Posted by Scarlett (Updates Moderator)
Bad Rabbit ransomware
« Reply #1 on: October 24, 2017, 11:15:31 PM »
Bad Rabbit ransomware
24 October 2017, 8:16 pm



What happened?

On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine. Here’s what a ransom message looks like for the unlucky victims:



What is Bad Rabbit?

Bad Rabbit is a previously unknown ransomware family.

How is Bad Rabbit distributed?

The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure. No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer.

We’ve detected a number of compromised websites, all of which were news or media websites.

Whom does it target?

Most of the targets are located in Russia. Similar but fewer attacks have also been seen in other countries – Ukraine, Turkey and Germany. Overall, there are almost 200 targets, according to the KSN statistics.

Since when has Kaspersky Lab detected the threat?

We have been proactively detecting the original attack vector since the attack began on the morning of October 24. The main wave lasted until midday, although we are still detecting ongoing attacks.

How is it different from ExPetr? Or is it the same malware?

Our observations suggest that this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack.

Technical details

According to our telemetry, the ransomware is spread via a drive-by attack.

The ransomware dropper is distributed from hxxp://1dnscontrol[.]com/flash_install.php



Also according to our telemetry data, victims are redirected to this malware web resource from legitimate news websites.

The downloaded file named install_flash_player.exe needs to be manually launched by the victim. To operate correctly, it needs elevated administrative privileges which it attempts to obtain using the standard UAC prompt. If started, it will save the malicious DLL as C:\Windows\infpub.dat and launch it using rundll32.



[Screenshot: pseudocode of the procedure that installs the malicious DLL]

infpub.dat also appears to be capable of brute-forcing NTLM logins to Windows machines at pseudo-random IP addresses, using a hard-coded list of credentials.



[Screenshot: the hard-coded list of credentials]

infpub.dat will also install the malicious executable dispci.exe into C:\Windows and create a task to launch it.



[Screenshot: pseudocode of the procedure that creates the task which launches the malicious executable]

What’s more, infpub.dat acts as a typical file encrypting ransomware: it finds the victim’s data files using an embedded extension list and encrypts them using the criminal’s public RSA-2048 key.



[Screenshot: the public key of the criminals and the extension list]

The criminal’s public key parameters:

Public-Key: (2048 bit)
Modulus:
    00:e5:c9:43:b9:51:6b:e6:c4:31:67:e7:de:42:55:
    6f:65:c1:0a:d2:4e:2e:09:21:79:4a:43:a4:17:d0:
    37:b5:1e:8e:ff:10:2d:f3:df:cf:56:1a:30:be:ed:
    93:7c:14:d1:b2:70:6c:f3:78:5c:14:7f:21:8c:6d:
    95:e4:5e:43:c5:71:68:4b:1a:53:a9:5b:11:e2:53:
    a6:e4:a0:76:4b:c6:a9:e1:38:a7:1b:f1:8d:fd:25:
    4d:04:5c:25:96:94:61:57:fb:d1:58:d9:8a:80:a2:
    1d:44:eb:e4:1f:1c:80:2e:e2:72:52:e0:99:94:8a:
    1a:27:9b:41:d1:89:00:4c:41:c4:c9:1b:0b:72:7b:
    59:62:c7:70:1f:53:fe:36:65:e2:36:0d:8c:1f:99:
    59:f5:b1:0e:93:b6:13:31:fc:15:28:da:ad:1d:a5:
    f4:2c:93:b2:02:4c:78:35:1d:03:3c:e1:4b:0d:03:
    8d:5b:d3:8e:85:94:a4:47:1d:d5:ec:f0:b7:43:6f:
    47:1e:1c:a2:29:50:8f:26:c3:96:d6:5d:66:36:dc:
    0b:ec:a5:fe:ee:47:cd:7b:40:9e:7c:1c:84:59:f4:
    81:b7:5b:5b:92:f8:dd:78:fd:b1:06:73:e3:6f:71:
    84:d4:60:3f:a0:67:06:8e:b5:dc:eb:05:7c:58:ab:
    1f:61
Exponent: 65537 (0x10001)

The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor. It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine.

An interesting detail we noticed when analyzing the sample: the criminals behind this malware appear to be fans of the Game of Thrones books and TV series. Some of the strings used throughout the code are the names of characters from the series.



[Screenshot: dragon names from Game of Thrones used as strings in the code]



[Screenshot: a character name from Game of Thrones used as a string in the code]

Kaspersky Lab experts are working on a detailed analysis of this ransomware to find possible flaws in its cryptographic routines.

Kaspersky Lab corporate customers are also advised to:

- make sure that all protection mechanisms are activated as recommended, and that the KSN and System Watcher components (which are enabled by default) are not disabled;
- update the antivirus databases immediately.

The above measures should be sufficient. However, as additional precautions we advise the following:

- restricting execution of files with the paths C:\Windows\infpub.dat and C:\Windows\cscc.dat in Kaspersky Endpoint Security;
- configuring and enabling Default Deny mode in the Application Startup Control component of Kaspersky Endpoint Security to enforce proactive defense against this and other attacks.

Kaspersky Lab products detect this threat with the following verdicts:

Trojan-Ransom.Win32.Gen.ftl

Multi.Generic

PDM:Trojan.Win32.Generic

IOCs:

http://1dnscontrol[.]com/

fbbdc39af1139aebba4da004475e8839 – install_flash_player.exe

1d724f95c61f1055f0d02c2154bbccd3 – C:\Windows\infpub.dat

b14d8faf7f0cbcfad051cefe5f39645f – C:\Windows\dispci.exe

 



Source: Securelist - Information about Viruses, Hackers and Spam

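The infection chain above (dropper launched via a UAC prompt, infpub.dat loaded with rundll32, dispci.exe registered as a scheduled task) together with the IOC list gives enough to write host and proxy detection rules. The following is an added example, not code from the Securelist article or from Kaspersky. The event records are constructed to resemble Sysmon process-creation and web-proxy log entries reduced to a few fields; the field names, the scheduled-task name and the exact rundll32 and schtasks arguments are assumptions, since the article shows those only as screenshots.

```python
"""Detection rules for the Bad Rabbit indicators named in the article."""

# MD5 indicators from the article, keyed by hash.
IOC_MD5 = {
    "fbbdc39af1139aebba4da004475e8839": "install_flash_player.exe",
    "1d724f95c61f1055f0d02c2154bbccd3": "infpub.dat",
    "b14d8faf7f0cbcfad051cefe5f39645f": "dispci.exe",
}

# Dropped-file paths from the article (cscc.dat comes from the mitigation advice).
IOC_PATHS = (
    r"c:\windows\infpub.dat",
    r"c:\windows\dispci.exe",
    r"c:\windows\cscc.dat",
)

# Dropper distribution point from the article (defanged there as 1dnscontrol[.]com).
IOC_HOST = "1dnscontrol.com"
IOC_URL_PATH = "/flash_install.php"


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def match_process(ev):
    """Rules for one process-creation record; returns the rule names that fire."""
    hits = []
    image = ev.get("image", "").lower()
    cmd = ev.get("command_line", "").lower()
    md5 = ev.get("md5", "").lower()

    if md5 in IOC_MD5:
        hits.append("ioc_hash:" + IOC_MD5[md5])
    # Stage 1: the dropper launches the DLL from C:\Windows\infpub.dat via rundll32.
    if _basename(image) == "rundll32.exe" and "infpub.dat" in cmd:
        hits.append("rundll32_infpub")
    # Stage 2: infpub.dat creates a scheduled task that runs dispci.exe.
    if _basename(image) == "schtasks.exe" and "/create" in cmd and "dispci.exe" in cmd:
        hits.append("schtasks_dispci")
    # Any process whose image or command line references a dropped file.
    for p in IOC_PATHS:
        if image == p or p in cmd:
            hits.append("ioc_path:" + _basename(p))
    return hits


def match_proxy(ev):
    """Rules for one web-proxy record: contact with the dropper host."""
    hits = []
    if ev.get("host", "").lower() == IOC_HOST:
        hits.append("ioc_domain")
        if ev.get("path", "").lower() == IOC_URL_PATH:
            hits.append("dropper_download")
    return hits


def scan(events):
    """Run each record through the rule set for its type; return {index: [rules]} for hits only."""
    findings = {}
    for i, ev in enumerate(events):
        hits = match_proxy(ev) if ev.get("type") == "proxy" else match_process(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample records (not real telemetry). Task name and rundll32/schtasks
# arguments are assumptions consistent with the article's description.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL", "md5": ""},  # benign
    {"type": "proxy", "host": "1dnscontrol.com", "path": "/flash_install.php"},
    {"type": "process", "image": r"C:\Users\victim\Downloads\install_flash_player.exe",
     "command_line": r'"C:\Users\victim\Downloads\install_flash_player.exe"',
     "md5": "fbbdc39af1139aebba4da004475e8839"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\infpub.dat,#1", "md5": ""},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'/create /sc once /tn task1 /tr "C:\Windows\dispci.exe -id 1234"',
     "md5": ""},
    {"type": "proxy", "host": "example.com", "path": "/index.html"},  # benign
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Hash and path matches are the narrow rules and will miss a rebuilt sample; the rundll32-loading-a-.dat-from-C:\Windows and schtasks-running-a-binary-from-C:\Windows behaviours are the ones worth keeping after the hashes go stale.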