Another day, another supposedly large scale malware attack. This time it’s called BadRabbit.
Updates:
- 2017-10-25: Detection methods (Windows events)
- 2017-10-25: YARA rules
- 2017-10-25: Removed spreading via EternalBlue
- 2017-10-25: Removed Petya link
Based on information from ESET, the malware targets:
- transportation organizations
- governmental organizations
- media outlets
Fewer attacks were seen in Ukraine, Turkey and Germany.
Delivery (detect and prevent)
The malware is delivered via a fake Adobe Flash update (drive-by attack):
- hxxp://1dnscontrol.com/flash_install.php (block this URL)
- hxxp://1dnscontrol.com/install_flash_player.exe (block this URL)
According to Kaspersky you should block execution of the files C:\Windows\infpub.dat and C:\Windows\cscc.dat. Disable the WMI service (if that is possible in your environment) to prevent the malware from spreading over your network.
Prevention / vaccination tip: instead of blocking execution, you can also preventively create the files (infpub.dat and cscc.dat) and remove all permissions on them (Everyone: Deny).
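One way to apply that vaccination tip and verify it took effect, as an added example that is not part of the original post (the script and its function names are my own; it assumes an elevated PowerShell session and the two paths named above):

```powershell
# Added example (not from the original post): pre-create infpub.dat and cscc.dat
# in C:\Windows, then deny Everyone all access so the dropper cannot write or run them.
# Assumes an elevated session; the owner keeps implicit READ_CONTROL/WRITE_DAC, so the
# ACL can still be read back for verification after the deny ACE is in place.

$VaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')
$FullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

function Invoke-BadRabbitVaccine {
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Set read-only BEFORE the deny ACE: afterwards even admins lose WriteAttributes.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

        $acl = Get-Acl -LiteralPath $path
        # Drop inherited ACEs so nothing inherited from C:\Windows grants access next to the deny.
        $acl.SetAccessRuleProtection($true, $false)
        $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
        $acl.SetAccessRule($deny)
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    # One object per file: does it exist, and is there an explicit Everyone (S-1-1-0) Deny FullControl ACE?
    foreach ($path in $VaccineFiles) {
        $exists = Test-Path -LiteralPath $path
        $denied = $false
        if ($exists) {
            $acl = Get-Acl -LiteralPath $path
            $denied = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
                $_.FileSystemRights.HasFlag($FullControl)
            })
        }
        [pscustomobject]@{ Path = $path; Exists = $exists; EveryoneDenied = $denied }
    }
}

Invoke-BadRabbitVaccine
Test-BadRabbitVaccine | Format-Table -AutoSize
```

Comparing the SID rather than the account name keeps the check working on non-English Windows installs where "Everyone" is localized.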
Because the malware also clears the Windows event log and creates scheduled tasks, look for these Windows events:
- 1106 (audit log cleared)
- 106 (new task created), with the task names drogon and rhaegal
Additional indicators are available via https://otx.alienvault.com/pulse/59ef5e053db003162704fcb2/
There is a set of YARA rules available via https://github.com/Neo23x0/signature-base/blob/master/yara/crime_badrabbit.yar
No exploit is involved: the user has to manually download the file (drive-by attack) and confirm its execution.
The malware requires elevated privileges to run, and uses a Windows UAC prompt to obtain them.
Once installed via the fake Flash update, it will save C:\Windows\infpub.dat and launch it using rundll32. The malware uses Mimikatz to gather system credentials but also contains a set of hardcoded credentials (full list available via https://pastebin.com/01C05L0C). It will then use these credentials to spread further through the network (via WMIC).
infpub.dat encrypts the files (like typical ransomware), installs dispci.exe and launches it via a scheduled task. dispci.exe (DiskCryptor) is a disk encryptor that also modifies the bootloader, preventing a normal boot process after a restart.
According to Costin Raiu, it targets a similar, but not entirely identical, set of file extensions.
- Vaccination for BadRabbit
- Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection
- EternalRomance exploit found in BadRabbit ransomware