My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | British Summer TimeJul 28th - Aug 1st 2025

BadRabbit: New ransomware wave hitting RU & UA

Published: 2017-10-24. Last Updated: 2017-10-24 16:09:36 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

About 2 hours ago, reports started to come about a new ransomware wave hitting RU Media agency Interfax, but it is extending to others in both RU and UA
https://www.bloomberg.com/news/articles/2017-10-24/russian-news-agency-interfax-faces-unprecedented-hacker-attack
https://frontnews.eu/news/en/16198
https://twitter.com/GroupIB/status/922818401382346752

It seems to be delivered via malicious URL as fake flash update and then using EternalBlue and Mimikatz for lateral movement and further spreading.

1dnscontrol[.]com/flash_install.php

Discoder/#BadRabbit IOCs as found by ESET:
Dropper:
https://www.virustotal.com/en/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/
https://www.virustotal.com/en/file/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93/analysis/

There are still lots of speculation though as analysis is early stage, more need to come. At least it's not Friday!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Keywords: BadRabbit malware ransomware
4 comment(s)
My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | British Summer TimeJul 28th - Aug 1st 2025

Comments

Looking forward to hearing how this one gets in. Macros?

Anonymous

Oct 24th 2017
7 years ago

[quote=comment#40396]Looking forward to hearing how this one gets in. Macros?[/quote]

"It seems to be delivered via malicious URL as fake flash update and then using EternalBlue and Mimikatz for lateral movement and further spreading."

Anonymous

Oct 26th 2017
7 years ago

Here are some pcap about the variant on Java

https://www.dropbox.com/sh/liy3usle2h9lzw7/AABxG2L65hC3sJVzdCHFZHvZa?dl=0

And also the way to detect easly

bubu@val1:~/c++/aiengine/src$ ./aiengine -i /home/bubu/pcapfiles/ratty/ -R -r "^\x05(\x00$|$)" -r "^\x05$" -m
AIEngine running on Linux kernel 4.4.0-92-generic #115-Ubuntu SMP Thu Aug 10 09:04:33 UTC 2017 x86_64
GCC version:5.4.0
Pcap version:libpcap version 1.7.4
Pcre version:8.38
Boost version:1.58
Static memory support:no
[10/27/17 14:02:17] Lan network stack ready.
[10/27/17 14:02:17] Enable NIDSEngine on Lan network stack
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/072d69dc34676d269797afe1c68bc6d65f7e2711519c1bf2f3e7714ee62822f1.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 11 KBytes of memory
Flow:[192.168.56.17:58739:6:134.255.216.114:1234] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/354e763f72eeed01067109bfd74d85c5e31e84ef6024bd8b459040a501e927dc.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.11:52044:6:89.33.16.229:1337] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/3f3f44752da5d546c7acfddf5823307c6c92dc813323cc2fc3f04b98f5519901.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.10:49160:6:88.67.160.102:1188] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/62e9f321ddcaa209cc9e42697a97e0657aed8d6b1eb85035bd74c9c6ecc00295.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 13 KBytes of memory
Flow:[192.168.56.21:62079:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/7f50695e93f855887fb1bfbabdb7bb2994e9b67d1f931f04be41ab5361842d56.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.17:49172:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/f137894ebaa308f62f4f5cfa3c2d1282ea3d474035606848b982a5a79602e279.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:52299:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/fa168e58e1e42ae9c95088aec2a262ef8d5700f3241c1135d77f3e3484db1a74.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:49166:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
PacketDispatcher(0xbd6b50) statistics
Connected to Lan network stack
Total packets: 9612
Total bytes: 3350895

RegexManager(0xbeabf0)[Generic Regex Manager] Plugged on TCPGenericProtocol
Name:experimental0 Matchs:7 Evaluates:53
Name:experimental1 Matchs:7 Evaluates:23

Exiting process

Anonymous

Oct 27th 2017
7 years ago

Here are some pcap about the variant on Java

https://www.dropbox.com/sh/liy3usle2h9lzw7/AABxG2L65hC3sJVzdCHFZHvZa?dl=0

And also the way to detect easily

bubu@val1:~/c++/aiengine/src$ ./aiengine -i /home/bubu/pcapfiles/ratty/ -R -r "^\x05(\x00$|$)" -r "^\x05$" -m
AIEngine running on Linux kernel 4.4.0-92-generic #115-Ubuntu SMP Thu Aug 10 09:04:33 UTC 2017 x86_64
GCC version:5.4.0
Pcap version:libpcap version 1.7.4
Pcre version:8.38
Boost version:1.58
Static memory support:no
[10/27/17 14:02:17] Lan network stack ready.
[10/27/17 14:02:17] Enable NIDSEngine on Lan network stack
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/072d69dc34676d269797afe1c68bc6d65f7e2711519c1bf2f3e7714ee62822f1.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 11 KBytes of memory
Flow:[192.168.56.17:58739:6:134.255.216.114:1234] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/354e763f72eeed01067109bfd74d85c5e31e84ef6024bd8b459040a501e927dc.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.11:52044:6:89.33.16.229:1337] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/3f3f44752da5d546c7acfddf5823307c6c92dc813323cc2fc3f04b98f5519901.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.10:49160:6:88.67.160.102:1188] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/62e9f321ddcaa209cc9e42697a97e0657aed8d6b1eb85035bd74c9c6ecc00295.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 13 KBytes of memory
Flow:[192.168.56.21:62079:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/7f50695e93f855887fb1bfbabdb7bb2994e9b67d1f931f04be41ab5361842d56.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.17:49172:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/f137894ebaa308f62f4f5cfa3c2d1282ea3d474035606848b982a5a79602e279.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:52299:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/fa168e58e1e42ae9c95088aec2a262ef8d5700f3241c1135d77f3e3484db1a74.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:49166:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
PacketDispatcher(0xbd6b50) statistics
Connected to Lan network stack
Total packets: 9612
Total bytes: 3350895

RegexManager(0xbeabf0)[Generic Regex Manager] Plugged on TCPGenericProtocol
Name:experimental0 Matchs:7 Evaluates:53
Name:experimental1 Matchs:7 Evaluates:23

Exiting process

Anonymous

Oct 27th 2017
7 years ago

Login here to join the discussion.


Top of page
Diary Archives