After WannaCry and Petya/NotPetya/GoldenEye, it's clear that Ukraine is a testing ground where threat actors try out their malware, develop different variants, and perfect them before launching them at their final targets. Today, we have Bad Rabbit and DiskCoder. When we first read about them, we thought they were two separate pieces of malware; on deeper analysis, they are the same.
Background
ESET reported that several transportation organizations in Ukraine, as well as some governmental organizations, had suffered a cyberattack resulting in encrypted computers. Public sources confirmed that computer systems in the Kiev Metro, Odessa airport, and a number of organizations in Russia were affected.
They discovered that in the case of the Kiev Metro, the malware used was Diskcoder.D, a new variant of the ransomware also known as Petya. The previous variant of Diskcoder was used in a devastating global cyberattack in June 2017.
Bad Rabbit and DiskCoder are the same malware. Win32/Filecoder.D is a modified version of Win32/Diskcoder.C (Not Petya) with encryption bugs fixed and DiskCryptor integration for full drive encryption.
Distribution Method
One of the distribution methods of Bad Rabbit is drive-by download. Popular websites are compromised and have JavaScript injected into their HTML body or into one of their .js files. T1189
The injected script reports information to 185.149.120[.]3, including:
- Browser User-Agent
- Referrer
- Cookie from the visited site
- Domain name of the visited site
Server-side logic determines if the visitor is of interest. If so, a popup asking to download an update for Flash Player appears. Clicking "Install" initiates a download from 1dnscontrol[.]com. The executable install_flash_player.exe is the dropper for Win32/Filecoder.D.
Propagation via SMB
Contrary to some public claims, Bad Rabbit does not use the EternalBlue vulnerability as Win32/Diskcoder.C (NotPetya) did. Instead, it scans the internal network for open SMB shares, looking for: T1021.002
| SMB Shares Targeted | | |
|---|---|---|
| admin | atsvc | browser |
| eventlog | lsarpc | netlogon |
| ntsvcs | spoolss | samr |
| srvsvc | scerpc | svcctl |
| wkssvc | | |
Mimikatz is launched on the compromised computer to harvest credentials. T1003.001 A hardcoded list of common usernames and passwords is also embedded in the malware, including default credentials like Administrator, Admin, root, and weak passwords like qwerty, password, and 123456. T1110
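The sweep described above (probing the listed SMB endpoints host by host, then trying harvested and default credentials) leaves a distinctive trace in Windows Security event 5145, which records each access to the IPC$ share together with the requested pipe name. The following Python is an added detection example, not code from the original report or from ESET; it assumes the 5145 records have already been parsed into dicts with the field names shown, and runs over a constructed sample set.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Names from the table above. On Windows they are named pipes reached through the
# IPC$ share, and Security event 5145 logs each access with the pipe name.
BAD_RABBIT_PIPES = {
    "admin", "atsvc", "browser", "eventlog", "lsarpc", "netlogon", "ntsvcs",
    "spoolss", "samr", "srvsvc", "scerpc", "svcctl", "wkssvc",
}

def detect_smb_sweep(events, min_hosts=3, min_pipes=4, window=timedelta(minutes=5)):
    """Return {source_ip: (hosts, pipes)} for each source that touched >= min_pipes
    listed pipes on >= min_hosts distinct computers within any `window` span."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 5145 or not ev["ShareName"].endswith("IPC$"):
            continue
        pipe = ev["RelativeTargetName"].lower()
        if pipe in BAD_RABBIT_PIPES:
            by_src[ev["IpAddress"]].append((ev["Time"], ev["Computer"], pipe))
    hits = {}
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):  # sliding time window over this source's records
            while recs[end][0] - recs[start][0] > window:
                start += 1
            span = recs[start:end + 1]
            hosts = {r[1] for r in span}
            pipes = {r[2] for r in span}
            if len(hosts) >= min_hosts and len(pipes) >= min_pipes:
                h, p = hits.get(src, (set(), set()))
                hits[src] = (h | hosts, p | pipes)  # accumulate every qualifying window
    return {src: (sorted(h), sorted(p)) for src, (h, p) in hits.items()}

def _ev(secs, src, computer, pipe):
    """Build a minimal 5145-style record (constructed sample data, not a real log)."""
    return {"EventID": 5145, "Time": datetime(2017, 10, 24, 9, 0) + timedelta(seconds=secs),
            "IpAddress": src, "Computer": computer, "ShareName": r"\\*\IPC$",
            "RelativeTargetName": pipe}

# Constructed sample: 10.0.0.5 probes three workstations within seconds, while
# 10.0.0.9 prints normally (spoolss on one server) and must not raise an alert.
SAMPLE_EVENTS = [
    _ev(0, "10.0.0.5", "WS01", "srvsvc"), _ev(2, "10.0.0.5", "WS01", "svcctl"),
    _ev(4, "10.0.0.5", "WS02", "atsvc"), _ev(6, "10.0.0.5", "WS02", "samr"),
    _ev(8, "10.0.0.5", "WS03", "lsarpc"), _ev(9, "10.0.0.5", "WS03", "wkssvc"),
    _ev(30, "10.0.0.9", "PRINT01", "spoolss"), _ev(3600, "10.0.0.9", "PRINT01", "spoolss"),
]
```

Event 5145 is only written when "Audit Detailed File Share" is enabled, so the thresholds are a starting point to tune against a baseline of normal IPC$ traffic from management hosts.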
Encryption
Win32/Diskcoder.D is a modified version of Win32/Diskcoder.C with bugs in file encryption fixed. The encryption now uses DiskCryptor, an open-source legitimate software for full drive encryption. T1486
Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key. Encrypted files have the extension .encrypted. Like before, AES-128-CBC is used for file-level encryption.
The sample metadata uploaded on VirusTotal shows copyright belonging to DiskCryptor, revealing the malware's direct incorporation of the legitimate encryption tool.
Geographic Distribution
ESET telemetry shows that Ukraine accounts for only 12.2% of the total infections. The geographic distribution of the dropper closely matches the locations of the compromised websites hosting the malicious JavaScript:
| Country | Infection Rate |
|---|---|
| Russia | 65% |
| Ukraine | 12.2% |
| Bulgaria | 10.2% |
| Turkey | 6.4% |
| Japan | 3.8% |
| Other | 2.4% |
It's interesting to note that all the major companies were hit at the same time. It is possible that the group already had a foothold inside their networks and launched the watering hole attack simultaneously as a decoy.
AV Coverage
As of the morning of the attack, only 9 out of 66 AV companies had signatures for the malware. By end of day, only 27 out of 66 had detection, a concerning gap in coverage that left many organizations exposed.
Indicators of Compromise
References
- "Bad Rabbit: Not-Petya is back with improved ransomware," WeLiveSecurity (ESET), October 24, 2017. welivesecurity.com
- "Bad Rabbit," Talos Intelligence Blog, October 24, 2017. talosintelligence.com
- "Threat Brief: Information on Bad Rabbit Ransomware Attacks," Palo Alto Networks, October 2017. paloaltonetworks.com
- "Global ransomware attack causes turmoil," BBC News, October 2017. bbc.com