BadRabbit ransomware: suggested readings

Spreads over the network; currently hitting Russia, Ukraine, Germany, Japan, and Turkey

A variant of Petya/NotPetya/EternalPetya called BadRabbit and probably prepared by the same authors has infected several big Russian media outlets.

BadRabbit uses SMB to propagate laterally with a hardcoded list of usernames and passwords.

However, unlike NotPetya, it doesn’t use EternalBlue.

Below are some suggested readings on this threat:


darkreading.com

A wave of ransomware infections is hitting hundreds of government, media, transportation, and other targets in Eastern Europe today mainly in Russia and Ukraine, but also in Bulgaria, Germany, and Turkey.

Among the most high-profile targets thus far are major news outlets such as Russia’s Interfax Agency, and Ukraine’s Kiev Metro, its Odessa International Airport, and ministries of infrastructure and finance.

https://www.darkreading.com/attacks-breaches/bad-rabbit-ransomware-attacks-rock-russia-ukraine—and-beyond/d/d-id/1330208


us-cert.gov

US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.



welivesecurity.com

ESET discovered that in the case of the Kiev Metro, the malware used for the cyberattack was Diskcoder.D — a new variant of ransomware known also as Petya.


infosecurity-magazine.com

BadRabbit was first spotted attacking Russian media outlets on Tuesday, including the news agency Interfax, according to security firm Group-IB, which posted a screenshot of the ransom screen. Other security firms have followed with their own early research and detections, with the consensus being that the malware is a variant of the Petya ransomware.

https://twitter.com/GroupIB_GIB/status/922819835494649856/photo/1

The attackers are demanding 0.05 bitcoin as ransom — or about $280 at the going exchange rate.



kaspersky.com

According to our findings, the attack doesn’t use exploits. It is a drive-by attack: Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves.



malwarebytes.com

Countries we know to be impacted so far are Russia, Ukraine, Turkey, Bulgaria, and Germany, with attacks centered on targets as wide-ranging as infrastructure, transportation, and media outlets.

The dropper is an executable that pretends to be a Flash update. The malware must run with Administration privileges, but no UAC bypass technique has been deployed — it relies purely on social engineering, trying to convince the user to elevate it.



nakedsecurity.sophos.com

If Bad Rabbit infects your computer, it attempts to spread across the network using a list of usernames and passwords buried inside the malware.

These credentials include passwords straight out of a worst passwords list.



isc.sans.edu

It seems to be delivered via malicious URL as fake flash update:

1dnscontrol[.]com/flash_install.php



bloomberg.com

Russian business newswire Interfax suffered a hacker attack that made part of its services unavailable to subscribers, according to a statement Tuesday.



soursefrontnews.eu

The virus like Petya.A, which hit computers around the world in late June, today, October 24, infected computers of the Kyiv Metro, a source told Front News International.



securityaffairs.co

A new massive ransomware campaign is rapidly spreading around Europe, the malware dubbed Bad Rabbit has already affected over 200 major organizations mainly in Russia, Ukraine, Germany, Japan, and Turkey in a few hours.



securityweek.com

Infected computers display a screen informing users that their files have been encrypted and instructing them to access a website over the Tor anonymity network.

The Tor site tells victims to pay 0.05 bitcoin, worth roughly $283, to obtain the key needed to recover the encrypted files.



thehackernews.com

Bad Rabbit ransomware uses DiskCryptor, open-source full-drive encryption software, to encrypt files on infected computers with RSA 2048 keys.


threatpost.com

The infpub.dat file prominent in today’s attack will also install another malicious executable called dispci.exe.

It creates tasks in the registry to launch the executable; the tasks are named after the dragons in Game of Thrones: Viserion, Drogon and Rhaegal.

There’s also a reference to a Game of Thrones character GrayWorm in the code.



trendmicro.com

Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.



IlluminateJs: a good JavaScript deobfuscator

Useful during analysis of malicious sites

Yesterday in my Twitter stream I saw this tweet by Florian Roth:

During the analysis of a malicious site, one of the first steps is the deobfuscation of the suspicious JavaScript.

There are a lot of tools (online or standalone) that can help the analyst during this step, but IlluminateJs, from my point of view, is one of the most complete and accurate.

Consider it like JSDetox, but on steroids.

The IlluminateJs core is a Babel compiler plugin, and it works entirely in your browser: no server interaction is needed to perform deobfuscation.

Features

  • Extended constant propagation
  • Array mutators tracking
  • Mixed-type expressions evaluation
  • Support for modern JavaScript (ES6)
  • Function calls evaluation
  • Built-in function evaluation
  • Loops evaluation
  • Procedure inlining

References

https://illuminatejs.com

Fileless Malware for Dummies

Just some random thoughts about this kind of threat

Some days ago, a non-technical friend asked me for some information about ‘fileless malware’.

It has been pretty difficult to explain this concept to a person lacking proper security knowledge, so I have made a recap of this talk in a brief “4Dummies” article.

Continue…

Python for malware analysis

Six Python tools useful for identifying and analysing malware

Python is a widely used scripting language in the field of computer forensics and malware analysis.

Today, we look at some of the tools developed in this scripting language that are useful in the analysis of malicious programs.


pyew

A command-line tool to analyse malware, developed by Joxean Koret.
It supports hexadecimal viewing and disassembly of PE and ELF file formats, follows direct call/jmp instructions in the interactive command line, and displays function names and string data references.
It also supports plugins to add more features.


Exefilter

An open-source tool and Python framework to filter file formats in e-mails, web pages or files.
It detects many common file formats and can remove active content.


jsunpack-n

A generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities.


yara-python

A library that allows using YARA in Python programs.
It covers all YARA’s features, from compiling, saving and loading rules to scanning files, strings and processes.


phoneyc

A ‘pure python’ honeyclient implementation that gives insights into malicious websites, including the exploits on the page and their consequences.


pyClamd

A Python interface to clamd (the ClamAV antivirus daemon), useful for adding virus-detection capabilities to Python software.

The software is currently developed and maintained by Alexandre Norman.


Yes, a security researcher saved the world by mistake!

The spread of the WannaCry ransomware was slowed simply by registering a domain name


In these hours everyone is writing something about the WannaCry ransomware, often providing discordant or misleading information.

So if you want more information about the infection, take a look at the links in the ‘References’ section at the bottom of the article; here I want to tell you the story of the researcher who unknowingly saved the world from a poor-quality ransomware, and from the very users who do not install security patches on their systems.


Once executed, the WannaCry ransomware does not infect the system immediately: reverse engineers found that the dropper first tries to connect to a domain, which was initially unregistered:

http://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If the connection to the above-mentioned domain fails, the dropper proceeds to infect the system and starts encrypting files.

However, if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module; the real purpose of this switch is actually unknown.


Suddenly, an unaware hero comes up to the stage!


A security researcher, tweeting as MalwareTech, registered the strange domain for just £10, accidentally triggering the “kill switch” that can prevent the spread of the WannaCry ransomware, at least for now:


https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Obviously, the response by the cybersecurity community has been enthusiastic:

https://twitter.com/darienhuss/status/863083680528576512/photo/1

Good job, MalwareTech!


References

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Build your own Windows worm in minutes

Really simple-to-use tools, available to everyone!


In this brief video (3′ 14’’) from the O’Reilly website, Chad Russell constructs a simple computer worm using one of the well-known malware-building tools, “Internet Worm Maker Thing”.

Internet Worm Maker Thing is a free tool with which anyone can make many kinds of malware and worms able to infect the victim’s drives and files, show messages, disable anti-virus software and much more.


The VBS script can be compiled into an executable in order to elude antivirus.

Frightened? Consider that there are a lot of similar tools, for example:

DelMe Virus Maker


DelMe Virus Maker has more features than Internet Worm Maker Thing and a simpler UX.
The generated malware can be saved in VBS format (and later compiled with other tools).

JPS Virus Maker


Similar to the previous tools, but with some additional ‘offensive’ features.

And these tools are freely available on the internet, just a simple Google search away: any script kiddie (or angry employee) can download one of these applications and turn into a threat.

So, update your antivirus/antimalware, always!


References

Chad Russell

Chad Russell is a cyber security veteran of 15 years who has held CISSP, CCNP, MCSE, and MCDBA certifications. Chad has taught Microsoft Engineering courses as a certified trainer, and has acted as a security engineering consultant for companies such as SAP, Microsoft, and Oracle. Currently, Chad conducts security risk assessments for companies throughout North America with an emphasis on cloud security, identity governances, network security, social engineering, mobile security, breach assessments, database security, and access management.

DNSMessenger: a fileless RAT that uses DNS queries to receive commands from the C&C

Theoretically invisible to standard anti-malware defenses.


Cisco’s Talos threat research group has recently discovered a new kind of RAT (Remote Access Trojan), called DNSMessenger.

DNSMessenger is completely fileless: it works only in memory and does not save data on the filesystem.
Furthermore, it uses DNS queries to deliver malicious PowerShell commands to compromised computers, a technique that makes it invisible to standard anti-malware defenses.

The malware spreads via a malicious Word document crafted to appear as if it were associated with a secure e-mail service secured by McAfee:


Once opened, the document launches a VBA macro that executes a PowerShell script in order to run the backdoor on the target system.

The backdoor establishes a two-way communication channel over DNS requests, using DNS TXT records, which by definition allow a DNS server to attach unformatted text to a response.


The backdoor periodically sends DNS queries to one of a series of domains hard-coded in its source code.


As part of those requests, it retrieves the domain’s DNS TXT record, which contains further PowerShell commands that are executed but never written to the local system.


This malware sample is an excellent example of the lengths attackers are willing to go to in order to stay undetected while operating within the environments they are targeting.

It also illustrates that, in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc., DNS traffic within corporate networks should be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.
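As an added defensive example (not code from the Talos post or from the WannaCry write-up above), the script below reviews resolver query logs for both DNS behaviours this page describes: a host querying the WannaCry kill-switch domain, which tells you the dropper ran there, and a host issuing many TXT lookups with long random labels under one domain, the traffic shape of the DNSMessenger TXT command channel. The log format, the thresholds, the sample lines and the `evil-c2.test` domain are constructed assumptions.

```python
"""Added example, not from the page: scan resolver query logs for the two DNS signs
described above. Assumed, constructed log format: "<timestamp> <client> <qname> <qtype>"."""
from collections import defaultdict
import math

# Kill-switch domain from the WannaCry post above (un-defanged): a client that looked it
# up is a host where the dropper executed, whatever the HTTP result was afterwards.
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
MIN_LABEL_LEN = 12   # leading labels this long are rarely typed by humans
MIN_ENTROPY = 3.0    # bits per char; hex or base64 command blobs score above this
TXT_THRESHOLD = 5    # distinct random TXT names per client and parent domain to flag

def shannon_entropy(s):
    """Bits per character: 'aaaa' -> 0.0, sixteen distinct hex digits -> 4.0."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def analyse(lines):
    """Return {'kill_switch_hosts': [client, ...], 'txt_c2': [(client, parent, n), ...]}."""
    kill_switch_hosts, random_txt = set(), defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                                   # tolerate blank or malformed lines
        _, client, qname, qtype = parts
        qname = qname.lower().replace("[.]", ".").rstrip(".")   # accept defanged input
        if qname == KILL_SWITCH:
            kill_switch_hosts.add(client)
        first = qname.split(".")[0]
        # DNSMessenger-style channel: repeated TXT lookups whose first label is a long,
        # high-entropy blob under one parent. SPF/DMARC/DKIM names are short and readable.
        if (qtype.upper() == "TXT" and len(first) >= MIN_LABEL_LEN
                and shannon_entropy(first) >= MIN_ENTROPY):
            parent = ".".join(qname.split(".")[-2:])   # crude registered-domain cut
            random_txt[(client, parent)].add(first)
    suspects = [(c, p, len(n)) for (c, p), n in random_txt.items() if len(n) >= TXT_THRESHOLD]
    return {"kill_switch_hosts": sorted(kill_switch_hosts), "txt_c2": sorted(suspects)}

# Constructed sample: a kill-switch hit, an ordinary DMARC lookup, and TXT beaconing.
SAMPLE_LOG = """\
2017-05-12T10:01:03 10.0.0.5 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-12T10:01:05 10.0.0.7 _dmarc.example.com TXT
2017-05-12T10:02:10 10.0.0.9 c7d9e1f2a3b4c5d6.cmd.evil-c2.test TXT
2017-05-12T10:02:40 10.0.0.9 a1b2c3d4e5f60718.cmd.evil-c2.test TXT
2017-05-12T10:03:10 10.0.0.9 9f8e7d6c5b4a3210.cmd.evil-c2.test TXT
2017-05-12T10:03:40 10.0.0.9 0123456789abcdef.cmd.evil-c2.test TXT
2017-05-12T10:04:10 10.0.0.9 fedcba9876543210.cmd.evil-c2.test TXT
"""
```

On the constructed sample, `analyse(SAMPLE_LOG.splitlines())` reports 10.0.0.5 as a kill-switch hit and 10.0.0.9 with five random TXT names under evil-c2.test; tune the thresholds against your own resolver baseline before alerting on them.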


More information and technical analysis in the original post on Talos’ blog:

http://blog.talosintelligence.com/2017/03/dnsmessenger.html