{"id":85030,"date":"2017-10-25T14:16:53","date_gmt":"2017-10-25T08:46:53","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85030"},"modified":"2017-10-27T13:47:00","modified_gmt":"2017-10-27T08:17:00","slug":"bad-rabbit-ransomware-outbreak-analysis-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/bad-rabbit-ransomware-outbreak-analysis-quick-heal-security-labs\/","title":{"rendered":"Another Ransomware Outbreak! This time it\u2019s Bad Rabbit"},"content":{"rendered":"<p>The recent Bad Rabbit ransomware outbreak is currently making headlines. This post outlines the analysis of the ransomware by Quick Heal Security Labs.<\/p>\n<p><strong>According to our telemetry, we have not seen any Bad Rabbit ransomware infection on our customers\u2019 machines so far.<\/strong><\/p>\n<p><strong>Propagation technique<br \/>\n<\/strong>Bad Rabbit is distributed via a drive-by download attack from the URL below:<\/p>\n<p><em>hxxp:\/\/1dnscontrol[.]com\/flash_install.php<\/em><\/p>\n<p>The payload poses as a bogus Adobe Flash Player update named \u201cinstall_flash_player.exe\u201d. The ransomware escalates itself to administrative privileges through a UAC prompt. 
Further, it drops \u2018C:\\Windows\\infpub.dat\u2019 which is actually a DLL file executed through \u2018rundll32.exe\u2019 as seen in the execution flow below.<\/p>\n<p><strong>Execution flow<\/strong><\/p>\n<figure style=\"width: 1057px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85031 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-1.png\" alt=\"bad-rabbit-1\" width=\"1057\" height=\"171\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-1.png 1057w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-1-300x49.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-1-768x124.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-1-650x105.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-1-789x128.png 789w\" sizes=\"(max-width: 1057px) 100vw, 1057px\" \/><figcaption class=\"wp-caption-text\">Fig 1. 
Execution flow<\/figcaption><\/figure>\n<p><strong>Dropped artifacts<\/strong><\/p>\n<p>Bad Rabbit ransomware drops multiple artifacts, which are named after the dragons in the popular TV series Game of Thrones.<\/p>\n<ul>\n<li>C:\\Windows\\infpub.dat<\/li>\n<li>C:\\Windows\\System32\\Tasks\\drogon<\/li>\n<li>C:\\Windows\\System32\\Tasks\\rhaegal<\/li>\n<li>C:\\Windows\\cscc.dat<\/li>\n<li>C:\\Windows\\dispci.exe<\/li>\n<\/ul>\n<p>Below is a screenshot of the ransomware code that uses \u2018rundll32.exe\u2019 to execute \u2018infpub.dat\u2019.<\/p>\n<figure id=\"attachment_85032\" aria-describedby=\"caption-attachment-85032\" style=\"width: 877px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85032\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-2.png\" alt=\"Fig 2. Infpub.dat creation code snippet\" width=\"877\" height=\"511\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-2.png 877w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-2-300x175.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-2-768x447.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-2-650x379.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-2-789x460.png 789w\" sizes=\"(max-width: 877px) 100vw, 877px\" \/><figcaption id=\"caption-attachment-85032\" class=\"wp-caption-text\">Fig 2. 
Infpub.dat creation code snippet<\/figcaption><\/figure>\n<p>The <strong>\u2018infpub.dat\u2019<\/strong> DLL drops a malicious executable, \u2018dispci.exe\u2019, at \u2018C:\\Windows\u2019; this executable is responsible for disk encryption.<\/p>\n<p>The <strong>\u2018infpub.dat\u2019<\/strong> DLL also creates two scheduled tasks: \u2018drogon\u2019, which is used to force a system restart, and \u2018rhaegal\u2019, which is used to start a program at startup.<\/p>\n<figure id=\"attachment_85033\" aria-describedby=\"caption-attachment-85033\" style=\"width: 535px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85033\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-3.png\" alt=\"Fig 3. Drogon task properties \" width=\"535\" height=\"184\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-3.png 535w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-3-300x103.png 300w\" sizes=\"(max-width: 535px) 100vw, 535px\" \/><figcaption id=\"caption-attachment-85033\" class=\"wp-caption-text\">Fig 3. 
