On 24 October, a large-scale campaign of ransomware attacks took place across Europe, closely mimicking the NotPetya attack from months ago. Just as was the case with NotPetya, the sample appeared to spread through traditional methods of making SMB connections within a corporate environment, such as using local administrative shares and a predefined list of user accounts and passwords.
Magic           : PE32 executable for MS Windows (console) Intel 80386 32-bit
Import Hash     : 94f57453c539227031b918edd52fc7f1
Compiled Time   : Sun Oct 22 02:33:09 2017 UTC
PE Sections (5) :
    Name      Size      MD5
    .text     72,192    0fa851de532b3dd96e1578a1fe912cea
    .rdata    16,896    e69552feb958791e5d7283cd1e9f0b0b
    .data     6,656     dc53a4c1670b55450713e13adc573c51
    .rsrc     39,936    538045e89d3956ece75779bbffedb57f
    .reloc    6,144     664441acad88cda5370381c965d187ab
Analysis is forthcoming, but initial views show that it is a variant of the NotPetya sample. It is not known yet if there is actual code re-use or if simply the tactics and strings were copied from analyzed versions of NotPetya. Just as NotPetya dropped a file named perfc.dat, and called it by an export ordinal value, this BadRabbit will drop a similar file named infpub.dat and call it using an almost identical method.
For instance, in the screenshot below, one routine from this initial BadRabbit is compared to the respective routine in NotPetya, with BadRabbit displayed on the right. There are very striking similarities in code, but also large differences. Notably, there is also a very basic attempt at obfuscation by using a Unicode stack string that resolves to “shutdown /r /t 0”.
The malware also has the ability to clear Windows event logs by using the Windows wevtutil command. This is seen in action as:
One major change seen in this malware, when compared to NotPetya, is that the core Petya code is no longer present. Instead, the sample drops the encryption system driver from the known legitimate DiskCryptor application onto the local system as cscc.dat and then leverages it to perform disk encryption.
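The host behaviours described above (the infpub.dat and cscc.dat drops, the call by export ordinal, and the wevtutil log clearing) can be turned into a simple triage check over endpoint telemetry. The following Python is an added example, not code from the original analysis; the event schema, the sample events and the assumption that the ordinal call is made through rundll32 are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any platform

# File names taken from the article: the dropped DLL and the DiskCryptor driver.
DROPPED_FILES = {"infpub.dat", "cscc.dat"}

# wevtutil's clear-log subcommand and its short alias "cl".
WEVTUTIL_CLEAR = re.compile(r'\bwevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\b', re.I)
# rundll32 '<file>,#<ordinal>' invocation (assumed loader for the ordinal call).
ORDINAL_CALL = re.compile(r'\brundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*#(\d+)', re.I)

def classify(event):
    """Return findings for one event dict (hypothetical schema: type + path/cmdline)."""
    findings = []
    if event["type"] == "file_create":
        name = basename(event["path"]).lower()
        if name in DROPPED_FILES:
            findings.append("dropped-file:" + name)
    elif event["type"] == "process_create":
        cmd = event["cmdline"]
        if WEVTUTIL_CLEAR.search(cmd):
            findings.append("eventlog-clear")
        m = ORDINAL_CALL.search(cmd)
        # An ordinal export called on a file that is not named *.dll is unusual.
        if m and not m.group(1).lower().endswith(".dll"):
            findings.append("ordinal-call:" + basename(m.group(1)).lower())
    return findings

def scan(events):
    """Return (index, findings) for every event that produced at least one finding."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, f) for i, f in hits if f]

# Constructed sample telemetry; paths, ordinals and arguments are illustrative only.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Temp\infpub.dat"},
    {"type": "process_create", "cmdline": r"rundll32.exe C:\Temp\infpub.dat,#1"},
    {"type": "file_create", "path": r"C:\Temp\cscc.dat"},
    {"type": "process_create", "cmdline": "wevtutil cl System"},
    {"type": "process_create", "cmdline": "wevtutil qe System /c:5"},      # benign query
    {"type": "process_create", "cmdline": r"rundll32.exe shell32.dll,#61"},  # benign DLL
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings)
```

File names alone are weak indicators, so findings like these are best correlated on the same host within a short time window before raising an alert.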
The final payment screen, shown over TOR, is insignificant to analysis but does highlight the added effort that adversaries place on making notable brands of malware: