BadRabbit, launched on the morning of Tuesday, October 24, 2017, was delivered through drive-by downloads of a fake Adobe Flash Player installer served from hacked websites. The installer went undetected: it carried a Symantec digital certificate and had a detection rate of 1 out of 65 on VirusTotal. Since the Bad Rabbit ransomware shares a similar set of features and code snippets with the NotPetya wiper, it can be considered a new version of it, supposedly created by the same author. In the new version, the legitimate DiskCryptor driver is used to install the bootloader and encrypt the hard disk volumes covertly.
- BadRabbit is a new version of NotPetya, supposedly written by the same author;
- It is a cryptolocker: the computer can be unlocked and the data decrypted only by paying 0.05 BTC;
- Unlike NotPetya, this is not a targeted attack;
- BadRabbit spreads over the local network using the EternalRomance vulnerability in SMB1, WMI, WebDAV, and brute-forcing of simple passwords through NTLMSSP;
- BadRabbit uses the legitimate DiskCryptor driver.
The installer’s description says it is an Adobe Flash Player Installer/Uninstaller (MD5: fbbdc39af1139aebba4da004475e8839).
The dropper carries a valid certificate from Symantec, but its signature is invalid.
The following files are dropped:
- cscc.dat (32-bit MD5: edb72f4a46c39452d1a5414f7d26454a, 64-bit MD5: B4E6D97DAFD9224ED9A547D52C26CE02) - the legitimate DiskCryptor driver (diskcryptor.net), used for disk encryption by the manager dispci.exe. It is installed as a service named ‘cscc’.
- dispci.exe (MD5: b14d8faf7f0cbcfad051cefe5f39645f) - communicates with the DiskCryptor driver cscc.dat (a.k.a. dcrypt.sys) by sending the DeviceIOControl Control codes to infect MBR and encrypt disk volumes. For example:
- Infpub.dat (MD5: 1d724f95c61f1055f0d02c2154bbccd3) - the DLL is responsible for file encryption and network propagation (the code based on the NotPetya’s ‘perfc.dat’ payload)
- Mimikatz (32-bit MD5: 37945c44a897aa42a66adcab68f560e0, 64-bit MD5: 347AC3B6B791054DE3E5720A7144A977) - dropped as a .tmp file in the Windows folder and used to harvest logins and passwords, which it hands back to BadRabbit through a named pipe, similar to NotPetya. Mimikatz receives the name of the pipe as a parameter:
The BadRabbit will not start if the ‘cscc.dat’ file is in the Windows folder.
To start encrypting files, the dropper loads the dropped DLL in a similar way to how NotPetya was executed by the MEDoc backdoor (“C:\Windows\system32\rundll32.exe C:\Windows\perfc.dat,#1 30”):
“C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15”
BadRabbit schedules a system reboot in several minutes:
C:\WINDOWS\system32\shutdown.exe /r /t 0 /f
On reboot, it starts the payload in the console under the ‘SYSTEM’ account as follows:
“C:\Windows\dispci.exe” -id 3110397262 && exit
C:\WINDOWS\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 3288954816 && exit
If a task with the same name already exists, BadRabbit deletes it and then creates a new one.
The manager dispci.exe contains MBR and two versions of kernels (kernel 1 - 21162 and kernel 2 - 16718 bytes) as resources.
On the right, the deployed kernel already has the generated installation key#1:
Analysis of infpub.dat
Infpub.dat is a dll with exported functions. BadRabbit starts the first exported function. The second one is designed to run the first one, providing the input parameter as the BadRabbit dropper does.
The process gets the following privileges:
- SeShutdownPrivilege - allows an attacker to shut down the local computer.
- SeDebugPrivilege - allows an attacker to access and modify the target process memory.
- SeTcbPrivilege - allows a process to authenticate as a user and thus gain access to the same resources as that user.
The Bad Rabbit ransomware checks for the following running processes of Dr.Web and McAfee:
To do that, it calculates a hash of the process name using XOR and decrement operations, in a similar way to NotPetya.
The difference is the XOR key: Bad Rabbit uses 87654321h, whereas NotPetya used 12345678h.
Once BadRabbit detects McAfee or Dr.Web processes, it drops cscc.dat into the %ALLUSERSPROFILE% folder and does not encrypt files. Otherwise, cscc.dat is dropped into the Windows folder.
BadRabbit (infpub.dat) tries to propagate itself in a local network using the following methods:
- HTTP WebDAV
- Bruteforcing via NTLMSSP
- Similar to the EternalRomance exploit
Bruteforcing via NTLMSSP
BadRabbit tries to connect to a remote computer via SMB/NetBios NTLMSSP using the hardcoded list of logins and passwords.
The Bad Rabbit ransomware is equipped with the EternalRomance exploit. To detect the vulnerability, the Bad Rabbit supposedly uses the Metasploit code for MS17-010 SMB RCE detection.
It connects to the IPC$ tree on hosts in a local network using the default ‘FileID = 0’ during the first run and the following file names:
If the service is not vulnerable, it returns “STATUS_ACCESS_DENIED” or “STATUS_INVALID_HANDLE”. Otherwise, the status will be “STATUS_INSUFF_SERVER_RESOURCES”.
It also tries to upload its files to the admin$ share on hosts in the local network and run them using wmic.exe.
The file encryption is done with AES-128-CBC using the Microsoft Cryptographic Provider. The AES key is encrypted using the hardcoded RSA-2048 public key.
The files with the following extensions are encrypted:
The list of folders where BadRabbit does not encrypt files:
- Program Files
The Bad Rabbit ransomware encrypts each file and appends the wide-char string “encrypted” to the very end of the file:
The file encryption function:
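The trailing marker makes a cheap filesystem triage check possible. The following Python is an added example for defenders and is not code from the original analysis: it reads only the last 18 bytes of each file (UTF-16LE “encrypted”) and builds its own constructed sample tree in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# UTF-16LE "encrypted": the 18-byte marker the analysis reports at the end of
# every file BadRabbit has encrypted.
MARKER = "encrypted".encode("utf-16-le")


def has_marker(data: bytes) -> bool:
    """True if the byte string ends with the wide-char 'encrypted' marker."""
    return data.endswith(MARKER)


def file_has_marker(path: Path) -> bool:
    """Read only the tail of the file, so large files are cheap to check."""
    size = path.stat().st_size
    if size < len(MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(MARKER))
        return fh.read(len(MARKER)) == MARKER


def scan_tree(root: Path):
    """Walk root and return the paths whose tail carries the marker."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if file_has_marker(p):
                    flagged.append(p)
            except OSError:
                continue  # unreadable or vanished: skip it, do not abort the sweep
    return sorted(flagged)


def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="badrabbit_triage_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"\x00" * 64 + MARKER)  # marker at the end: flagged
    (docs / "notes.txt").write_bytes(b"plain text, untouched")  # clean
    (docs / "tiny.bin").write_bytes(b"\x01")                     # shorter than the marker
    (docs / "decoy.txt").write_bytes(MARKER + b"trailing")       # marker not at the end
    return [p.relative_to(root).as_posix() for p in scan_tree(root)]
```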
The Bad Rabbit creates the ‘DECRYPT.lnk’ file on the Desktop with the execution path to ‘dispci.exe’:
Once executed, it shows the following message:
When the file encryption is completed by the ‘infpub.dat’ module, it shows the installation key#2:
In the root of the C drive, it leaves the Readme.txt with instructions with the key#2 needed to decrypt files:
After the scheduled reboot, the BadRabbit bootloader starts and locks the computer showing the installation key #1 needed to decrypt volumes and unlock the boot:
The website is in the Tor network and contains the fancy animation:
Similar to NotPetya, to wipe its own traces from the Event Log, the Bad Rabbit ransomware runs the following command:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%
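The execution chain above (rundll32 loading infpub.dat, dispci.exe started with -id, the forced reboot) and this log-clearing command are all visible in process-creation telemetry. The following Python is an added detection example, not part of the original analysis; it runs one narrow rule per stage over constructed Sysmon-style records, whose hosts, PIDs and field names are made up.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records for this example; the hosts,
# PIDs and field names are made up, the command lines follow the analysis above.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "cmdline":
     r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"host": "ws01", "pid": 4188, "cmdline":
     r'C:\WINDOWS\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 3288954816 && exit'},
    {"host": "ws01", "pid": 4202, "cmdline": r"C:\WINDOWS\system32\shutdown.exe /r /t 0 /f"},
    {"host": "ws01", "pid": 4230, "cmdline":
     r"wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%"},
    {"host": "ws02", "pid": 880, "cmdline": r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "ws02", "pid": 900, "cmdline": r"wevtutil qe Security /c:5"},
]

# One narrow rule per stage of the documented chain, so that two distinct hits on
# the same host point at the chain rather than at an admin clearing a single log.
RULES = {
    "rundll32 loads infpub.dat export #1": re.compile(r"rundll32\.exe\s+\S*infpub\.dat,#1\b", re.I),
    "dispci.exe started with -id key": re.compile(r'dispci\.exe"?\s+-id\s+\d+', re.I),
    "forced immediate reboot":
        re.compile(r"shutdown\.exe(?=.*\s/r\b)(?=.*\s/t\s+0\b)(?=.*\s/f\b)", re.I),
    "chained event log clearing (3+ logs)":
        re.compile(r"wevtutil\s+cl\s+\w+(?:.*?wevtutil\s+cl\s+\w+){2,}", re.I),
    "USN journal deletion": re.compile(r"fsutil\s+usn\s+deletejournal\s+/D\s+\S+", re.I),
}


def match_events(events, rules=RULES):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, rx in rules.items():
            if rx.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "pid": ev["pid"], "rule": name})
    return hits


def hosts_with_chain(hits, min_rules=2):
    """Map host -> number of distinct stages seen, for hosts at or above the threshold."""
    stages = defaultdict(set)
    for h in hits:
        stages[h["host"]].add(h["rule"])
    return {host: len(s) for host, s in stages.items() if len(s) >= min_rules}
```

Running `hosts_with_chain(match_events(SAMPLE_EVENTS))` on the constructed records returns `{'ws01': 5}`; the single `wevtutil qe` query and the unrelated rundll32 call on ws02 trigger nothing.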
Based on the analysis above, we can state with high confidence that the Bad Rabbit’s ‘infpub.dat’ module is based on NotPetya source code and is a new version of it. Consequently, the Bad Rabbit ransomware is written by the same author who is financially driven in the current attack. Based on the geographical diversity of the victims reported by Kaspersky Lab, we can suggest that it is not a nation-state attack. However, in the future, we can expect a new version, which can be used to attack the critical infrastructure of some state.
The PCAP traffic and the tool for finding the blacklisted process names are available on GitHub: https://github.com/AlexanderAda/NioGuardSecurityLab/tree/master/RansomwareAnalysis/BadRabbit