Drogon task properties<\/figcaption><\/figure>\n<figure id=\"attachment_85034\" aria-describedby=\"caption-attachment-85034\" style=\"width: 573px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85034\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-4.png\" alt=\"Fig 4: Rhaegal task properties\" width=\"573\" height=\"181\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-4.png 573w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-4-300x95.png 300w\" sizes=\"(max-width: 573px) 100vw, 573px\" \/><figcaption id=\"caption-attachment-85034\" class=\"wp-caption-text\">Fig 4: Rhaegal task properties<\/figcaption><\/figure>\n<p>Infpub.dat is also responsible for file encryption: files with the extensions listed below are encrypted using the attacker\u2019s shared RSA-2048 public key.<\/p>\n<figure id=\"attachment_85035\" aria-describedby=\"caption-attachment-85035\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85035\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-5.png\" alt=\"Fig 5. RSA Key and file extensions \" width=\"911\" height=\"395\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-5.png 911w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-5-300x130.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-5-768x333.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-5-650x282.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-5-789x342.png 789w\" sizes=\"(max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-85035\" class=\"wp-caption-text\">Fig 5. 
RSA Key and file extensions<\/figcaption><\/figure>\n<p>The dropped file \u2018dispci.exe\u2019 carries version information copied from the genuine DiskCryptor utility. It is responsible for the MBR infection, which blocks the boot-up process of the affected system until the ransom is paid, as shown in the image below.<\/p>\n<figure id=\"attachment_85036\" aria-describedby=\"caption-attachment-85036\" style=\"width: 709px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85036\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-6.png\" alt=\"Fig 6. Ransom note \" width=\"709\" height=\"417\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-6.png 709w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-6-300x176.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-6-650x382.png 650w\" sizes=\"(max-width: 709px) 100vw, 709px\" \/><figcaption id=\"caption-attachment-85036\" class=\"wp-caption-text\">Fig 6. Ransom note<\/figcaption><\/figure>\n<p><strong>How it spreads in the network<\/strong><\/p>\n<p>The <strong>\u2018infpub.dat\u2019<\/strong> DLL tries to brute-force logins using a hard-coded list of credentials, and also uses a Mimikatz module to extract NTLM credentials from system memory. These credentials are then used to access other workstations and servers on the same network via SMB and WebDAV.<\/p>\n<figure id=\"attachment_85037\" aria-describedby=\"caption-attachment-85037\" style=\"width: 1117px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85037\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-7.png\" alt=\"Fig 7. 
