Thursday, October 26, 2017

Updated IOC's - Bad Rabbit Ransomware

A new ransomware worm named "Bad Rabbit" began spreading across the world Last Tuesday (Oct. 24), and it appeared to be a much-modified version of the NotPetya worm that hit eastern Europe in June.

This ransomware attack is most likely hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.

The self-titled “Bad Rabbit” malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (£250) for the decryption key. The ransom demand is phrased similarly to that of June’s outbreak, and researchers at Russian security firm Kaspersky say that the malware uses “methods similar to those used” during the NotPetya attack.

Briefly about yesterday's events :

  • The initial infection was due to compromised websites and a fake update to Flash Player, which required user interaction to activate and continue exploitation (the user had to confirm the agreement to install the update);
  • Distribution on the local network was done by scanning the internal network for open SMB-open access files, as well as an attempt to use the HTTP-based WebDAV protocol based on HTTP and allowing the use of the Web as a resource for reading and writing;
  • Mimikatz was used to extract user credentials from the memory of an infected PC;
  • Legitimate DiskCryptor software used to encrypt files;
  • Types of file extensions that were encrypted on a user's PC:
#Bad-Rabbit encrypts following files: .dib.disk.djvu.doc.docx.dwg.eml.fdb .odt.ora.ost.ova.ovf.p12.p7b.p7c .tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd

Original Name 
de5c8d858e6e41da715dca1c019df0bfb92d32c0– SHA1
79116fe99f2b421c52ef64097f0f39b815b20907 – SHA1
DLL payload
DiskCryptor Driver (x64)
DiskCryptor Client
16605a4a29a101208457c47ebfde788487be788d – SHA1
Mimikatz (x64)
413eba3973a15c1a6429d9f170f3e8287f98c21c -SHA1
Mimikatz (x32)
DiskCryptor driver x86
DiskCryptor driver x86

C&C servers

Payment site: http://caforssztxqzf2nm[.]onion
Inject URL: http://185.149.120[.]3/scholargoogle/
Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

Scheduled Tasks names:

In Taskschd.msc, look for and remove these tasks
  • viserion_
  • rhaegal
  • drogon

List of compromised web sites


 Distribution Paths:

  • /flash_install.php
  • /index.php

Intermediary Server:
  • 185.149.120[.]3

Hidden service:
  • caforssztxqzf2nm[.]onion

Kill Switch: to create read-only file C:\windows\infpub.dat. In case of infection files won't be encrypted

Restrict Scheduled Tasks: viserion_, rhaegal, drogon
Make backup of important data
Update operation systems and security systems
Isolate infected PCs
Block IP-addresses and domain names from Indicators list
Block inbound SMB
Use Credential Guard in Windows
Control # of admins
 Monitor scheduled tasks and service creation

No comments:

Post a Comment

Open source Tools for Live Meeting(Web Conferencing)

posts. Guys the most of you find these posts a valuable resource for the e-Learning community. As a result, the following post is Free and Open Source Web Conferencing (Online Meetings, Webinars) Tools for e-Learning.

The following list contains free and open source Web Conferencing tools that are n't in particular order.

Also, you should be sure that the e-Learning community will highly appreciate:

  1. if you post a comment with your experience with these tools and/or,

  2. if you post a comment with a link to any other free and open source Web Conferencing tool.

We support Free eLearning! Do you?

I support Free eLearning

BigBluebutton* is built for Higher Education. It enables universities and colleges to deliver a high-quality learning experience to remote students. BigBlueButton is an active open source project that focuses on usability, modularity, and clean design -- both for the user and the developer. The project is hosted at Google Code. BigBlueButton is built by combining over fourteen open source components.

*note: Epignosis has created a module that provides integration of BigBlueButton conferencing in eFront Open Source Learning Management System. BigBlueButton is a free web-conferencing tool with text chat, audio and video capabilites, a virtual whiteboard and many more presentation and conferencing features.

OpenMeetings is a free browser-based software that allows you to set up instantly a conference in the Web. You can use your microphone or webcam, share documents on a white board, share your screen or record meetings. It is available as hosted service or you download and install a package on your server with no limitations in usage or users.

OpenMeetings Key Features Mini Demo

Mikogo is a free desktop sharing tool full of features to assist you in conducting the perfect online meeting or web conference. Take advantage of the opportunity to share any screen content or application over the Internet in true color quality with up to 10 participants simultaneously, while still sitting at your desk.

Yugma free web conferencing allows anyone, anywhere to instantly share their desktop and ideas online with others. To start hosting your own meetings you have to sign up for FREE. Your Yugma Free web conferencing account allows you to invite up to 20 attendees

Using WebHuddle, you have options and flexibility. Meetings can be conducted either in conjunction with an enterprise’s existing teleconferencing service, or utilizing WebHuddle’s optional voice over IP. WebHuddle also offers recording capabilities -- presentations can easily be recorded for playback over any web browser for those who missed the live meeting.

With Vyew you can give a presentation to a hundred people online or post a document you've been working on for review by your colleagues at the convenience. Vyew is extremely flexible alloying you to bring online collaboration and conferencing into your workflow on your terms.

Dimdim delivers synchronized live presentations, whiteboards and web pages while sharing your voice and video over the Internet - with no download. With the Free edition you can get 10 person meetings, 1 way video, standard support, Dimdim branded rooms, and public meetings.

*note: Epignosis has created a module that provides integration of Dimdim conferencing in eFront  Open Source Learning Management System.

Adobe® ConnectNow is a great way to share ideas, discuss details, and complete work with others all online. Reduce travel costs, save time, and increase productivity with a web conferencing solution that's easy to access and simple to use. ConnectNow operates inside a web browser. There's no installation required, so getting started is easy and Free