"auto, (max-width: 485px) 100vw, 485px\" \/><\/p>\n<p>The function at ordinal #1 is the one the dropper calls first, through rundll32.exe:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20253\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rundll32_exe.png\" alt=\"\" width=\"550\" height=\"109\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rundll32_exe.png 550w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/rundll32_exe-300x59.png 300w\" sizes=\"auto, (max-width: 550px) 100vw, 550px\" \/><\/p>\n<p>This DLL contains an infector that spreads the malware to other machines in the LAN. Among other methods, WMIC is used to execute the modules dropped on remote machines. 
The responsible code looks similar to the corresponding routines in Petya\/NotPetya:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20254\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/wmic.png\" alt=\"\" width=\"690\" height=\"405\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/wmic.png 690w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/wmic-300x176.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/wmic-600x352.png 600w\" sizes=\"auto, (max-width: 690px) 100vw, 690px\" \/><\/p>\n<p>This time, in addition to the credentials dumped with the help of a Mimikatz-based module, the sample also performs a dictionary attack, trying to \u201cguess\u201d passwords for remote logins. The list consists of commonly used usernames and passwords:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20260\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/usernames_passwords.png\" alt=\"\" width=\"826\" height=\"646\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/usernames_passwords.png 826w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/usernames_passwords-300x235.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/usernames_passwords-600x469.png 600w\" sizes=\"auto, (max-width: 826px) 100vw, 826px\" \/><\/p>\n<p>The same DLL is also responsible for encrypting files one by one. 
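<\/p>\n<p>The per-file encryption leaves a footprint a responder can check for: the extension is left unchanged, a unicode <em>%encrypted<\/em> trailer is appended to the content (shown earlier), some system directories are exempted and only a fixed extension set is targeted (both listed just below). The following triage scanner is an added example, not code from the original post. It applies those rules to a constructed in-memory file set; the trailer is assumed to be UTF-16LE, which is what \u201cunicode text\u201d means on Windows, and the sample file contents are made up.<\/p>\n

```python
"""Triage scanner for BadRabbit's file-encryption footprint.

Added example, not code from the Malwarebytes post. It applies the
targeting rules the article reports (fixed extension list, exempted
system directories, extension left unchanged, a '%encrypted' trailer)
to a constructed in-memory file set. Assumption: the trailer is
UTF-16LE, which is what 'unicode text' means on Windows.
"""
import ntpath

# Extension list as given in the article (whitespace-separated).
TARGETED_EXTENSIONS = frozenset("""
3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab cc cer cfg conf
cpp crt cs ctl cxx dbf der dib disk djvu doc docx dwg eml fdb gz h hdd hpp
hxx iso java jfif jpe jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi
odm odp ods odt ora ost ova ovf p12 p7b p7c pdf pem pfx php pmf png ppt pptx
ps1 pst pvi py pyc pyw qcow qcow2 rar rb rtf scm sln sql tar tib tif tiff vb
vbox vbs vcb vdi vfd vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx
xml xvd zip
""".split())

# Directories the article lists as exempted, matched as path components.
EXEMPT_DIRS = frozenset({"windows", "program files", "programdata", "appdata"})

# Trailer appended to every encrypted file (assumed UTF-16LE encoding).
MARKER = "%encrypted".encode("utf-16-le")


def is_targeted(path: str) -> bool:
    """True if BadRabbit's file encryptor would consider this path."""
    parts = [p.lower() for p in ntpath.normpath(path).split("\\") if p]
    if not parts or any(p in EXEMPT_DIRS for p in parts[:-1]):
        return False
    ext = ntpath.splitext(parts[-1])[1].lstrip(".")
    return ext in TARGETED_EXTENSIONS


def has_marker(data: bytes) -> bool:
    """True if the content ends with the '%encrypted' trailer."""
    return data.endswith(MARKER)


def triage(files: dict) -> dict:
    """Classify a {path: bytes} mapping into three sorted buckets.

    'encrypted': carries the trailer (checked first, whatever the path);
    'at_risk':   targeted by the extension/directory rules but still clean;
    'skipped':   would not be touched by the file encryptor at all.
    """
    result = {"encrypted": [], "at_risk": [], "skipped": []}
    for path, data in files.items():
        if has_marker(data):
            result["encrypted"].append(path)
        elif is_targeted(path):
            result["at_risk"].append(path)
        else:
            result["skipped"].append(path)
    return {bucket: sorted(paths) for bucket, paths in result.items()}


# Constructed sample files; contents are made up, not real BadRabbit output.
SAMPLE_FILES = {
    r"C:\Users\alice\Documents\report.docx": b"PK\x03\x04" + b"\x00" * 32,
    r"C:\Users\alice\Documents\plan.xlsx": b"\x8a\x17\xf4" * 10 + MARKER,
    r"C:\Users\alice\Pictures\photo.jpg": b"\xff\xd8\xff\xe0" + b"\x01" * 16,
    r"C:\Users\alice\AppData\Roaming\app\config.xml": b"<cfg/>",
    r"C:\Users\bob\archive.zip": b"\x51\x09\xc3" * 7 + MARKER,
    r"C:\Windows\infpub.dat": b"MZ" + b"\x90" * 64,
}

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_FILES).items():
        print(bucket, paths)
```

<p>The marker check runs before the path rules, so a file that carries the trailer is reported even if it sits outside the targeted set; on a real host, read only the last 20 bytes of each file instead of loading the whole content, and treat the extension list as a prioritisation aid rather than proof that an untargeted file is intact.<\/p>\n<p>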
Encryption is performed with the help of the Windows CryptoAPI:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20255\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/encrypting_files.png\" alt=\"\" width=\"970\" height=\"638\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/encrypting_files.png 970w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/encrypting_files-300x197.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/encrypting_files-600x395.png 600w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/><\/p>\n<p>Some system directories are exempted from the attack:<\/p>\n<pre>\\Windows\n\\Program Files\n\\ProgramData\n\\AppData<\/pre>\n<p>The list of targeted extensions looks like an extended version of the list used by Petya\/NotPetya:<\/p>\n<pre>3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab cc cer cfg conf cpp crt cs ctl cxx dbf der dib disk djvu doc docx dwg eml fdb gz h hdd hpp hxx iso java jfif jpe jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm odp ods odt ora ost ova ovf p12 p7b p7c pdf pem pfx php pmf png ppt pptx ps1 pst pvi py pyc pyw qcow qcow2 rar rb rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi vfd vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx xml xvd zip<\/pre>\n<p>The AES key is generated with CryptGenRandom, the cryptographically secure random number generator of the Windows CryptoAPI.<\/p>\n<p>It is then passed to the encryption routine along with other parameters, including a hardcoded RSA public key. That public key is used later to encrypt the random key, so that it is preserved in a form only the attackers, who hold the matching private key, can decrypt:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20259\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/pass_generated_key.png\" alt=\"\" width=\"976\" height=\"469\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/pass_generated_key.png 976w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/pass_generated_key-300x144.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/pass_generated_key-600x288.png 600w\" sizes=\"auto, (max-width: 976px) 100vw, 976px\" \/><\/p>\n<pre>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ  +feQlVvZcEK0k4uCSF5SkOkF9A3tR6O\/xAt89\/PVhowvu2TfBTRsnBs83  hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG\/GN\/SVNBFwllpR  hV\/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdw  H1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW  9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWf  SBt1tbkvjdeP2xBnPjb3GE1GA\/oGcGjrXc6wV8WKsfYQIDAQAB  <\/pre>\n<p>This module drops and installs other modules used to carry out other stages of the attack. One of them is a legitimate disk cryptor (<em>cscc.dat<\/em>). It is dropped and installed as a service:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20262\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/install_driver.png\" alt=\"\" width=\"609\" height=\"257\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/install_driver.png 609w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/install_driver-300x127.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/install_driver-600x253.png 600w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\" \/><\/p>\n<p>The random key is later passed to another application that is dropped by this module\u2014dispci.exe. 
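<\/p>\n<p>The hardcoded key above is a base64-encoded DER SubjectPublicKeyInfo; the <em>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A<\/em> prefix is the rsaEncryption header of a 2048-bit RSA key. The following is an added example, not code from the original post: a standard-library-only DER reader that decodes that key, reports the modulus size and public exponent, and computes a SHA-256 fingerprint of the DER that can be used as an indicator for this build. Only the key material quoted in the article is used.<\/p>\n

```python
"""Inspect the RSA public key hardcoded in infpub.dat.

Added example, not code from the Malwarebytes post. It decodes the
base64 SubjectPublicKeyInfo quoted in the article with a minimal DER
reader (standard library only) and reports modulus size, public
exponent and a SHA-256 fingerprint of the DER bytes.
"""
import base64
import hashlib

# Key exactly as quoted in the article (line breaks removed).
BADRABBIT_PUBKEY_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ"
    "+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83"
    "hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpR"
    "hV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdw"
    "H1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW"
    "9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWf"
    "SBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB"
)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _expect(cond: bool, what: str):
    if not cond:
        raise ValueError(f"unexpected DER structure: {what}")


def parse_rsa_spki(der: bytes):
    """Return (modulus, exponent) from an RSA SubjectPublicKeyInfo."""
    tag, spki, _ = der_read(der, 0)
    _expect(tag == 0x30, "outer SEQUENCE")
    tag, alg, pos = der_read(spki, 0)
    _expect(tag == 0x30, "AlgorithmIdentifier")
    oid_tag, oid, _ = der_read(alg, 0)
    _expect(oid_tag == 0x06 and oid == RSA_OID, "rsaEncryption OID")
    tag, bitstr, _ = der_read(spki, pos)
    _expect(tag == 0x03 and bitstr[0] == 0, "BIT STRING with 0 unused bits")
    tag, rsa_key, _ = der_read(bitstr, 1)  # skip the unused-bits byte
    _expect(tag == 0x30, "RSAPublicKey SEQUENCE")
    tag, n_bytes, pos = der_read(rsa_key, 0)
    _expect(tag == 0x02, "modulus INTEGER")
    tag, e_bytes, _ = der_read(rsa_key, pos)
    _expect(tag == 0x02, "exponent INTEGER")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def describe_key(b64: str) -> dict:
    """Decode a base64 SPKI and summarise the RSA parameters inside it."""
    der = base64.b64decode(b64)
    n, e = parse_rsa_spki(der)
    return {
        "der_len": len(der),
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for name, value in describe_key(BADRABBIT_PUBKEY_B64).items():
        print(f"{name}: {value}")
```

<p>Because every victim\u2019s random key is wrapped with this public key, the fingerprint ties a sample to this particular campaign key; a sample carrying a different modulus would be a rebuilt variant with a different private key on the attackers\u2019 side, and a 2048-bit modulus with the usual exponent of 65537 confirms there is no shortcut to the wrapped keys without that private key.<\/p>\n<p>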
That element is responsible for carrying out the disk encryption.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20256\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/pass_the_random_key.png\" alt=\"\" width=\"690\" height=\"198\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/pass_the_random_key.png 690w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/pass_the_random_key-300x86.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/pass_the_random_key-600x172.png 600w\" sizes=\"auto, (max-width: 690px) 100vw, 690px\" \/><\/p>\n<p>That module receives the randomly generated key in the <em>-id<\/em> parameter:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20257\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/created_task.png\" alt=\"\" width=\"709\" height=\"65\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/created_task.png 709w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/created_task-300x28.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/created_task-600x55.png 600w\" sizes=\"auto, (max-width: 709px) 100vw, 709px\" \/><\/p>\n<p>So the random AES key exists for some time in unencrypted form, as part of the command line that launches dispci.exe. For incident response this matters: any process-creation telemetry that recorded that command line also recorded the key.<\/p>\n<h5>dispci.exe<\/h5>\n<p>This module communicates with the dropped driver using the appropriate <a href=\"https:\/\/en.wikipedia.org\/wiki\/Ioctl\" target=\"_blank\" rel=\"noopener\">IOCTLs<\/a>. The dropped driver is a legitimate disk encryption module; <em>dispci.exe<\/em> repurposes the driver&#8217;s features for malicious ends. 
Example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20249\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/sent_to_dcrypt.png\" alt=\"\" width=\"794\" height=\"347\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/sent_to_dcrypt.png 794w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/sent_to_dcrypt-300x131.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/sent_to_dcrypt-600x262.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/sent_to_dcrypt-195x85.png 195w\" sizes=\"auto, (max-width: 794px) 100vw, 794px\" \/><\/p>\n<p>Its resources contain the low-level components that are written directly to the disk (analogous to the Petya kernel installed by the previous version). The first resource is a bootloader, and the other two are variants of the malicious kernel:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20246\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/kernel_installer.png\" alt=\"\" width=\"729\" height=\"439\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/kernel_installer.png 729w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/kernel_installer-300x181.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/kernel_installer-600x361.png 600w\" sizes=\"auto, (max-width: 729px) 100vw, 729px\" \/><\/p>\n<h5>The low-level components: bootloader and kernel<\/h5>\n<p>This time the low-level part looks different from the one in NotPetya. 
Fragment of the bootloader:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20247\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/bootloader.png\" alt=\"\" width=\"588\" height=\"503\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/bootloader.png 588w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/bootloader-300x257.png 300w\" sizes=\"auto, (max-width: 588px) 100vw, 588px\" \/><\/p>\n<p>It seems that the authors decided to write their own kernel rather than reuse the one from Petya. It is also installed at a different position on the disk: at the end rather than at the beginning, where Petya placed it. The kernel is encrypted using a simple routine:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20233\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/kerrnel_decryption.png\" alt=\"\" width=\"386\" height=\"621\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/kerrnel_decryption.png 386w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/kerrnel_decryption-186x300.png 186w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/kerrnel_decryption-373x600.png 373w\" sizes=\"auto, (max-width: 386px) 100vw, 386px\" \/><\/p>\n<h3>Conclusion<\/h3>\n<p>The code has many elements that overlap with, or are analogous to, the code of Petya\/NotPetya, which suggests that the same authors are behind the attack. Again, they composed their malicious bundle out of borrowed elements; however, <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/06\/eternalpetya-yet-another-stolen-piece-package\/\" target=\"_blank\" rel=\"noopener\">the stolen Petya kernel<\/a> has been replaced with a more capable disk encryptor in the form of a legitimate driver. It looks like the authors tried to improve upon previous mistakes and finish unfinished business. 
So far, it seems that in the current release, encrypted data is recoverable after buying the key, which means the BadRabbit attack is not as destructive as the previous one. However, the malware is complex and its detailed analysis will take more time. We will be updating this article with the latest findings.<\/p>\n<p>Users of <a href=\"http:\/\/www.malwarebytes.com\/premium\" target=\"_blank\" rel=\"noopener\">Malwarebytes for Windows<\/a> are protected from BadRabbit. It is detected as Ransom.BadRabbit.<\/p>\n<p>&nbsp;<\/p>\n<p>Summary about the previous attack, Petya\/NotPetya:<\/p>\n<p><iframe loading=\"lazy\"  src=\"\/\/speakerdeck.com\/player\/600fc3412ae9454cb380195dfd4ef680\" width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<hr \/>\n<p><em><span class=\"s1\">This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. <\/span><span class=\"s1\">She loves going in details about malware and sharing threat information with the community. 
<\/span><span class=\"s2\">Check her out on Twitter @<a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\" rel=\"noopener noreferrer\">hasherezade<\/a> and her personal blog: <span class=\"s3\"><a href=\"https:\/\/hshrzd.wordpress.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/hshrzd.wordpress.com<\/a>.<\/span><\/span><\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/badrabbit-closer-look-new-version-petyanotpetya\/\">BadRabbit: a closer look at the new version of Petya\/NotPetya<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/badrabbit-closer-look-new-version-petyanotpetya\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Tue, 24 Oct 2017 23:08:18 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/badrabbit-closer-look-new-version-petyanotpetya\/' title='BadRabbit: a closer look at the new version of Petya\/NotPetya'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/creepyrabbit.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>BadRabbit, a new version of NotPetya, also has an infector allowing for lateral movements. However, unlike NotPetya, it does not use EternalBlue and uses a website to drop its payload. We take a closer look at this new ransomware variant. 
<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/badrabbit-ransomware\/\" rel=\"tag\">badrabbit ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/notpetya\/\" rel=\"tag\">NotPetya<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/notpetya-ransomware\/\" rel=\"tag\">NotPetya ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/badrabbit-closer-look-new-version-petyanotpetya\/' title='BadRabbit: a closer look at the new version of Petya\/NotPetya'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/badrabbit-closer-look-new-version-petyanotpetya\/\">BadRabbit: a closer look at the new version of Petya\/NotPetya<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[16077,3764,12830,16078,3765,10494],"class_list":["post-10068","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-badrabbit-ransomware","tag-malware","tag-notpetya","tag-notpetya-ransomware","tag-ransomware","tag-threat-analysis"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10068","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10068"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10068\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10068"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}