BluSapphire | Intelligent Cyber Defense
1.jpg

Blog

BadRabbit Analysis using BluSapphire

 

Since the outbreak of Petya/NotPetya which was surfaced in the month of June, again last week a new ransomware attack “aka BadRabbit” is making the headlines effecting machines in Ukraine, Russia, Turkey and Bulgaria.

Initial Attack Vector:

Unlike Petya/NotPetya that use SMB (Eternal Blue) as the initial vector, this variant uses drive-by-download type of attack to deliver the malware (BadRabbit) that spreads via malicious websites.

BadRabbit utilizes:

  1. Diskcryptor to encrypt the files with selected extensions

  2. SCmanager, schtasks and rundll32.exe to invoke other components

  3. For lateral movement, it scans the local networks for SMB shares and spread via SMB

  4. Mimikatz for credential harvesting on compromised machine

Analyzed samples:

MD5 HashDescriptionfbbdc39af1139aebba4da004475e8839Adobe_Flash_Update – Dropper1d724f95c61f1055f0d02c2154bbccd3infpub.dat – Main DLLb4e6d97dafd9224ed9a547d52c26ce02cscc.dat – Driver for Encryptionb14d8faf7f0cbcfad051cefe5f39645fdispci.exe – DiskCryptor Client

Behavioral analysis:

Once downloaded, the executable dropper pretending to an Adobe Flash Update convincing the victim to install it

1.jpg

Upon execution it drops the main module DLL “infpub.dat” in “C:\Windows” directory that is further initiated by rundll.exe with arguments.

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

2.jpg

Executes the command “schtasks /Delete /F /TN rhaegal” to delete any existing tasks with name “rhaegal”.

3.jpg

During the execution of main DLL “infpub.dat” other components (cscc.dat, dispci.exe) responsible for encrypting are being dropped.

4.jpg

To launch the newly dropped components of diskcryptor “dispci.exe” on the startup, a new task is scheduled with name “rhaegal”.

5.jpg

New service named “cscc” is created for DiskCryptor Driver “cscc.dat”.

ServiceName=cscc,DisplayName=Windows Client Side Caching DDriver, BinaryPathName=cscc.dat
6.jpg

Schedules a task named “drogon” to forcefully reboot the machine at 04:46hrs, it appears that a reboot is required to install the DiskCryptor drivers.

7.jpg
8.jpg

BadRabbit encrypts only selected file extension as below and displays a ransom note.

3ds, 7z, accdb, ai, asm, asp, aspx, avhd, back, bak, bmp, brw, c, cab, cc, cer, cfg, conf, cpp, crt, cs, ctl, cxx, dbf, der, dib, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, hpp, hxx, iso, java, jfif, jpe, jpeg, jpg, js, kdbx, key, mail, mdb, msg, nrg, odc, odf, odg, odi, odm, odp, ods, odt, ora, ost, ova, ovf, p12, p7b, p7c, pdf, pem, pfx, php, pmf, png, ppt, pptx, ps1, pst, pvi, py, pyc, pyw, qcow, qcow2, rar, rb, rtf, scm, sln, sql, tar, tib, tif, tiff, vb, vbox, vbs, vcb, vdi, vfd, vhd, vhdx, vmc, vmdk, vmsd, vmtm, vmx, vsdx, vsv, work, xls, xlsx, xml, xvd, zip

Abuse use of APIs:

CloseHandle
CreateFileW
CreateProcessW
ExitProcess
GetCommandLineW
GetCurrentProcess
GetFileSize
GetModuleFileNameW
GetModuleHandleW
GetSystemDirectoryW
HeapAlloc
ReadFile
TerminateProcess
UnhandledExceptionFilter
WriteFile

URL Found:

http://rb.symcb.com/rb.crl0W
http://s.symcb.com/universal-root.crl0
http://ocsp.verisign.com0
https://www.verisign.com/rpa
https://www.verisign.com/rpa0
http://rb.symcb.com/rb.crt0
http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
https://d.symcb.com/cps0%
http://s.symcd.com06
http://crl.verisign.com/pca3-g5.crl04
http://ts-ocsp.ws.symantec.com0;
https://d.symcb.com/rpa0@
https://d.symcb.com/rpa0
https://www.verisign.com/cps0
https://d.symcb.com/rpa06
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://s.symcd.com0
http://ocsp.thawte.com0
https://d.symcb.com/rpa0.
http://rb.symcd.com0&
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://sf.symcb.com/sf.crt0
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
http://logo.verisign.com/vslogo.gif04
http://sf.symcd.com0&
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
http://sf.symcb.com/sf.crl0W
http://ts-ocsp.ws.symantec.com07

Lateral Movement:

To perform credential harvesting, it creates and loads mimikatz to a file with extension “.tmp” (xxxx.tmp) in “C:\Windows\” and initiates a new process from the temp file “495E.tmp” with pipe.

9.jpg
10.jpg

Notice that the malware scans the local network for ports 139, 445 and spreads via SMB shares with credentials harvested using mimikatz.

11.jpg
12.jpg

- Praveen Kolanuvada

 
Kiran VangavetiComment
Get in Touch