“BadRabbit” Ransomware Hits Businesses Across Europe
Trustlook Labs has investigated a ransomware outbreak dubbed “BadRabbit,” which is sweeping public organizations and businesses such as airports, banks and power utilities in Russia, Ukraine, Turkey and Bulgaria.
The malware is masked as an Adobe Flash player installer when a user clicks and downloads the file from a phishing website. The dropper (MD5: fbbdc39af1139aebba4da004475e8839) drops a DLL module into C:\Windows\infpub.dat, which is the main BadRabbit payload, and runs as C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
0119138A |TEST CX,CX
0119138D \JNZ SHORT BR.01191380
0119138F PUSH 30C ; /BufSize = 30C (780.)
01191394 LEA ECX,DWORD PTR SS:[EBP-61C] ; |
0119139A PUSH ECX ; |Buffer
0119139B CALL DWORD PTR DS:[; \GetSystemDirectoryW
011913A1 TEST EAX,EAX
011913A3 JE BR.01191487
011913A9 PUSH BR.01196CF8 ; /StringToAdd = "\rundll32.exe"
011913AE LEA EDX,DWORD PTR SS:[EBP-61C] ; |
011913B4 PUSH EDX ; |ConcatString
011913B5 CALL DWORD PTR DS:[] ; \lstrcatW
011913BB TEST EAX,EAX
011913BD JE BR.01191487
011913C3 LEA EAX,DWORD PTR SS:[EBP-1258]
011913C9 PUSH EAX ; /Arg1
011913CA LEA ECX,DWORD PTR SS:[EBP-1254] ; |
011913D0 CALL BR.011910C0 ; \BR.011910C0
011913D5 TEST EAX,EAX
011913D7 JE BR.01191487
011913DD MOV ECX,DWORD PTR SS:[EBP-1258]
011913E3 PUSH EBX
011913E4 MOV EBX,DWORD PTR SS:[EBP-1254]
011913EA PUSH ECX ; /Arg1
011913EB CALL BR.01191260 ; \BR.01191260
011913F0 POP EBX
011913F1 TEST EAX,EAX
011913F3 JE BR.01191487
011913F9 LEA EDX,DWORD PTR SS:[EBP-124C]
011913FF PUSH EDX ; /
01191400 PUSH BR.01196D40 ; | = "infpub.dat"
01191405 LEA EAX,DWORD PTR SS:[EBP-61C] ; |
0119140B PUSH EAX ; |
0119140C LEA ECX,DWORD PTR SS:[EBP-C34] ; |
01191412 PUSH BR.01196D58 ; |Format = "%ws C:\Windows\%ws,#1 %ws"
01191417 PUSH ECX ; |s
01191418 CALL DWORD PTR DS:[] ; \wsprintfW
The malware also drops the files “C:\Windows\dispci.exe” and “C:\Windows\cscc.dat”. The malware creates scheduled tasks to execute the file, and the executable will install a malicious bootloader.
6C561077 PUSH DWORD PTR SS:[EBP+8]
6C56107A PUSH EAX
6C56107B LEA EAX,DWORD PTR SS:[EBP-618]
6C561081 PUSH infpub.6C570028 ; UNICODE "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u "
6C561086 PUSH EAX
6C561087 CALL DWORD PTR DS:[] ; USER32.wsprintfW
[...]
6C5682BB LEA EAX,DWORD PTR SS:[EBP-658]
6C5682C1 PUSH EAX
6C5682C2 LEA EAX,DWORD PTR SS:[EBP-E58]
6C5682C8 PUSH infpub.6C571820 ; UNICODE "schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00"
6C5682CD PUSH EAX
6C5682CE CALL DWORD PTR DS:[] ; USER32.wsprintfW
6C5682D4 ADD ESP,14
The malware generates a random key by calling “CryptGenRandom”, then encrypts the key with the embedded RSA-2048 pubic key:
The key is then used to encrypt the files on the system with the AES-128 encryption algorithm. The malware encrypts files with the following file extensions:
.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip
The malware skips the files under the following directories:
\Windows
\Program Files
\ProgramData
\AppData
The ransom message “Readme.txt” is written in the root of drives.
After the scheduled task reboots the system, the following ransom note is shown on the system:
The malware run “wevtutil” and “fsutil” commands to clean event logs:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
The malware also attempts to affect the system on the network. It uses the following embedded username/password to do a brute-force login into the other system over SMB.
Usernames:
alex
netguest
superuser
nasadmin
nasuser
nas
ftpadmin
ftpuser
asus
backup
operator
other user
work
support
manager
rdpadmin
rdpuser
rdp
ftp
boss
buh
root
Test
user-1
User1
User
Guest
Admin
Administrator
Passwords:
god
sex
secret
love
321
123321
uiop
zxcv
zxc321
zxc123
zxc
qwerty123
qwerty
qwert
qwer
qwe321
qwe123
qwe
777
77777
55555
111111
password
test123
admin123Test
Admin123
user123
User123
guest123
Guest123
administrato
Administrato
1234567890
123456789
12345678
1234567
123456
12345
1234
123
test
adminTest
user
guest
administrator
Hashes (MD5)
Trustlook Labs has identified the following hashes associated with BadRabbit:
Dropper:
fbbdc39af1139aebba4da004475e8839
Payload:
1d724f95c61f1055f0d02c2154bbccd3 c:\Windows\infpub.dat
b14d8faf7f0cbcfad051cefe5f39645f c:\Windows\dispci.exe
b4e6d97dafd9224ed9a547d52c26ce02 c:\Windows\cscc.dat
Summary
The ability to spread via SMB makes the BadRabbit ransomware particularly destructive, as it can infect systems in the network very quickly and easily. It is further proof that ransomware, with its monetary incentives, continues to be the trend of malware developed by criminal hackers. Thankfully, Trustlook’s antivirus engine can effectively detect ransomware attacks and protect our customers.