Bad Rabbit: the unrelenting ransomware attacks on the Eastern bloc

By mhahad posted 10-25-2017 18:28




Following in the footsteps of WannaCry and NotPetya, Ukraine, Russia and a few other neighboring countries with Russian-speaking communities were once again the target of a ransomware attack on Tuesday, October 24. The attack was orchestrated from compromised Russian-language news sites, which explains the victims' geographical distribution. The malware encrypts the victim's files and disk before asking for a ransom of 0.05 BTC, roughly $250.


Infection Source

The compromised news sites injected malicious JavaScript that showed visitors of interest a popup posing as a Flash updater. If the visitor fell for the social engineering trick and accepted the download, a dropper was fetched from the site 1dnscontrol[.]com and saved as install_flash_player.exe. This file does not auto-launch: the user has to run it manually.


Infection Process

Once the dropper is launched, it drops the malicious payload as infpub.dat, which is a DLL, and starts it with the command:

rundll32 infpub.dat,#1 15


At the start of ordinal function #1, it checks its current privileges and starts initializing variables. Those privileges are required for the malware to impersonate the user and to reboot the system after encryption.



It then checks for the presence of a mutex to make sure it doesn't run twice on the same host. The mutex name is derived from the victim's hostname.


If the malware has "SeDebugPrivilege", it drops the file cscc.dat in the Windows folder. This is a legitimate driver from the open-source "DiskCryptor" project. It is stored in the dropper's resource section under the resource type "Strings" with the resource name "7". This driver is later used by another dropped file, dispci.exe, to encrypt the drive.





It then drops dispci.exe into the %windows% folder from its resource section (resource name "9") and creates a scheduled task named "rhaegal" that executes dispci.exe every time the system reboots.


It then creates another scheduled task named "drogon" that shuts down the system after a little while (18 minutes at a minimum). Presumably, this gives it enough time to spread laterally and encrypt the files.



Then, in a bizarre move usually only seen in stealthy malware seeking persistence, it creates a thread that deletes event logs and journals. As if it were necessary to cover its tracks after encrypting the victim's files!


Harvesting Credentials


Bad Rabbit creates another thread that scans the "Local Network".

If it has "SeShutdownPrivilege" and "SeDebugPrivilege", it invokes "Mimikatz" from its resource "1"; this is a tool used by attackers to harvest credentials. It first drops the tool as {random}.tmp in the %windows% folder, then executes it as follows:


"""C:\Windows\A5AB.tmp"" \\.\pipe\{3A24C506-EE04-49B9-B857-954EFC8D030B}"


The argument, a named pipe, is where the tool stores the harvested credentials for the main payload to read back.


Lateral Spread

After scanning the local network for SMB shares and harvesting credentials, it starts propagating through the available network shares using the harvested credentials as well as a hardcoded list of usernames and passwords typically found in file-server installations. These have been posted on pastebin:


Administrator, Admin, Guest, User, User1, user-1, Test, root, buh, boss, ftp, rdp, rdpuser, rdpadmin, manager, support, work, other, user, operator, backup, asus, ftpuser, ftpadmin, nas, nasuser, nasadmin, superuser, netguest, alex



Administrator, administrator, Guest, guest, User, user, Admin, adminTest, test, root, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, Administrator123, administrator123, Guest123, guest123, User123, user123, Admin123, admin123, Test123, test123, password, 111111, 55555, 77777, 777, qwe, qwe123, qwe321, qwer, qwert, qwerty, qwerty123, zxc, zxc123, zxc321, zxcv, uiop, 123321, 321, love, secret, **bleep**, god.




Upon successful propagation, infpub.dat is dropped into the ADMIN$ share (which maps to the %Windows% folder) and executed through the Service Control Manager (SCManager).




The remote execution will invoke the command:

C:\Windows\System32\rundll32.exe "C:\Windows\infpub.dat",#2 15


Ordinal #2 of infpub.dat will run ordinal #1.
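
The execution chain described in the Infection Process, Harvesting Credentials and Lateral Spread sections (rundll32 launching infpub.dat by ordinal, the "rhaegal"/"drogon" tasks, the Mimikatz .tmp with its named pipe, dispci.exe in the Windows folder, and the SCM-driven remote launch) expressed as detection logic over process-creation events. This is an added example, not code from the original post or from any vendor product: the Sysmon-style field names (Image, CommandLine, ParentImage), the rule names, the schtasks command lines and all sample events are assumptions constructed for the demonstration.

```python
import re

# Added example, not code from the original post. Detection logic for the
# Bad Rabbit execution chain over constructed Sysmon-style process events
# (Image / CommandLine / ParentImage are assumed field names).
RULES = [
    # payload DLL launched by ordinal: #1 locally, #2 when pushed over SMB/SCM
    ("badrabbit_rundll32_infpub",
     re.compile(r'rundll32(?:\.exe)?\s+"?(?:[a-z]:\\windows\\)?infpub\.dat"?,#[12]\b', re.I)),
    # scheduled tasks "rhaegal" (dispci.exe at boot) and "drogon" (delayed shutdown)
    ("badrabbit_schtask_name", re.compile(r'/tn\s+"?(?:rhaegal|drogon)\b', re.I)),
    # Mimikatz dropped as <random>.tmp in %windows% and handed a named pipe
    ("badrabbit_mimikatz_pipe",
     re.compile(r'\\windows\\[^\\"\s]+\.tmp"*\s+\\\\\.\\pipe\\\{[0-9a-f-]{36}\}', re.I)),
]

def match_event(event):
    """Return the names of every rule that fires on one event dict."""
    hits = [name for name, rx in RULES if rx.search(event.get("CommandLine", ""))]
    # dispci.exe sitting directly in the Windows folder is the disk-encryption stage
    if re.search(r'^[a-z]:\\windows\\dispci\.exe$', event.get("Image", ""), re.I):
        hits.append("badrabbit_dispci_image")
    # payload started by the Service Control Manager = lateral spread onto this host
    if "badrabbit_rundll32_infpub" in hits and \
            event.get("ParentImage", "").lower().endswith("\\services.exe"):
        hits.append("badrabbit_remote_scm_launch")
    return hits

def scan_events(events):
    """Return [(rule, CommandLine)] for every rule hit across all events."""
    return [(r, e.get("CommandLine", "")) for e in events for r in match_event(e)]

# Constructed sample telemetry (not real logs); the first event is benign.
# The schtasks command line is an assumption; the post only gives the task names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\bob\Downloads\install_flash_player.exe",
     "CommandLine": r"rundll32 infpub.dat,#1 15"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\dispci.exe"'},
    {"Image": r"C:\Windows\A5AB.tmp", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\A5AB.tmp" \\.\pipe\{3A24C506-EE04-49B9-B857-954EFC8D030B}'},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'C:\Windows\System32\rundll32.exe "C:\Windows\infpub.dat",#2 15'},
    {"Image": r"C:\Windows\dispci.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\dispci.exe"},
]
```

Running scan_events(SAMPLE_EVENTS) yields six hits, one per malicious stage plus the SCM-parent correlation on the remote launch, and nothing for the benign rundll32 event.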






File Encryption

Bad Rabbit embeds a list of file extensions to encrypt:


It looks for files with these extensions throughout the drive, skipping some folders: Windows, Program Files, ProgramData and AppData.




Once the file encryption process is completed, the ransomware creates a ransom note in C:\Readme.txt.



Disk Encryption


Beyond file encryption, Bad Rabbit also performs disk encryption, which happens after a reboot. The scheduled task "rhaegal" runs dispci.exe, which modifies the bootloader. After the first reboot the disk is not yet encrypted; only the bootloader has been modified. On the next reboot, the modified bootloader runs and starts encrypting the drive. It is also at this point that the ransom message appears on the screen, and you are no longer able to log in to the computer.



Both Juniper Sky ATP and Cyphort on-prem solutions detect this threat as seen in the screenshots below:









As typical with ransomware, the damage this threat can cause is substantial depending on the value of the asset being compromised. We recommend that the following preventive measures be taken:

  • Back up data on volumes that are isolated from your network so they don't get encrypted too. Test those backups before you urgently need them.
  • Patch your systems swiftly (remember MS17-010?) and disable SMBv1.
  • Segment your networks.
  • Do not reuse passwords and enforce a strong password policy.
  • Deploy advanced threat detection capable of seeing lateral movement.
  • Implement behavior-based detection; signatures alone won't cut it.


Many thanks to Paul Kimayong for reversing this malware and providing the detailed analysis.





10-31-2017 12:16

Some advice from Kaspersky Lab in this case:

  • make sure that all protection mechanisms are activated as recommended; and that KSN and System Watcher components (which are enabled by default) are not disabled.
  • update the antivirus databases immediately.

The above-mentioned measures should be sufficient. However, as additional precautions we advise the following:

  • restricting execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat in Kaspersky Endpoint Security.
  • configuring and enabling Default Deny mode in the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce proactive defense against this and other attacks.

Kaspersky Lab products detect this threat with the following verdicts:

  • Trojan-Ransom.Win32.Gen.ftl
  • Trojan-Ransom.Win32.BadRabbit
  • DangerousObject.Multi.Generic
  • PDM:Trojan.Win32.Generic

fbbdc39af1139aebba4da004475e8839 – install_flash_player.exe
1d724f95c61f1055f0d02c2154bbccd3 – C:\Windows\infpub.dat
b14d8faf7f0cbcfad051cefe5f39645f – C:\Windows\dispci.exe

And another source about the issue

10-26-2017 12:54

Well-written article which clearly conveys 3 key points:

1. The need for network security (how a small investment will save super huge embarrassing losses for the org)

2. How Bad Rabbit works.

3. How Juniper's SKY (cloud) and Cyphort (on prem) can mitigate this attack.


A must-share article with customers! Kudos to the author and thank you. Please keep more of these coming!