SMB share enumeration\" width=\"1117\" height=\"302\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-7.png 1117w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-7-300x81.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-7-768x208.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-7-650x176.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-7-789x213.png 789w\" sizes=\"(max-width: 1117px) 100vw, 1117px\" \/><figcaption id=\"caption-attachment-85037\" class=\"wp-caption-text\">Fig 7. SMB share enumeration<\/figcaption><\/figure>\n<figure id=\"attachment_85038\" aria-describedby=\"caption-attachment-85038\" style=\"width: 1115px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-85038\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-8.png\" alt=\"Fig 8: SMB login \u2013 Brute force \" width=\"1115\" height=\"305\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-8.png 1115w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-8-300x82.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-8-768x210.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-8-650x178.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-8-789x216.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-8-304x84.png 304w\" sizes=\"(max-width: 1115px) 100vw, 1115px\" \/><figcaption id=\"caption-attachment-85038\" class=\"wp-caption-text\">Fig 8: SMB login \u2013 Brute force<\/figcaption><\/figure>\n<p><strong>Similarities between Bad Rabbit ransomware and NotPetya ransomware<\/strong><\/p>\n<ul>\n<li>Drops DLL files in Windows folder 
with a \u2018.dat\u2019 extension and executes them using \u2018rundll32.exe\u2019 with ordinal 1 (#1).<\/li>\n<li>Uses a \u2018MimiKatz\u2019 module to extract NTLM credentials<\/li>\n<li>Uses a scheduled task to restart the system using \u2018shutdown.exe\u2019<\/li>\n<li>Displays a similar ransom note after MBR infection<\/li>\n<li>Uses WMI and SMB for spreading across the network<\/li>\n<\/ul>\n<p>Although the two ransomware families share quite a lot of similarities, Bad Rabbit is not a wiper.<\/p>\n<p><strong>Indicators of compromise<\/strong><\/p>\n<table width=\"0\">\n<tbody>\n<tr>\n<td width=\"464\"><strong>SHA256<\/strong><\/td>\n<td width=\"240\"><strong>Filename<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"464\">630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da<\/td>\n<td width=\"240\">install_flash_player.exe<\/td>\n<\/tr>\n<tr>\n<td width=\"464\">8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93<\/td>\n<td width=\"240\">dispci.exe<\/td>\n<\/tr>\n<tr>\n<td width=\"464\">579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648<\/td>\n<td width=\"240\">infpub.dat<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Malicious URLs<\/strong><\/p>\n<ul>\n<li>https:\/\/1dnscontrol[.]com<\/li>\n<li>https:\/\/1dnscontrol[.]com\/flash_install.php<\/li>\n<\/ul>\n<p><strong>Quick Heal Detection<\/strong><\/p>\n<ul>\n<li>Trojanransom.Gen<\/li>\n<li>Ransom.Tibbar<\/li>\n<li>Ransom.BadRabbit.A5<\/li>\n<li>Ransom.BadRabbit.B5<\/li>\n<li>Ransom.BadRabbit.C5<\/li>\n<li>Ransom.Badrabbit.PB5<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-85039\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-9.png.jpg\" alt=\"bad-rabbit-9-png\" width=\"293\" height=\"162\" \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-85040\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/10\/Bad-Rabbit-10.png.jpg\" 
alt=\"bad-rabbit-10-png\" width=\"294\" height=\"160\" \/><\/p>\n<p><strong>How to stay safe<\/strong><\/p>\n<ul>\n<li>Never download software from pop-up ads or websites that don&#8217;t belong to the software vendor (in this case \u2013 Adobe).<\/li>\n<li>Never click on links or download attachments that arrive in emails from unwanted, unknown or unexpected sources.<\/li>\n<li>Apply all recommended security updates for the operating system and for programs such as Adobe products, Java, web browsers, etc.<\/li>\n<li>Take regular backups of your important data in secure online and offline locations.<\/li>\n<li>Use <a href=\"https:\/\/bit.ly\/2ncPU26\" target=\"_blank\">layered security software<\/a> and keep it updated.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>Subject Matter Experts<\/strong><\/p>\n<p>Anita Ladkat, Shantanu Vichare, Prashil Moon, Shriram Munde, Prakash Galande | Quick Heal Security Labs<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The recent Bad Rabbit ransomware outbreak is currently making headlines. This post outlines the analysis of the ransomware by Quick Heal Security Labs. According to our telemetry, we have not seen any Bad Rabbit ransomware infection on our customers\u2019 machines so far. 
Propagation technique Bad Rabbit is distributed via a drive-by-download attack from the below [&hellip;]<\/p>\n","protected":false},"author":29,"featured_media":85043,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[910],"tags":[1516,1515],"class_list":["post-85030","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","tag-adobe-installer","tag-bad-rabbit-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85030"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=85030"}],"version-history":[{"count":8,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85030\/revisions"}],"predecessor-version":[{"id":85059,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85030\/revisions\/85059"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/85043"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=85030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=85030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=85030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}