My next class:
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024

BadRabbit: New ransomware wave hitting RU & UA

Published: 2017-10-24. Last Updated: 2017-10-24 16:09:36 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

About two hours ago, reports started to come in about a new ransomware wave hitting the Russian media agency Interfax, and it is spreading to other organizations in both Russia (RU) and Ukraine (UA):
https://www.bloomberg.com/news/articles/2017-10-24/russian-news-agency-interfax-faces-unprecedented-hacker-attack
https://frontnews.eu/news/en/16198
https://twitter.com/GroupIB/status/922818401382346752

It seems to be delivered via a malicious URL posing as a fake Flash update; once on a host, it reportedly uses EternalBlue and Mimikatz for lateral movement and further spreading. The delivery URL seen so far (defanged):

1dnscontrol[.]com/flash_install.php

Diskcoder/#BadRabbit IOCs as found by ESET:
Dropper:
https://www.virustotal.com/en/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/
https://www.virustotal.com/en/file/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93/analysis/

There is still a lot of speculation, though, as the analysis is at an early stage; more details are expected to come. At least it's not Friday!
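While the analysis matures, the two things a defender can act on right now are the delivery URL and the dropper hashes listed above. The script below is an added example (not part of this diary or of ESET's research): it refangs the published URL, matches it against Squid-style proxy log lines, and checks file SHA-256 values against the two dropper hashes. The log lines and file contents are constructed for illustration, and the Squid field layout (URL as the seventh whitespace-separated field) is an assumption you will need to adjust for other proxy formats.

```python
#!/usr/bin/env python3
"""Hunt for the BadRabbit IOCs quoted in the diary in proxy logs and file hashes.

Added example, not code from the diary: the IOC values are the ones published
above; the log lines and file blobs below are constructed, not real traffic.
"""
import hashlib
import re
from typing import Dict, Iterable, List

# IOCs as published (URL kept defanged, as on the page).
DEFANGED_URLS = ["1dnscontrol[.]com/flash_install.php"]
DROPPER_SHA256 = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1dnscontrol[.]com', 'hxxp://') back into a usable string."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def _url_pattern(defanged: str) -> "re.Pattern":
    """Build a regex matching the host and path of a defanged 'host/path' IOC.

    Assumption: scheme and port are not part of the IOC, so any http(s) scheme
    and any port are accepted, and a query string may follow the path.
    """
    host, _, path = refang(defanged).partition("/")
    return re.compile(r"https?://" + re.escape(host) + r"(:\d+)?/" + re.escape(path) + r"\b", re.I)


URL_PATTERNS = [_url_pattern(u) for u in DEFANGED_URLS]


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that requested a known delivery URL.

    Assumes Squid native access.log layout:
    time elapsed client code/status bytes method URL ... (URL is field index 6).
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        url = fields[6]
        if any(pat.match(url) for pat in URL_PATTERNS):
            hits.append({"client": fields[2], "url": url, "line": line.strip()})
    return hits


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_dropper(sha256_hex: str) -> bool:
    """Case-insensitive lookup against the dropper hashes from the diary."""
    return sha256_hex.strip().lower() in DROPPER_SHA256


def check_files(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files whose SHA-256 matches a known dropper."""
    return [name for name, data in files.items() if is_known_dropper(sha256_of(data))]


# Constructed Squid-format log lines (not real traffic): two hits, one benign request.
SAMPLE_LOG = [
    "1508845200.123    210 10.0.0.5 TCP_MISS/200 1523 GET http://1dnscontrol.com/flash_install.php - HIER_DIRECT/1.2.3.4 text/html",
    "1508845201.456     15 10.0.0.7 TCP_HIT/200 40231 GET http://www.example.com/news/index.html - HIER_NONE/- text/html",
    "1508845202.789    300 10.0.0.9 TCP_MISS/200 432 GET http://1dnscontrol.com:8080/flash_install.php?id=7 - HIER_DIRECT/1.2.3.4 application/octet-stream",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit["client"], hit["url"])
    # A real sample would be hashed the same way; this constructed blob will not match.
    print("known dropper files:", check_files({"flash_install.exe": b"constructed, not the sample"}))
```

Run it against a real access.log with `scan_proxy_log(open("access.log"))`; for non-Squid formats only the field index in `scan_proxy_log` needs to change. The hash check is deliberately exact-match only: a recompiled or repacked dropper will not hit, so treat a proxy hit on the delivery URL as the stronger signal and pull the downloaded file for analysis.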

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


Comments

Looking forward to hearing how this one gets in. Macros?
[quote=comment#40396]Looking forward to hearing how this one gets in. Macros?[/quote]

"It seems to be delivered via malicious URL as fake flash update and then using EternalBlue and Mimikatz for lateral movement and further spreading."
Here are some pcaps about the variant in Java

https://www.dropbox.com/sh/liy3usle2h9lzw7/AABxG2L65hC3sJVzdCHFZHvZa?dl=0

And also the way to detect it easily

bubu@val1:~/c++/aiengine/src$ ./aiengine -i /home/bubu/pcapfiles/ratty/ -R -r "^\x05(\x00$|$)" -r "^\x05$" -m
AIEngine running on Linux kernel 4.4.0-92-generic #115-Ubuntu SMP Thu Aug 10 09:04:33 UTC 2017 x86_64
GCC version:5.4.0
Pcap version:libpcap version 1.7.4
Pcre version:8.38
Boost version:1.58
Static memory support:no
[10/27/17 14:02:17] Lan network stack ready.
[10/27/17 14:02:17] Enable NIDSEngine on Lan network stack
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/072d69dc34676d269797afe1c68bc6d65f7e2711519c1bf2f3e7714ee62822f1.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 11 KBytes of memory
Flow:[192.168.56.17:58739:6:134.255.216.114:1234] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/354e763f72eeed01067109bfd74d85c5e31e84ef6024bd8b459040a501e927dc.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.11:52044:6:89.33.16.229:1337] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/3f3f44752da5d546c7acfddf5823307c6c92dc813323cc2fc3f04b98f5519901.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.10:49160:6:88.67.160.102:1188] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/62e9f321ddcaa209cc9e42697a97e0657aed8d6b1eb85035bd74c9c6ecc00295.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 13 KBytes of memory
Flow:[192.168.56.21:62079:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/7f50695e93f855887fb1bfbabdb7bb2994e9b67d1f931f04be41ab5361842d56.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.17:49172:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/f137894ebaa308f62f4f5cfa3c2d1282ea3d474035606848b982a5a79602e279.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:52299:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/fa168e58e1e42ae9c95088aec2a262ef8d5700f3241c1135d77f3e3484db1a74.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:49166:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
PacketDispatcher(0xbd6b50) statistics
Connected to Lan network stack
Total packets: 9612
Total bytes: 3350895

RegexManager(0xbeabf0)[Generic Regex Manager] Plugged on TCPGenericProtocol
Name:experimental0 Matchs:7 Evaluates:53
Name:experimental1 Matchs:7 Evaluates:23

Exiting process
