SANS ISC: BadRabbit: New ransomware wave hitting RU & UA - SANS Internet Storm Center
BadRabbit: New ransomware wave hitting RU & UA

About 2 hours ago, reports started to come in about a new ransomware wave hitting the Russian media agency Interfax; it is now extending to other organisations in both RU and UA:
https://www.bloomberg.com/news/articles/2017-10-24/russian-news-agency-interfax-faces-unprecedented-hacker-attack
https://frontnews.eu/news/en/16198
https://twitter.com/GroupIB/status/922818401382346752

It seems to be delivered via a malicious URL serving a fake Flash update, and then to use EternalBlue and Mimikatz for lateral movement and further spreading. The delivery URL (defanged) is:

1dnscontrol[.]com/flash_install.php

Diskcoder/#BadRabbit IOCs as found by ESET:
Dropper:
https://www.virustotal.com/en/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/
https://www.virustotal.com/en/file/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93/analysis/

There is still a lot of speculation, as the analysis is at an early stage; more details are sure to come. At least it's not Friday!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
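As an added example (not part of the ISC diary and not the handler's code), the following Python script turns the indicators listed in the diary into a detection check: it refangs the delivery domain, matches it against constructed proxy-log lines, and matches the two ESET dropper SHA-256 hashes against a constructed sha256sum-style inventory. Only the domain, the URL path and the two hashes come from the diary; the log format, the log lines, the client addresses and the file paths are assumptions made for this example. A path-only match on /flash_install.php is deliberately reported as low severity, since that file name is not unique to this campaign.

```python
"""Added example (not from the ISC diary): turn the BadRabbit IOCs listed
in the diary into a detection check over constructed data.

Only the delivery domain, the URL path and the two ESET dropper SHA-256
hashes come from the diary; the proxy-log format, the log lines and the
file inventory below are constructed for this example."""
import hashlib
import re
from typing import Dict, List


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1dnscontrol[.]com, hxxp://) into a
    matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# IOCs from the diary, kept in the defanged form they were published in.
IOC_DOMAINS = {refang("1dnscontrol[.]com")}
IOC_URL_PATHS = {"/flash_install.php"}
IOC_SHA256 = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
}

# Constructed proxy-log lines (squid-style: timestamp, client, result,
# method, URL). Lines 2 and 4 should alert on the domain, line 3 only on
# the generic path, line 1 not at all.
SAMPLE_PROXY_LOG = """\
1508848001.123 10.1.2.3 TCP_MISS/200 GET http://example.com/index.html
1508848002.456 10.1.2.7 TCP_MISS/200 GET http://1dnscontrol.com/flash_install.php
1508848003.789 10.1.2.9 TCP_MISS/200 GET http://cdn.example.net/flash_install.php
1508848004.012 10.1.2.7 TCP_MISS/200 GET http://www.1DNScontrol.com:8080/flash_install.php?x=1
"""

PROXY_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<url>\S+)")
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?", re.I)


def host_matches(host: str) -> bool:
    """Exact or subdomain match, case-insensitive, ignoring a trailing dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_proxy_log(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per log line that touches an IOC, with a severity:
    'high' when the domain matches, 'low' when only the generic path
    (/flash_install.php) matches, since that file name is not unique."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line)
        u = URL_RE.match(m.group("url")) if m else None
        if not u:
            continue
        host = u.group("host")
        path = u.group("path") or "/"
        if host_matches(host):
            severity = "high"
        elif path in IOC_URL_PATHS:
            severity = "low"
        else:
            continue
        hits.append({"client": m.group("client"), "url": m.group("url"),
                     "severity": severity})
    return hits


# Constructed sha256sum-style inventory of quarantined files. Hash case
# varies on purpose: tools disagree, so normalise before comparing.
SAMPLE_HASH_LIST = """\
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da  /srv/quarantine/sample1.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /srv/quarantine/empty.bin
8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93  /srv/quarantine/sample2.exe
"""


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of in-memory file content, for files not yet hashed."""
    return hashlib.sha256(data).hexdigest()


def scan_hash_list(text: str) -> List[str]:
    """Return the paths whose SHA-256 is one of the dropper hashes."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in IOC_SHA256:
            hits.append(parts[1].strip())
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{hit['severity']}] {hit['client']} -> {hit['url']}")
    for path in scan_hash_list(SAMPLE_HASH_LIST):
        print(f"[high] dropper hash match: {path}")
```

Subdomain matching (www.1DNScontrol.com, trailing dot, explicit port) is handled on purpose: a proxy log rarely shows the indicator exactly as published, and an exact string compare would miss it.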

Looking forward to hearing how this one gets in. Macros?
TuggDougins
Quoting TuggDougins: Looking forward to hearing how this one gets in. Macros?

"It seems to be delivered via malicious URL as fake flash update and then using EternalBlue and Mimikatz for lateral movement and further spreading."
Jouser
Here are some pcaps of the Java variant

https://www.dropbox.com/sh/liy3usle2h9lzw7/AABxG2L65hC3sJVzdCHFZHvZa?dl=0

And also a way to detect it easily

bubu@val1:~/c++/aiengine/src$ ./aiengine -i /home/bubu/pcapfiles/ratty/ -R -r "^\x05(\x00$|$)" -r "^\x05$" -m
AIEngine running on Linux kernel 4.4.0-92-generic #115-Ubuntu SMP Thu Aug 10 09:04:33 UTC 2017 x86_64
GCC version:5.4.0
Pcap version:libpcap version 1.7.4
Pcre version:8.38
Boost version:1.58
Static memory support:no
[10/27/17 14:02:17] Lan network stack ready.
[10/27/17 14:02:17] Enable NIDSEngine on Lan network stack
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/072d69dc34676d269797afe1c68bc6d65f7e2711519c1bf2f3e7714ee62822f1.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 11 KBytes of memory
Flow:[192.168.56.17:58739:6:134.255.216.114:1234] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/354e763f72eeed01067109bfd74d85c5e31e84ef6024bd8b459040a501e927dc.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.11:52044:6:89.33.16.229:1337] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/3f3f44752da5d546c7acfddf5823307c6c92dc813323cc2fc3f04b98f5519901.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.10:49160:6:88.67.160.102:1188] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/62e9f321ddcaa209cc9e42697a97e0657aed8d6b1eb85035bd74c9c6ecc00295.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 13 KBytes of memory
Flow:[192.168.56.21:62079:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/7f50695e93f855887fb1bfbabdb7bb2994e9b67d1f931f04be41ab5361842d56.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.17:49172:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/f137894ebaa308f62f4f5cfa3c2d1282ea3d474035606848b982a5a79602e279.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:52299:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/fa168e58e1e42ae9c95088aec2a262ef8d5700f3241c1135d77f3e3484db1a74.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:49166:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
PacketDispatcher(0xbd6b50) statistics
Connected to Lan network stack
Total packets: 9612
Total bytes: 3350895

RegexManager(0xbeabf0)[Generic Regex Manager] Plugged on TCPGenericProtocol
Name:experimental0 Matchs:7 Evaluates:53
Name:experimental1 Matchs:7 Evaluates:23

Exiting process
camp0
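As an added example (not camp0's aiengine run and not code from the page), the script below applies the two first-payload regexes from the aiengine command above to TCP flows in plain Python and reports matches per flow in the style of the "Flow:[...]" lines in that output. Only the two regexes come from the comment; the packets, addresses (RFC 5737 documentation ranges) and payloads are constructed here. It also shows a caveat a practitioner should know about these patterns: in both PCRE and Python, `$` matches before a single trailing newline, so a payload of `\x05\n` matches `^\x05$` as well.

```python
"""Added example (not camp0's aiengine and not from the page): apply the two
first-payload regexes from the aiengine command above to TCP flows in plain
Python, reporting matches per flow the way the aiengine output does.

Only the two regexes come from the comment; the packets below are
constructed, with RFC 5737 documentation addresses."""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# The -r patterns exactly as given to aiengine. Anchored with ^ and $, they
# fire only on a payload that is exactly 0x05 or 0x05 0x00. Note that in
# both PCRE and Python, "$" also matches before a single trailing newline,
# so b"\x05\n" matches too; use \Z for a strict end-of-payload anchor.
PAYLOAD_REGEXES = OrderedDict([
    ("experimental0", re.compile(rb"^\x05(\x00$|$)")),
    ("experimental1", re.compile(rb"^\x05$")),
])

Flow = Tuple[str, int, str, int]  # src, sport, dst, dport; TCP (proto 6)

# Constructed packets: (src, sport, dst, dport, payload). Empty payloads
# stand for handshake/ACK segments carrying no data.
SAMPLE_PACKETS = [
    ("192.0.2.17", 58739, "198.51.100.114", 1234, b""),
    ("192.0.2.17", 58739, "198.51.100.114", 1234, b"\x05"),
    ("198.51.100.114", 1234, "192.0.2.17", 58739, b"\x05\x00"),
    ("192.0.2.11", 52044, "198.51.100.229", 1337, b"\x05\x00"),
    ("192.0.2.11", 52044, "198.51.100.229", 1337, b"\x05\x00\x00\x01"),  # later data, ignored
    ("192.0.2.20", 40001, "203.0.113.5", 1080, b"\x05\x01\x00"),  # real SOCKS5 greeting
    ("192.0.2.21", 40002, "203.0.113.6", 80, b"GET / HTTP/1.1\r\n"),
    ("192.0.2.22", 40003, "203.0.113.7", 9000, b"\x05\n"),  # trailing newline
]


def first_payload_per_flow(packets) -> Dict[Flow, bytes]:
    """Keep the first non-empty payload per direction of each flow, which
    is what a ^-anchored stream regex is evaluated against."""
    first: Dict[Flow, bytes] = OrderedDict()
    for src, sport, dst, dport, payload in packets:
        key = (src, sport, dst, dport)
        if payload and key not in first:
            first[key] = payload
    return first


def match_flows(packets) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, [regex names that matched]) for flows with a match."""
    hits = []
    for flow, payload in first_payload_per_flow(packets).items():
        names = [n for n, rx in PAYLOAD_REGEXES.items() if rx.match(payload)]
        if names:
            hits.append((flow, names))
    return hits


def format_hit(flow: Flow, names: List[str]) -> str:
    """Render like aiengine's 'Flow:[src:sport:6:dst:dport]' lines."""
    src, sport, dst, dport = flow
    return f"Flow:[{src}:{sport}:6:{dst}:{dport}] matches Regex {names}"


if __name__ == "__main__":
    for flow, names in match_flows(SAMPLE_PACKETS):
        print(format_hit(flow, names))
```

The SOCKS5 greeting (`\x05\x01\x00`) is included to show how narrow these patterns are: anything beyond the single 0x05 byte (or 0x05 0x00) does not match, which is what keeps the false-positive rate low on a real link but also means a variant that sends one more byte is missed.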