Thursday, October 26, 2017

Updated IOC's - Bad Rabbit Ransomware



A new ransomware worm named "Bad Rabbit" began spreading across the world Last Tuesday (Oct. 24), and it appeared to be a much-modified version of the NotPetya worm that hit eastern Europe in June.




This ransomware attack is most likely hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.

The self-titled “Bad Rabbit” malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (£250) for the decryption key. The ransom demand is phrased similarly to that of June’s outbreak, and researchers at Russian security firm Kaspersky say that the malware uses “methods similar to those used” during the NotPetya attack.



Briefly about yesterday's events :

  • The initial infection was due to compromised websites and a fake update to Flash Player, which required user interaction to activate and continue exploitation (the user had to confirm the agreement to install the update);
  • Distribution on the local network was done by scanning the internal network for open SMB-open access files, as well as an attempt to use the HTTP-based WebDAV protocol based on HTTP and allowing the use of the Web as a resource for reading and writing;
  • Mimikatz was used to extract user credentials from the memory of an infected PC;
  • Legitimate DiskCryptor software used to encrypt files;
  • Types of file extensions that were encrypted on a user's PC:
#Bad-Rabbit encrypts following files:
.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der .dib.disk.djvu.doc.docx.dwg.eml.fdb
.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods .odt.ora.ost.ova.ovf.p12.p7b.p7c
.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif .tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd
.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.



Original Name 
256hash
Description
install_flash_player.exe 
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
de5c8d858e6e41da715dca1c019df0bfb92d32c0– SHA1
Dropper
infpub.dat
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
79116fe99f2b421c52ef64097f0f39b815b20907 – SHA1
DLL payload
cscc.dat
0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
DiskCryptor Driver (x64)
dispci.exe
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
afeee8b4acff87bc469a6f0364a81ae5d60a2add-SHA1
DiskCryptor Client
xxxx.tmp
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
16605a4a29a101208457c47ebfde788487be788d – SHA1
Mimikatz (x64)
xxxx.tmp
2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035
413eba3973a15c1a6429d9f170f3e8287f98c21c -SHA1
Mimikatz (x32)
cscc.dat
8d63e37aa74ca33a926bec7c7aa8fda0f764ffbb20e8f64bb9c3999b5975f9a6
cscc.dat
page-main.js
4f61e154230a64902ae035434690bf2b96b4e018
JS/Agent.NWC
Ransomware
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Ransomware
DiskCryptor driver x86
682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806
DiskCryptor driver x86
Invoice_file_06565.doc
 7217fae6f3634cde7d54eba3858e8958eb1e5e85e2c36d968818cdce75a3fae9
Invoice_file_06565.doc



C&C servers

Payment site: http://caforssztxqzf2nm[.]onion
Inject URL: http://185.149.120[.]3/scholargoogle/
Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

Scheduled Tasks names:

In Taskschd.msc, look for and remove these tasks
  • viserion_
  • rhaegal
  • drogon


List of compromised web sites


URL
185.149.120.3/scholargoogle/
1dnscontrol.com/flash_install.php
caforssztxqzf2nm.onion
argumentiru.com
www.fontanka.ru
grupovo.bg
www.sinematurk.com
www.aica.co.jp
spbvoditel.ru
argumenti.ru
www.mediaport.ua
blog.fontanka.ru
an-crimea.ru
www.t.ks.ua
most-dnepr.info
osvitaportal.com.ua
www.otbrana.com
calendar.fontanka.ru
www.grupovo.bg
www.pensionhotel.cz
www.online812.ru
www.imer.ro
novayagazeta.spb.ru
i24.com.ua
bg.pensionhotel.com
ankerch-crimea.ru
x90.im
myk104.com
montenegro-today.com
otbrana.com
hercegnovi.me
bahmut.com.ua
ucarsoft.com
pensionhotel.de
tweetlerim.gen.tr
sarktur.com


 Distribution Paths:

  • /flash_install.php
  • /index.php

Intermediary Server:
  • 185.149.120[.]3

Hidden service:
  • caforssztxqzf2nm[.]onion



Defense
Kill Switch: to create read-only file C:\windows\infpub.dat. In case of infection files won't be encrypted

Restrict Scheduled Tasks: viserion_, rhaegal, drogon
Make backup of important data
Update operation systems and security systems
Isolate infected PCs
Block IP-addresses and domain names from Indicators list
Block inbound SMB
Use Credential Guard in Windows
Control # of admins
 Monitor scheduled tasks and service creation

No comments:

Post a Comment