Petya or NotPetya? That is the Question.

Earlier this week, a new piece of malware with characteristics of both ransomware and a wiper surfaced. It resembles Petya, an earlier ransomware family, but based on our preliminary findings it is not simply a Petya variant as publicly reported: its capabilities and its effects differ substantially.

This appears to be a complex attack involving several vectors. More importantly, NotPetya seems to have been a regionally targeted attack: the initial infections originated from the update mechanism of MeDoc, a financial and accounting software vendor. The update feature of the vendor's enterprise product is believed to have been compromised, so that when victims downloaded and installed the update they were infected, and NotPetya then spread across the same network.

The original malware comes as a Windows DLL with a single export at ordinal #1 (named perfc_1).

The DLL carries several embedded resources. One is a copy of the signed Sysinternals PsExec utility, dropped as dllhost.dat and used to execute the malware on other hosts in the network wherever credentials with administrative rights are available. Another is a credential-harvesting tool, a modified version of a password dumper in the style of Mimikatz, dropped to the %TEMP% folder as a 32- or 64-bit binary depending on the host; the credentials it steals from the victim machine feed the PsExec-based spreading. The EternalBlue SMB exploit is a separate propagation mechanism and does not depend on PsExec or on stolen credentials.

The main component is executed with rundll32.exe, which calls the export at ordinal #1.

On execution, NotPetya checks whether the current machine is a workstation or a domain controller. If it is a domain controller, it queries the DHCP service to retrieve the list of hosts with leases in the DHCP server's subnets, giving it a ready-made target list. For propagation it uses the EternalBlue SMB exploit, and, where credentials with administrative rights are available, it also copies and launches itself on remote hosts with PsExec.

NotPetya creates a scheduled task that reboots the victim machine after a delay, using the following command (a printf-style format string taken from the binary; the %ws and %02d placeholders are filled in at runtime with the program path and the scheduled time):

schtasks %ws/Create /SC once /TN “” /TR “%ws” /ST %02d:%0


For file encryption the malware uses AES-128, with the per-victim AES key protected by a hardcoded RSA public key embedded in the binary. This user-mode file-encryption layer is new: the original Petya only encrypted the MFT with Salsa20 from its boot-loader stage, and that boot-stage Salsa20 encryption of the MFT is still present in NotPetya.

The malware also attempts to clear the Windows event logs and delete the NTFS change journal to hide its traces, by executing the following command line (again a format string; %c is replaced by the drive letter):

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
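The scheduled-reboot and log-clearing command lines above are exactly the kind of host telemetry a detection engineer can alert on. The following is an added example, not code from the original post: a small Python rule set run over constructed process-creation events modelled on Sysmon Event ID 1 fields (UtcTime, Image, CommandLine). The event contents, timestamps and the rule names are this example's own; the rules also cover the rundll32 ordinal-#1 launch described earlier in the post.

```python
"""Process-creation rules for the NotPetya host behaviours described above.

Added example, not code from the original post. The events are constructed
to resemble Sysmon Event ID 1 (ProcessCreate) fields; no real telemetry."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample events: three that imitate the NotPetya command lines
# quoted in the post and three benign look-alikes the rules must ignore.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2017-06-27 11:02:13",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\perfc.dat",#1 60'},
    {"UtcTime": "2017-06-27 11:02:14",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 12:02'},
    {"UtcTime": "2017-06-27 11:02:15",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"UtcTime": "2017-06-27 11:05:00",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC daily /TN "Backup" /TR "C:\Tools\backup.exe" /ST 23:00'},
    {"UtcTime": "2017-06-27 11:06:00",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Application"},
    {"UtcTime": "2017-06-27 11:07:00",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 loading a DLL that hides behind a .dat extension by ordinal #1.
_RUNDLL_ORDINAL = re.compile(r'rundll32(\.exe)?\s+"?[^"\s]+\.dat"?\s*,\s*#1\b')
# schtasks /Create whose /TR action is shutdown with the /r (reboot) switch.
_SCHTASKS_REBOOT = re.compile(r'schtasks\b.*\s/create\b.*\s/tr\s+"[^"]*shutdown(\.exe)?\s[^"]*/r\b')
# Each "wevtutil cl <log>" in the command line; the group captures the log name.
_WEVTUTIL_CLEAR = re.compile(r"wevtutil\s+cl\s+(\w+)")
# Deleting the NTFS USN change journal destroys file-activity evidence.
_USN_DELETE = re.compile(r"fsutil\s+usn\s+deletejournal\b")


def match_rules(command_line: str) -> List[str]:
    """Return the names of the rules that a single command line trips."""
    cmd = command_line.lower()
    hits: List[str] = []
    if _RUNDLL_ORDINAL.search(cmd):
        hits.append("rundll32 loads a .dat DLL by ordinal #1")
    if _SCHTASKS_REBOOT.search(cmd):
        hits.append("scheduled task forcing a reboot")
    cleared = _WEVTUTIL_CLEAR.findall(cmd)
    # One cleared log can be routine; several at once, or Security, is not.
    if len(cleared) >= 2 or "security" in cleared:
        hits.append("event log clearing: " + ", ".join(cleared))
    if _USN_DELETE.search(cmd):
        hits.append("USN change journal deletion")
    return hits


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; return (time, rule, command line)."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for rule in match_rules(cmd):
            alerts.append((ev.get("UtcTime", "?"), rule, cmd))
    return alerts


if __name__ == "__main__":
    for when, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule}\n    {cmd}")
```

Matching is done on the lower-cased command line so that casing tricks do not evade the rules, and the log-clearing rule deliberately ignores a single routine clear while still flagging the Security log on its own; tune that threshold to your environment before deploying.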

During the infection process, NotPetya overwrites the master boot record (MBR) with a custom boot loader. When the machine reboots, that loader runs a small malicious kernel that encrypts the master file table (MFT), leaving the file system unreadable.

The result is an unbootable system that displays a ransom note demanding payment to restore it.
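A boot-loader replacement of this kind is detectable before the reboot by comparing the disk's first sector with a baseline recorded while the machine was clean. The following is an added example, not code from the original post: it parses the classic 512-byte MBR layout (440 bytes of bootstrap code, 4-byte disk signature, four 16-byte partition entries, 0x55AA signature) and reports when the bootstrap code no longer matches the baseline hash. Both sectors are constructed for the example; the bootstrap bytes are placeholders, not real Windows boot code.

```python
"""Boot-sector integrity check for the MBR overwrite described above.

Added example, not code from the original post. The two sectors below are
constructed: the bootstrap bytes are placeholders, not real Windows code."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440           # classic MBR: bootstrap code is bytes 0..439
DISK_SIG_OFF = 440            # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> Dict:
    """Split a 512-byte sector into bootstrap hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> List[str]:
    """Compare a sector against a baseline taken from the same disk when clean."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table empty")
    return findings


def _build_sector(bootstrap: bytes) -> bytes:
    """Assemble a constructed MBR around the given 440-byte bootstrap."""
    assert len(bootstrap) == BOOTSTRAP_LEN
    # One bootable NTFS (0x07) partition starting at LBA 2048, 204800 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return (bootstrap + struct.pack("<I", 0x1234ABCD) + b"\0\0"
            + entry + b"\0" * 48 + BOOT_SIGNATURE)


# Constructed "clean" bootstrap and the baseline hash recorded from it.
CLEAN_BOOTSTRAP = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 435
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOTSTRAP).hexdigest()
CLEAN_SECTOR = _build_sector(CLEAN_BOOTSTRAP)
# Same partition table and signature, but the loader code has been replaced,
# which is the shape of a boot-loader substitution.
TAMPERED_SECTOR = _build_sector(bytes([0xEB, 0x58, 0x90]) + b"\xCC" * 437)


if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(name, check_mbr(sec, BASELINE_SHA256) or ["ok"])
```

To use this on a real machine, read the first 512 bytes of the physical disk with administrative rights (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux), record the bootstrap hash off-host while the system is known good, and compare on a schedule. Hashing only the bootstrap region keeps legitimate partition-table edits from producing false alarms while still catching a replaced loader that preserves the partition table.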


The victim is asked to send USD 300 worth of Bitcoin to the wallet 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX.

The sample checks whether its token holds three privileges that its actions depend on:

SeShutdownPrivilege

– Required to shut down or reboot the system; the scheduled reboot into the malicious boot loader depends on it.

SeDebugPrivilege

– Allows the holding process to open and read or write the memory of other processes on the machine, including system processes. This is what the credential-dumping component needs, and it effectively lets a binary perform system-level tasks.

SeTcbPrivilege

– Allows the holding process to act as part of the operating system.

As of today, NotPetya has not had much success in collecting payments into its wallet.

As mentioned earlier in this post, NotPetya does not seem to be focused on revenue or on its ransomware characteristics; it looks more like a targeted cyberattack. It takes the worm features seen in WannaCry further with additions of its own, which again demonstrates the continuous evolution of malware.

Indicators of Compromise

Malicious DLL (SHA-256) – 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

Signed PsExec (SHA-256) – f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5

Related IPs

  • 95.141.115.108
  • 185.165.29.78
  • 84.200.16.242
  • 111.90.139.247
  • 201.76.49.58
  • 50.7.11.122

Related Domains

  • mischapuk6hyrn72.onion/
  • petya3jxfp2f7g3i.onion/
  • petya3sen7dyko2n.onion/
  • mischa5xyix2mrhd.onion/MZ2MMJ
  • mischapuk6hyrn72.onion/MZ2MMJ
  • petya3jxfp2f7g3i.onion/MZ2MMJ
  • petya3sen7dyko2n.onion/MZ2MMJ
  • benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin
  • french-cooking.com/
  • sundanders.online
  • casconut.xyz
  • blumbeerg.xyz
  • insurepol.in
  • whitefoam.org.uk
  • xfusion.co.uk
  • affliates.in
  • chyporus.in
  • coffeinoffice.xyz
  • dantan.club
  • kababmachatu.xyz
  • damodot.xyz
  • ballotvize.xyz

 
