The BadRabbit server-side ransomware was first seen on October 24, 2017, and has mainly been confined to Russia and Ukraine. The initial vector has been reported to be a drive-by download: the victim visits a compromised site and downloads a malicious executable masquerading as a Flash Player update. Once running, it attempts to propagate to remote machines within the network using two methods: a WebDAV request to transfer its files to a remote system, or traversal of SMB shares to accomplish the same task. Successful detonation of this ransomware encrypts the user's files and can potentially affect other systems within the network.
Exploitation
Stages
- The victim visits a website that has been compromised by a malicious user; a pop-up appears asking the victim to download an update for Flash Player.
- The user downloads the fake Flash update to their system and runs the malware as administrator. This creates the main dropper, infpub.dat.
- The DAT file infpub.dat carries out several important tasks, such as:
  - Scheduling tasks
  - Creating a service
  - Creating web servers
  - Creating dispic.exe and cscc.dat (the DiskCryptor client and DiskCryptor driver)
  - Beginning lateral movement to propagate (enumerating IPs in the local network, dropping Mimikatz, and creating named pipes)
  - Encrypting the files on the system; the system then restarts and displays a ransom message with an onion address the victim is told to visit to pay the malicious user
- The malware attempts lateral movement via SMB using a predetermined list of credentials stored in the malware, or credentials harvested with Mimikatz. It also makes use of a public exploit for the EternalSynergy/EternalRomance SMB bug. If successful, the malware writes its main executable files to the remote system and creates the services required to execute them.
- The malware attempts lateral movement via WebDAV requests that transfer its files to vulnerable hosts.
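The stages above leave a recognisable trail of host events (the infpub.dat dropper launched through rundll32, the cscc.dat driver installed as a service, dispic.exe/cscc.dat written to disk, and a scheduled task created). The following detection logic is an added example, not Alert Logic code: the artifact names are those given in this advisory, while the event format, rule names and log lines are constructed.

```python
"""Flag hosts showing several BadRabbit stage indicators in endpoint telemetry.
Added example; artifact names (infpub.dat, dispic.exe, cscc.dat) come from the
advisory, the 'ts host action detail' event format and sample lines are constructed."""
import re
from collections import defaultdict

# Constructed rules: (indicator name, regex over "action detail" of one event).
RULES = [
    ("dropper_dll", re.compile(r"rundll32\S*\s+.*infpub\.dat", re.I)),
    ("diskcryptor_files", re.compile(r"FileCreate .*\\(dispic\.exe|cscc\.dat)", re.I)),
    ("driver_service", re.compile(r"ServiceInstall .*cscc\.dat", re.I)),
    ("scheduled_task", re.compile(r"schtasks(\.exe)?\s+/Create", re.I)),
]

def parse_event(line):
    """Parse 'ts host action detail'; return None for malformed lines."""
    m = re.match(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$", line.strip())
    if not m:
        return None
    ts, host, action, detail = m.groups()
    return {"ts": ts, "host": host, "text": f"{action} {detail}"}

def indicators_by_host(lines):
    """Map each host to the set of distinct stage indicators seen for it."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, rx in RULES:
            if rx.search(ev["text"]):
                hits[ev["host"]].add(name)
    return hits

def flagged_hosts(lines, min_indicators=2):
    """Hosts with at least min_indicators distinct indicators; a lone schtasks
    call is normal administration, so one indicator alone does not alert."""
    by_host = indicators_by_host(lines)
    return sorted(h for h, s in by_host.items() if len(s) >= min_indicators)

# Constructed sample telemetry: WS-01 shows the full chain, WS-02 a benign task.
SAMPLE_LOG = """\
2017-10-24T12:01:05Z WS-01 ProcessCreate C:\\Windows\\System32\\rundll32.exe C:\\Windows\\infpub.dat
2017-10-24T12:01:09Z WS-01 FileCreate C:\\Windows\\cscc.dat
2017-10-24T12:01:10Z WS-01 ServiceInstall cscc ImagePath=C:\\Windows\\cscc.dat
2017-10-24T12:01:12Z WS-01 ProcessCreate schtasks.exe /Create /SC once /TN update-task
2017-10-24T12:05:00Z WS-02 ProcessCreate schtasks.exe /Create /SC daily /TN nightly-backup
"""

if __name__ == "__main__":
    print(flagged_hosts(SAMPLE_LOG.splitlines()))
```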
Prerequisites
An exploitable weakness must exist that allows the ransomware to be loaded onto the victim's system; in this case, a user with administrative rights running the fake update.
Vulnerability Description
The initial vector of the BadRabbit ransomware has been widely reported to be a drive-by download: the victim visits a compromised site and downloads a malicious executable masquerading as a Flash Player update. Note that the victim has to run the update as administrator for the malware to execute successfully. When executed, the malware creates and runs its main DLL, 'infpub.dat'. This DLL encrypts the user's files using the legitimate DiskCryptor utility. It also attempts to propagate to remote machines within the network using two methods: a WebDAV request to transfer its files to a remote system, or traversal of SMB shares to accomplish the same task. Successful detonation of this malware encrypts the user's files and can potentially affect other systems within the network.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) used by Alert Logic Threat Manager™ has been updated with new signatures for this threat. If a signature is triggered, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Ensure that your software is up to date, and in particular patch any file upload vulnerabilities that are identified.