BadRabbit malware


Another day, another supposedly large-scale malware attack. This time it’s called BadRabbit.

Updates

  • 2017-10-25 : Detection methods (Windows events)
  • 2017-10-25 : YARA rules
  • 2017-10-25 : Removed spreading via EternalBlue
  • 2017-10-25 : Removed Petya link

Target

Based on the information from ESET, the malware targets

  • transportation organizations
  • governmental organizations
  • media outlets

and was seen mostly in Russia, with fewer attacks in Ukraine, Turkey and Germany.

Delivery (detect and prevent)

The malware is delivered via a fake Adobe Flash update (drive-by attack).

  • hxxp://1dnscontrol.com/flash_install.php (block this URL)
  • hxxp://1dnscontrol.com/install_flash_player.exe (block this URL)
  • afeee8b4acff87bc469a6f0364a81ae5d60a2add (SHA-1)
  • de5c8d858e6e41da715dca1c019df0bfb92d32c0 (SHA-1)

According to Kaspersky, you should block the execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. Disable the WMI service (if that is possible in your environment) to prevent the malware from spreading over your network.

Prevention / vaccination tip: instead of blocking execution, you can also preventively create the files (infpub.dat and cscc.dat) and remove all permissions on them (Everyone: deny).
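The vaccination tip as a script, added here as an example and not part of the original post: it creates the two file names from the post under C:\Windows, removes inherited permissions and adds a deny entry for Everyone, then reports whether each file is in place. The paths are the ones named above; the function names, the use of the well-known SID S-1-1-0 for Everyone and the verification step are my own choices.

```powershell
# Added example (not from the original post): create the two file names that
# BadRabbit writes and deny 'Everyone' all access to them, as the vaccination
# tip above describes. The paths come from the post; the function names are
# mine. Run from an elevated PowerShell session.

$VaccinePaths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

# 'Everyone' is the well-known SID S-1-1-0; using the SID instead of the name
# avoids problems on localized Windows installations where the group name differs.
$EveryoneSid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'

function Install-BadRabbitVaccine {
    param([string[]] $Paths = $VaccinePaths)

    foreach ($Path in $Paths) {
        # Only create an empty placeholder when nothing is there yet: a file
        # that already exists under this name is something to investigate first.
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -Path $Path -ItemType File -Force | Out-Null
        }

        $Acl = Get-Acl -LiteralPath $Path
        # Stop inheriting from C:\Windows without copying the inherited rules,
        # then drop any explicit rules, so the deny below is the only entry left.
        $Acl.SetAccessRuleProtection($true, $false)
        foreach ($Rule in @($Acl.Access)) {
            $Acl.RemoveAccessRule($Rule) | Out-Null
        }

        $Deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $EveryoneSid, 'FullControl', 'Deny'
        $Acl.AddAccessRule($Deny)
        Set-Acl -LiteralPath $Path -AclObject $Acl
    }
}

function Test-BadRabbitVaccine {
    param([string[]] $Paths = $VaccinePaths)

    foreach ($Path in $Paths) {
        $Exists = Test-Path -LiteralPath $Path
        $Denied = $false
        if ($Exists) {
            # Compare on the SID so the check also works on localized systems.
            $DenyRules = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
            })
            $Denied = $DenyRules.Count -gt 0
        }
        [pscustomobject]@{ Path = $Path; Exists = $Exists; EveryoneDenied = $Denied }
    }
}

Install-BadRabbitVaccine
Test-BadRabbitVaccine | Format-Table -AutoSize
```

Two things to keep in mind when rolling this out: a deny entry for Everyone also applies to SYSTEM and to scheduled jobs such as backup or antivirus scans that touch C:\Windows, and the vaccine only covers the two file names named in the post; it does nothing against the fake Flash installer itself, so the URL blocks and execution blocks above still apply.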

Because the malware also clears the Windows event log and creates scheduled tasks, look for these Windows events:

  • 1106 (clear audit log)
  • 106 (new task created), with the task names drogon and rhaegal
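A local hunt for the two indicators listed above, added here as an example and not part of the original post. The event IDs (1106 and 106) and the task names are taken from the post as written; the log names (Security for the log-cleared event, the Task Scheduler operational log for task registration) are my assumption about where those IDs are recorded, and Security event 4698 (a scheduled task was created) is my addition as a fallback because the Task Scheduler operational log is disabled on some Windows versions and 4698 needs object-access auditing to be enabled. The function name is mine.

```powershell
# Added example (not from the original post): search the local event logs for
# the indicators listed above. Event IDs 1106 and 106 and the task names come
# from the post; the log names are my assumption, and Security 4698 is my
# addition as a fallback for hosts where the Task Scheduler log is disabled.

$SuspiciousTaskNames = @('drogon', 'rhaegal')

function Find-BadRabbitEvents {
    param(
        [datetime] $Since = (Get-Date).AddDays(-7),
        [string[]] $TaskNames = $SuspiciousTaskNames
    )

    # Regex matching any of the known task names as a whole word; PowerShell's
    # -match operator is case-insensitive by default.
    $NamePattern = '\b(' + (($TaskNames | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'

    # One entry per query: which log and ID to read, a label for the report,
    # and whether the event message must contain one of the task names.
    $Queries = @(
        @{ LogName = 'Security'; Id = 1106; Label = 'Audit log cleared'; MatchNames = $false },
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; Label = 'Task registered'; MatchNames = $true },
        @{ LogName = 'Security'; Id = 4698; Label = 'Task created (fallback)'; MatchNames = $true }
    )

    foreach ($Q in $Queries) {
        $Filter = @{ LogName = $Q.LogName; Id = $Q.Id; StartTime = $Since }
        # Get-WinEvent reports "no events were found" as an error; that is not
        # a finding, so it is silenced here.
        $Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
        foreach ($E in $Events) {
            if ($Q.MatchNames -and ($E.Message -notmatch $NamePattern)) { continue }
            [pscustomobject]@{
                TimeCreated = $E.TimeCreated
                Indicator   = $Q.Label
                EventId     = $E.Id
                Computer    = $E.MachineName
                # First line of the message is enough for a triage table
                Message     = ($E.Message -split '\r?\n')[0]
            }
        }
    }
}

Find-BadRabbitEvents | Sort-Object TimeCreated | Format-Table -AutoSize
```

Get-WinEvent accepts -ComputerName, so the same function can be pointed at remote hosts from a management workstation. Because the malware clears the event logs, an empty result on a host that should have days of Security events is itself worth a look; a central log collector that received the events before they were cleared is the more reliable place to run this search.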

Additional indicators are available via https://otx.alienvault.com/pulse/59ef5e053db003162704fcb2/

There is a set of YARA rules available via https://github.com/Neo23x0/signature-base/blob/master/yara/crime_badrabbit.yar

Exploitation

No exploit takes place: the user has to manually download the file (drive-by attack) and confirm its execution.

Installation

The malware requires elevated privileges to run, and uses a Windows UAC prompt to obtain them.

Once installed via the fake Flash update, it saves C:\Windows\infpub.dat and launches it using rundll32. The malware uses Mimikatz to gather system credentials but also contains a set of hardcoded credentials (full list available via https://pastebin.com/01C05L0C). It then uses these credentials to spread further through the network (via WMIC).

infpub.dat encrypts the files (like typical ransomware), installs dispci.exe and launches it via a scheduled task. dispci.exe (DiskCryptor) is a disk encryptor that also modifies the bootloader, preventing a normal boot process after a restart.

According to Costin Raiu, it targets a similar, but not entirely identical, set of file extensions.

BadRabbit Mindmap

Source: https://github.com/cudeso/tools/tree/master/badrabbit

Sources
