Technical analysis of Bad Rabbit Ransomware

2017 has already seen the huge impact of the WannaCry and NotPetya ransomware outbreaks, and as the year draws to a close another one joins the list. Bad Rabbit takes its name from the title of the page on which its authors demand the ransom, alongside the bitcoin details.

 

Bad Rabbit page

Early infection reports suggest the targeted geographical region is mostly Russia and Ukraine, with scattered reports from Turkey, Bulgaria, Poland and South Korea. Notable disruptions include major Russian news publishers and, in Ukraine, Odessa airport, the Kiev Metro and the Ministry of Infrastructure.

Interfax issued a public notice –  “Interfax Group‘s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience.”

Source of Infection

Sequretek Malware Lab found that Bad Rabbit reaches a victim's machine in more than one way. The initial dropper is downloaded as a fake Adobe Flash update from multiple compromised media websites. Spreading does not rely on downloads alone: once inside a network the malware moves laterally over SMB shares. Bad Rabbit uses Mimikatz to harvest login credentials from the machine's memory, and it also carries a list of hardcoded passwords that it tries against other systems on the network.

Technical Analysis

Bad Rabbit arrives as a dropper posing as a Flash update and carries three main components.

  1. Infpub.dat – Main DLL component
  2. CSCC.dat – Legitimate encryption driver taken from the DiskCryptor application
  3. Dispci.exe – Bootlocker component

Bad Rabbit Execution Flow

Bad Rabbit must run with administrative privileges; on execution it drops the components listed above into %windir%. As with NotPetya (perfc.dat), the core logic lives in the main DLL, Infpub.dat, which the dropper launches through rundll32.exe with the parameters shown below.

Bad Rabbit Entrypoint

"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"

Immediately afterwards, two scheduled tasks are created: one forces a reboot and the other performs the bootlock function.

Bad Rabbit Scheduled Tasks

There are visible references to Game of Thrones characters, namely Drogon, Rhaegal, Viserion, Grayworm and others, both in the code and in the scheduled task names.
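The execution flow described above, turned into a hunting check as an added example that is not part of Sequretek's analysis: a PowerShell function that flags process command lines matching the rundll32 entrypoint, schtasks creations that use the task names mentioned above, and any reference to the three dropped components. The sample command lines are constructed for the demonstration, the prefix match on task names (in case the real names carry suffixes) is an assumption, and the live-host check at the end only runs where Get-ScheduledTask exists.

```powershell
# Added hunting example (not part of the original analysis). The names below are taken
# from the analysis: the dropped components and the Game of Thrones task names.
$SuspectTaskNames  = @('drogon', 'rhaegal', 'viserion', 'grayworm')
$SuspectComponents = @('infpub.dat', 'cscc.dat', 'dispci.exe')

function Test-BadRabbitCommandLine {
    # Returns the reasons a command line looks like Bad Rabbit activity (empty when clean).
    param([Parameter(Mandatory)][string]$CommandLine)
    $cl = $CommandLine.ToLowerInvariant()
    $reasons = @()

    # Entrypoint: rundll32 loading a .dat from the Windows directory by ordinal export (#1).
    if ($cl -match 'rundll32(\.exe)?\s+.*\\windows\\[^\s,]+\.dat,#\d+') {
        $reasons += 'rundll32 loading a .dat from %windir% by ordinal export'
    }

    # Reboot/bootlock persistence: schtasks /Create with one of the known task names.
    # Prefix match, because the exact task names may carry suffixes (assumption).
    if ($cl -match 'schtasks(\.exe)?\s+/create') {
        foreach ($name in $SuspectTaskNames) {
            if ($cl -match "/tn\s+`"?$name") { $reasons += "scheduled task named '$name'"; break }
        }
    }

    # Any direct reference to one of the dropped components, whatever the directory spelling.
    foreach ($component in $SuspectComponents) {
        if ($cl.Contains("\$component")) { $reasons += "references $component"; break }
    }
    return $reasons
}

# Constructed sample process-creation command lines (not captured from a real infection).
$Samples = @(
    'C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15',
    'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\dispci.exe"',
    'schtasks /Create /SC ONCE /TN drogon /RU SYSTEM /TR "shutdown.exe /r /t 0 /f" /ST 10:30',
    'C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL',
    'schtasks /Create /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /TR defrag.exe'
)

foreach ($sample in $Samples) {
    $hits = @(Test-BadRabbitCommandLine -CommandLine $sample)
    if ($hits.Count -gt 0) { "SUSPECT  $sample`n         -> $($hits -join '; ')" }
    else                   { "clean    $sample" }
}

# On a live Windows 8 / Server 2012 or later host, check the task scheduler for the same names.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $pattern = '^(' + ($SuspectTaskNames -join '|') + ')'
    Get-ScheduledTask | Where-Object { $_.TaskName -match $pattern } |
        Select-Object TaskName, State, @{ n = 'Action'; e = { $_.Actions.Execute -join ' ' } }
}
```

The first three samples are flagged (the first on both the rundll32 rule and the component rule) and the two legitimate rundll32 and schtasks invocations pass, which is the point of keying on the .dat-by-ordinal pattern and the specific task names rather than on rundll32 or schtasks alone. In production the same function can be fed the CommandLine field of Sysmon event ID 1 or Security event 4688 (with command-line auditing enabled).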

Bad Rabbit Bootlock

Bad Rabbit encrypts in two stages, again similar to NotPetya: the first stage encrypts the contents of files with the extensions shown below, and the second is the bootlock that takes effect on reboot. First-stage file encryption does not add a file extension; instead the string "encrypted", in Unicode, is appended to the end of each encrypted file.

Bad Rabbit Encrypted File
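To triage which files have already been through the first stage, here is an added example (not from the original analysis) that checks for the footer described above. It assumes the appended "encrypted" marker is UTF-16LE, which is what Windows and .NET call "Unicode", and it is demonstrated on two constructed files in a temporary folder rather than on real encrypted data.

```powershell
# Added triage example (not part of the original analysis).
# Assumption: the appended marker is "encrypted" encoded as UTF-16LE (.NET "Unicode"), 18 bytes.
$Marker = [System.Text.Encoding]::Unicode.GetBytes('encrypted')

function Test-BadRabbitFooter {
    # True when the last bytes of the file equal the marker. Only the tail is read, and the
    # file is opened with FileShare ReadWrite so files held open by other processes still work.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        if ($fs.Length -lt $Marker.Length) { return $false }
        $fs.Seek(-$Marker.Length, [System.IO.SeekOrigin]::End) | Out-Null
        $tail = New-Object byte[] $Marker.Length
        $read = $fs.Read($tail, 0, $tail.Length)
        if ($read -ne $tail.Length) { return $false }
        for ($i = 0; $i -lt $tail.Length; $i++) {
            if ($tail[$i] -ne $Marker[$i]) { return $false }
        }
        return $true
    } finally {
        $fs.Dispose()
    }
}

function Find-BadRabbitEncryptedFiles {
    # Walks a directory tree and lists the files carrying the footer.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-BadRabbitFooter -Path $_.FullName } |
        Select-Object FullName, Length, LastWriteTime
}

# Demo on constructed files (no real encrypted data involved).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'badrabbit-footer-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$body = [System.Text.Encoding]::ASCII.GetBytes('stand-in bytes for ciphertext ')
[System.IO.File]::WriteAllBytes((Join-Path $demo 'report.docx'), [byte[]]($body + $Marker))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'notes.txt'),   $body)

Find-BadRabbitEncryptedFiles -Root $demo
```

Only report.docx should be listed. Because just the last 18 bytes of each file are read, the walk is cheap enough to run across a large file share during incident scoping; a file that happens to end with the word "encrypted" in UTF-16 would be a false positive, which is acceptable for triage.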

A Readme.txt file is dropped on the desktop and sometimes in the root directory; it contains the ransom instructions together with a unique personal key. Bad Rabbit appears to use multiple bitcoin addresses to collect the ransom, as Sequretek Malware Lab found mention of at least three such addresses. The address to pay is shown only after the personal key is entered on the ransom collection page.

Bad Rabbit ReadMe

Bad Rabbit Key Input Information

The list of file extensions targeted for encryption and the attackers' own public key are both hardcoded in the binary, as seen below.

Extensions and Public Key

As mentioned earlier, the list of hardcoded passwords that Bad Rabbit tries when moving to other systems on the network can also be recovered from the binary.

Hardcoded Passwords

Analysing the bootlocker resources of Bad Rabbit, Sequretek Malware Lab found low-level components that are written directly to the disk. The first resource, shown below, resembles the bootloader.

Bootlocker Resource

Mitigation

Bad Rabbit can be prevented from executing and spreading in much the same way as NotPetya, by keeping its main components from doing their job.

– Disable the WMI service if possible. Disabling WMI also breaks management tooling that depends on it (SCCM, monitoring agents, many admin scripts), so test the impact first; where it cannot be disabled, restrict remote WMI access instead.

– Block the execution of %windir%\infpub.dat and %windir%\cscc.dat, where %windir% is C:\Windows or the Windows directory of the machine.

– Do not pay the ransom or any amount, as it will only encourage the malware authors.
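One way to implement the file-blocking mitigation above, as an added example and not a step from the original post: pre-create the two file names in %windir% as empty, read-only files with an empty DACL, so the dropper cannot write its own components there. This assumes the dropper gives up when it cannot create those files (a vaccine-style approach); the script must run from an elevated prompt on the host being protected and covers only the two names the post lists.

```powershell
# Added mitigation example (not part of the original post).
# Assumption: the dropper fails when these paths already exist and cannot be written.
# Run from an elevated PowerShell prompt on the host to be protected.

# The two names the post lists; dispci.exe is dropped into the same directory and could be added.
$Names = @('infpub.dat', 'cscc.dat')

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

foreach ($name in $Names) {
    $path = Join-Path $env:windir $name

    if (Test-Path -LiteralPath $path) {
        # A pre-existing file with one of these names may be the real component: inspect before touching it.
        if ((Get-Item -LiteralPath $path).Length -gt 0) {
            Write-Warning "$path already exists and is not empty; inspect it before continuing."
        } else {
            Write-Output "$path already present; ACL shown below for verification."
        }
        continue
    }

    New-Item -ItemType File -Path $path | Out-Null
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    # Strip the inherited ACEs and add none back: with an empty DACL no principal (the owner
    # aside) can read, write or execute the file, so the dropper's write fails.
    & icacls.exe $path /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path" }
    Write-Output "protected $path"
}

# Verification: each listing should show the path with no ACEs beneath it.
foreach ($name in $Names) { & icacls.exe (Join-Path $env:windir $name) }
```

The account that created the files is their owner and keeps the implicit right to change permissions, so the change is reversed with `icacls C:\Windows\infpub.dat /reset` followed by deleting the file (another administrator would first need `takeown /f`). An AppLocker or Software Restriction Policy rule denying execution of those two paths is a complementary control, and neither measure addresses the credential harvesting and SMB lateral movement described earlier, which still call for patching, credential hygiene and SMB segmentation.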

Conclusion

Ransomware has kept evolving and has come a long way from simple scare tactics and holding data to ransom, adding multiple evasion and propagation techniques along the way. What the families have in common is growing sophistication and complexity. WannaCry was one of the first ransomware families to bring worm-like capabilities, and Bad Rabbit appears to have evolved from NotPetya, combining the bootlocking capability with a decryption process that actually works. We found at least one instance that decrypted successfully once the correct key was provided: https://twitter.com/antonivanovm/status/922944062935707648 .

Bad Rabbit shows no sign of ransomware slowing down, but as always the anti-malware industry works to stay a step ahead in keeping end users secure.
