Threat Spotlight: Bad Rabbit Ransomware

Introduction

After the very public Petya-Like attack that occurred in June, a new and remarkably similar ransomware has been observed spreading in the wild throughout Russia, Ukraine, and several other countries. Bad Rabbit, as it is known, was initially spread via drive-by downloads, but also contains the ability to propagate via SMB, as well as encrypting files and preventing an infected system from booting properly.

Impact

Bad Rabbit is a nasty ransomware in that it not only modifies files, but also the underlying filesystem and master boot record (MBR). It will harvest credentials using Mimikatz and attempt brute-force logins to propagate using SMB. Once it is active within an organization it will typically spread successfully and rapidly, rendering the system completely inoperable in the process.

Technical Analysis

Overview

The malware comprises a dropper that drops and executes the main payload DLL, which also contains several additional components:

  • Dropper (install_flash_player.exe)
  • Main payload DLL (infpub.dat)
  • Ransomware component (dispci.exe)
  • Mimikatz for x86 and x64
  • Legitimate DiskCryptor drivers for x86 and x64 (C:Windowscscc.dat)

Dropper

The dropper is a fake Adobe Flash installer (“install_flash_player.exe”,
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da). In an attempt to evade detection by antivirus products, the executable has been signed using a digital certificate borrowed from another (legitimate) executable.

Checking the file properties, we can immediately see it’s invalid:

Figure 1. Invalid file signing on the dropper

The manifest directives embedded within the executable cause Windows to request elevated runtime privileges. The failed validation causes the “Publisher” field on the UAC consent dialog to show as “Unknown”. Tools such as SigThief make it trivial to splice a certificate onto an executable or DLL.

Figure 2. Unknown publisher in UAC dialog

Once active, the first task is to decompress the 371,619 bytes of overlay data using zlib 1.2.8. (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog