Earlier this week a new piece of malware surfaced that combines ransomware and wiper characteristics and bears a resemblance to Petya, an earlier ransomware family. Based on our preliminary findings we believe this is not a variant of Petya as publicly reported: its capabilities and effects differ substantially.
This appears to be a complex attack involving several attack vectors. More importantly, NotPetya appears to have been a regionally targeted attack, as the initial infections originated from the financial software firm MeDoc. The software update feature of the firm's enterprise product is believed to have been compromised, so that when victims downloaded and installed the update they were infected, and NotPetya then spread within their networks.
The original malware is delivered as a Windows DLL with a single export at ordinal 1, named perfc_1.
The DLL carries embedded resources. One is a signed copy of psexec.exe, dropped as dllhost.dat and used to execute the malware on other systems in the network. Another is a credential-harvesting tool, a modified version of a password dumper similar to Mimikatz, dropped to the %TEMP% folder as either a 32- or 64-bit build depending on the host, and used to collect credentials from the victim machine itself.
The main component is executed via rundll32, which calls export ordinal 1.
On execution NotPetya checks whether the current machine is a workstation or a domain controller. If it is a domain controller, NotPetya queries the DHCP service to enumerate the subnets served by the DHCP server and retrieve the list of hosts with addresses in those subnets. NotPetya then spreads through the network using the EternalBlue exploit. Other mechanisms were also observed: if administrative privileges are available, it infects remote hosts using the dropped psexec.exe.
NotPetya creates a scheduled task that reboots the victim machine after a delay, using the command template below (the %ws and %02d placeholders are format specifiers filled in at runtime):
schtasks %ws/Create /SC once /TN “” /TR “%ws” /ST %02d:%0
File encryption uses AES-128, with the per-victim AES key in turn encrypted using an RSA public key hardcoded in the sample. This user-mode file encryption is a departure from the original Petya, which relied solely on Salsa20 in its boot-level component. Before rebooting, NotPetya clears the Windows event logs and deletes the NTFS USN change journal with the following command:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
It then overwrites the boot sector with malicious boot code that encrypts the master file table (MFT), leaving the file system unreadable.
The result is an unbootable system and a ransom demand for its restoration.
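Several of the behaviours above (rundll32 loading a .dat DLL by ordinal, a one-shot scheduled task with an empty name, a chain of wevtutil cl / fsutil usn deletejournal commands, and a renamed PsExec called dllhost.dat) are visible in process-creation telemetry. The following detection script is an added example written for this post, not code from the original analysis or from any vendor: it runs a small set of rules over constructed Sysmon-style events (parent image | image | command line). The sample event lines, including the reboot command in the scheduled task and the PsExec arguments, are constructed for the example and are assumptions, not observed telemetry.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


# Constructed process-creation events for this example (not real telemetry).
# Each line is "<parent image>|<image>|<command line>".
SAMPLE_EVENTS = [
    "explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "svchost.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Windows\\perfc.dat,#1 60",
    "rundll32.exe|C:\\Windows\\System32\\schtasks.exe|schtasks /Create /SC once /TN \"\" "
    "/TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 14:35",
    "rundll32.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c wevtutil cl Setup & wevtutil cl System & "
    "wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:",
    "rundll32.exe|C:\\Windows\\dllhost.dat|C:\\Windows\\dllhost.dat \\\\10.0.0.7 -accepteula -s -d "
    "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1 60",
    # Benign look-alikes that must not fire: the real COM surrogate and a normal scheduled task.
    "services.exe|C:\\Windows\\System32\\dllhost.exe|dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
    "explorer.exe|C:\\Windows\\System32\\schtasks.exe|schtasks /Create /SC daily /TN \"Backup\" /TR \"C:\\backup.bat\" /ST 02:00",
]

# Regex rules keyed on the command line. Each is a (rule name, pattern) pair.
RULES = [
    # rundll32 loading a DLL with a .dat extension and calling export ordinal 1.
    ("rundll32 invoking a .dat DLL by ordinal #1",
     re.compile(r"rundll32(?:\.exe)?\s+\S+\.dat\s*,\s*#1\b", re.IGNORECASE)),
    # One-shot scheduled task with an empty task name, as in the reboot task.
    ("schtasks one-shot task with empty name",
     re.compile(r"schtasks\b.*?/Create\b.*?/SC\s+once\b.*?/TN\s+\"\"", re.IGNORECASE)),
    # PsExec dropped under the name dllhost.dat (the legitimate COM surrogate is dllhost.exe).
    ("renamed PsExec (dllhost.dat) executed",
     re.compile(r"dllhost\.dat\b", re.IGNORECASE)),
]

LOG_WIPE_RULE = "event-log and USN-journal wiping chain"


def log_wipe_score(command_line: str) -> int:
    """Number of event-log channels cleared with 'wevtutil cl', plus 1 if the USN journal is deleted."""
    cleared = len(re.findall(r"wevtutil(?:\.exe)?\s+cl\s+\w+", command_line, re.IGNORECASE))
    usn = 1 if re.search(r"fsutil(?:\.exe)?\s+usn\s+deletejournal", command_line, re.IGNORECASE) else 0
    return cleared + usn


def parse_event(line: str):
    parent, image, command_line = line.split("|", 2)
    return parent, image, command_line


def scan(events) -> list:
    """Apply every rule to every event; an event may produce more than one finding."""
    findings = []
    for line in events:
        _parent, image, command_line = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(command_line):
                findings.append(Finding(name, image, command_line))
        # A single admin clearing one log is routine; three or more channels plus
        # journal deletion in one command line is the anti-forensics pattern.
        if log_wipe_score(command_line) >= 3:
            findings.append(Finding(LOG_WIPE_RULE, image, command_line))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule name."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.image}: {finding.command_line}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The benign dllhost.exe and daily backup task produce no findings, while the PsExec line fires twice (renamed PsExec plus the ordinal-1 rundll32 payload it carries), which is the expected shape for lateral movement from an already infected host.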
The sample enables three privileges on its process token in order to perform its actions:
– SeShutdownPrivilege: required to shut down (and reboot) the system.
– SeDebugPrivilege: a token privilege that allows the owning process to attach to and adjust the memory of other processes on the computer, which in effect lets any binary perform system-level tasks.
– SeTcbPrivilege: allows the owning process to act as part of the operating system.
NotPetya, as noted earlier in this post, does not appear to be focused on revenue or on the ransomware business model; it looks more like a targeted cyberattack. NotPetya takes the propagation techniques seen in WannaCry further and adds several of its own, which again shows the continuous evolution of malware.
Indicators of Compromise
Malicious DLL (SHA-256) – 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Signed psexec, dropped as dllhost.dat (SHA-256) – f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5