‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine

By and on

This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and Raj Samani.

McAfee is currently investigating a ransomware campaign known as BadRabbit, which initially infected targets in Russia and the Ukraine. We are also investigating reports of infected systems in Germany, Turkey, and Bulgaria and will provide updates as more information becomes available. For McAfee product coverage, please see “How McAfee Products Can Protect Against BadRabbit Ransomware.”

When victims visit the following site, a dropper is downloaded:

hxxp://1dnscontrol[dot]com/flash_install.php

After infection, the victim sees the following screen:

The ransomware is currently charging 0.05 Bitcoin; however, there is no confirmation that paying the ransom will result in a decryption key being provided.

A decryption site at the following .onion (Tor) domain displays the time that victims have left before the price goes up:

caforssztxqzf2nm[dot]onion

Files with the following extensions are encrypted:

.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf .der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key .mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx .php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff .vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.

The malware starts a command-line with following values:

Cmd /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR “C:\Windows\system32\cmd.exe /C Start \”\” \”C:\Windows\dispci.exe\” -id 1082924949 && exit”

“/TN rheagal” refers to a system account with the name rhaegal used to create the scheduled task and start the ransomware file dispci.exe. Rhaegal is likely a reference to a dragon from the popular TV show “Game of Thrones.” In fact, three dragon names—Rhaegal, Viserion, and Drogon—are used in relation to the following scheduled tasks:

The malware then uses the following commands to clear security logs and delete the update sequence number (USN) change journal, which is used to recover files, for example:

Cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

The USN change journal provides a persistent log of all changes made to files on the volume, according to the Microsoft Developer Network. As files, directories, and other NTFS objects are added, deleted, and modified, NTFS enters records into the USN change journal, one for each volume on the computer. Each record indicates the type of change and the object changed. New records are appended to the end of the stream.

We also found a DNS query to ACA807(x)ipt.aol[dot]com, in which the “##” is a two-digit hex number from 00-FF ACA807##.ipt.aol[dot]com.

We created a graph of the events occurring during an infection by one of the BadRabbit samples. The initial binary loads itself into memory and kills the initial process. Further processes drop configuration, services files, and other artifacts used in the attacks. The graph ends with the creation of the preceding scheduled tasks.

Embedded Credentials

One of the samples (579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648) seems to contain a list of default credentials with an attempt to brute-force credentials and get the scheduled tasks to execute the ransomware:

  • secret
  • 123321
  • zxc321
  • zxc123
  • qwerty123
  • qwerty
  • qwe321
  • qwe123
  • 111111
  • password
  • test123
  • admin123Test123
  • Admin123
  • user123
  • User123
  • guest123
  • Guest123
  • administrator123
  • Administrator123
  • 1234567890
  • 123456789
  • 12345678
  • 1234567
  • 123456
  • adminTest
  • administrator
  • netguest
  • superuser
  • nasadmin
  • nasuser
  • ftpadmin
  • ftpuser
  • backup
  • operator
  • other user
  • support
  • manager
  • rdpadmin
  • rdpuser
  • user-1
  • Administrator

Game of Thrones Fans?

It is common for attackers to use pop-culture references in their attacks. These attackers seem to have an interest in “Game of Thrones,” with at least three references to the series. Viserion, Rhaegal, and Drogon are names of scheduled tasks. GrayWorm, the name of a “Game of Thrones” commander, is the product name in the binary’s EXIF data.

Detection

There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable. McAfee detects all three:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

 

Categories: McAfee Labs
Tags: , ,

2 comments on “‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine

Leave a Comment

Similar articles

Holiday stress. Every year, come November, my resting heart rate starts to rise: the festive season is approaching. Not only is there so much to do but there’s so much to spend money on. There are presents to purchase, feasts to prepare and party outfits to buy. Throw in a holiday to fill the long ...
Read Blog
Cryptocurrency mining is the way transactions are verified and added to the public ledger, a database of all the transactions made around a particular piece of cryptocurrency. Cryptocurrency miners compile all of these transactions into blocks and try to solve complicated mathematical problems to compete with other miners for bitcoins. To do this, miners need ...
Read Blog
The authors thank their colleagues Oliver Devane and Deepak Setty for their help with this analysis. McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies. Coin mining malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background ...
Read Blog