Following the Petya/NotPetya outbreak that surfaced in June, a new ransomware attack, known as "BadRabbit", made the headlines again last week, affecting machines in Ukraine, Russia, Turkey and Bulgaria.
Initial Attack Vector:
Unlike Petya/NotPetya, which used SMB (EternalBlue) as the initial vector, this variant uses a drive-by download attack to deliver the malware (BadRabbit), which spreads via malicious websites. The malware relies on the following components and techniques:
- DiskCryptor to encrypt files with selected extensions
- SCManager, schtasks and rundll32.exe to invoke the other components
- For lateral movement, a scan of the local network for SMB shares, over which it spreads
- Mimikatz for credential harvesting on the compromised machine
| Hash | Component |
|---|---|
| fbbdc39af1139aebba4da004475e8839 | Adobe_Flash_Update – Dropper |
| 1d724f95c61f1055f0d02c2154bbccd3 | infpub.dat – Main DLL |
| b4e6d97dafd9224ed9a547d52c26ce02 | cscc.dat – Driver for Encryption |
| b14d8faf7f0cbcfad051cefe5f39645f | dispci.exe – DiskCryptor Client |
Once downloaded, the executable dropper, posing as an Adobe Flash Update, convinces the victim to install it.
Upon execution it drops the main module DLL "infpub.dat" into the "C:\Windows" directory, which is then launched by rundll32.exe with arguments.
It then executes the command "schtasks /Delete /F /TN rhaegal" to delete any existing task named "rhaegal".
During execution of the main DLL "infpub.dat", the other components responsible for encryption (cscc.dat, dispci.exe) are dropped.
To launch the newly dropped DiskCryptor client "dispci.exe" at startup, a new scheduled task named "rhaegal" is created.
A new service named "cscc" is created for the DiskCryptor driver "cscc.dat".
A task named "drogon" is scheduled to forcibly reboot the machine at 04:46hrs; the reboot appears to be required to install the DiskCryptor driver.
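The execution chain described above (infpub.dat loaded by rundll32, the "rhaegal" and "drogon" tasks, the "cscc" service, dispci.exe) and the hashes in the table give a defender concrete indicators to hunt for in process-creation telemetry. The following is an added example, not code from the original analysis: the log format (`key=value;` fields), the command-line arguments in the sample events, and the assumption that the table's hashes are MD5s are all constructed for illustration.

```python
import re

# Hashes from the table above (32 hex chars, assumed to be MD5), keyed to their component.
BADRABBIT_HASHES = {
    "fbbdc39af1139aebba4da004475e8839": "Adobe_Flash_Update dropper",
    "1d724f95c61f1055f0d02c2154bbccd3": "infpub.dat main DLL",
    "b4e6d97dafd9224ed9a547d52c26ce02": "cscc.dat DiskCryptor driver",
    "b14d8faf7f0cbcfad051cefe5f39645f": "dispci.exe DiskCryptor client",
}

# Behavioural rules, each matched against the lower-cased command line of one process-creation event.
RULES = [
    ("scheduled task named rhaegal/drogon", re.compile(r"\bschtasks(\.exe)?\b.*/tn\s+(rhaegal|drogon)\b")),
    ("rundll32 loading C:\\Windows\\infpub.dat", re.compile(r"\brundll32(\.exe)?\b.*c:\\windows\\infpub\.dat")),
    ("service cscc created for cscc.dat", re.compile(r"\bsc(\.exe)?\s+create\s+cscc\b")),
    ("DiskCryptor client dispci.exe launched", re.compile(r"\\dispci\.exe\b")),
]

def parse_event(line):
    """Split a constructed 'key=value;key=value' event line into a dict (field layout is an assumption)."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def classify(line):
    """Return the indicator descriptions triggered by one event line (empty list if nothing matched)."""
    event = parse_event(line)
    cmdline = event.get("cmdline", "").lower()
    hits = [desc for desc, rx in RULES if rx.search(cmdline)]
    file_hash = event.get("md5", "").lower()
    if file_hash in BADRABBIT_HASHES:
        hits.append("known BadRabbit hash: " + BADRABBIT_HASHES[file_hash])
    return hits

def scan(lines):
    """Return [(line_no, hits)] for every event that matches at least one rule."""
    results = []
    for line_no, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            results.append((line_no, hits))
    return results

# Constructed sample telemetry (not real logs); the last line is a benign scheduled task that must not match.
SAMPLE_LOG = [
    r"ts=2017-10-24T14:02:11;image=C:\Windows\System32\schtasks.exe;cmdline=schtasks /Delete /F /TN rhaegal;md5=",
    r"ts=2017-10-24T14:02:12;image=C:\Windows\System32\rundll32.exe;cmdline=rundll32.exe C:\Windows\infpub.dat,#1;md5=",
    r"ts=2017-10-24T14:02:13;image=C:\Windows\System32\sc.exe;cmdline=sc create cscc binPath= C:\Windows\cscc.dat type= kernel;md5=",
    r'ts=2017-10-24T14:02:14;image=C:\Windows\System32\schtasks.exe;cmdline=schtasks /Create /SC once /TN drogon /TR "shutdown.exe /r /f" /ST 04:46;md5=',
    r"ts=2017-10-24T14:02:15;image=C:\Windows\dispci.exe;cmdline=C:\Windows\dispci.exe;md5=b14d8faf7f0cbcfad051cefe5f39645f",
    r"ts=2017-10-24T14:03:00;image=C:\Windows\System32\schtasks.exe;cmdline=schtasks /Create /TN NightlyBackup /TR backup.exe /SC daily;md5=",
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

Matching on the task and service names alone is enough to flag this sample; in production the hash lookup is the lower-noise signal, since task names are trivially changed between variants.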
BadRabbit encrypts only files with the selected extensions listed below and then displays the ransom note.
Abuse of APIs:
To perform credential harvesting, it writes mimikatz to a file with the ".tmp" extension (xxxx.tmp) in "C:\Windows\" and starts a new process from that temp file ("495E.tmp"), communicating with it over a pipe.
The malware was observed scanning the local network for ports 139 and 445 and spreading via SMB shares using the credentials harvested with mimikatz.