Down the BadRabbit Hole

Max Heinemeyer, Director of Threat Hunting | Wednesday October 25, 2017

This blog post describes the currently circulating ransomware called BadRabbit and how Darktrace’s machine learning technology detects it. BadRabbit is a self-propagating piece of malware that uses SMB to spread laterally. The campaign is reminiscent of the WannaCry and NotPetya attacks seen earlier this year. Some of the functionality in BadRabbit and the modus operandi of how it infects the targets is similar to the NotPetya attack.

The attack initially hit companies in Russia and Ukraine on October 24th, 2017. Since, the ransomware has spread to other countries across the world as well.

Infection process

The initial infection vector appears to be via drive-by downloads and social engineering using fake Adobe Flash player files. Various news and media websites predominantly but not exclusively in Russia and Ukraine served their visitors with pop-up alerts asking them to download Adobe Flash player software updates. It is unclear at this point if the websites were compromised, or if the advertisement networks were leveraged to display the fake Adobe Flash downloads.

This technique of presenting users with fake updates, commonly Adobe Flash, containing ransomware, adware or other forms of malware, has gained traction in the last six months. The same approach is often applied to trick users into inadvisable actions, such as downloading malware when browsing TV streaming websites, or torrent websites.

Once downloaded, a user has to execute the fake Adobe Flash player with administrative credentials manually. No exploits are used to automatically execute the malware. The malware creates a scheduled task for another file upon execution. The ransomware then encrypts files on the compromised devices using a hard-coded list of file extensions using a RSA 2048 key. The criminals demand a Bitcoin payment for decrypting the files. Users are pointed to a .onion website, which has to be accessed via Tor, to pay the ransom.

BadRabbit can brute-force its way over SMB to other devices on the network using a hard-coded list of common credentials. The malware appears to contain a stripped-down version of the Mimikatz tool which is used to gather credentials on Windows machines. This is likely used to further enhance its lateral movement capabilities using SMB.

Update (October 30, 2017): As the investigation of BadRabbit capabilities continued over the weekend, new details about how BadRabbit spreads have been uncovered. BadRabbit appears to be using the EternalRomance exploit that targets CVE-2017-0145, patched by Microsoft in March 2017, to propagate within the internal network over SMB. As Darktrace’s AI does not rely on identifying individual exploits to detect breaches, this latest discovery does not affect Darktrace’s capability to identify BadRabbit infections. All of the previously identified detection capabilities still hold true.

Darktrace instantly detects BadRabbit

Darktrace has strong detection capabilities for this campaign without the use of any signatures. In fact, we alerted a number of our customers within seconds of the initial fake Flash Player download on their respective networks, and well before the extent of the campaign was publicly known.

The initial fake Adobe Flash Player download from 1dnscontrol[.]com is immediately detected as a suspicious download:

If the early signs of BadRabbit go undetected, the infected devices start brute-forcing access to other devices on the network using SMB - causing thousands of SMB session login attempts per endeavored lateral movement over port 445. This highly anomalous behavior marks a sharp departure from customers’ normal ‘pattern of life’, making BadRabbit very easy to detect for Darktrace’s machine learning technology. Within seconds, Darktrace alerted the affected organizations about this attack flagging it as ‘SMB Session Brute Force’. The below shows an ongoing lateral movement attempt from an infected device to another client device using SMB session brute-force.

Infected devices make connection attempts to one or two seemingly randomly generated IP addresses on the internet over port 445 and also port 139. Examples of these failed connection attempts are displayed below. Darktrace instantly recognized this as unusual behavior for the infected device:

Compromised devices will attempt to move laterally on the network in a search for other devices to infect. Darktrace’s AI algorithms can swiftly recognize this anomalous behavior, alerting the affected organization in real time about these ‘Unusual Internal Connections’, as well as potential ‘Network Scans’.

The below model breaches seen in Darktrace are expected in a BadRabbit infection. Please be aware that not all models listed below are expected to breach in every infection - this depends on the actual behavior observed by Darktrace.

Anomalous File / EXE from Rare External Destination
Device / SMB Session Brute Force
Unusual Activity / Unusual Internal Connections
Device / Network Scan
Unusual Activity / Sustained Unusual Activity
Anomalous Connection / Suspicious Read / Write Ratio
Compliance / Tor Usage

The Darktrace ‘Omnisearch’ and ‘Advanced Search’ features can be used to identify any connections made to the known network Indicators of Compromise:

1dnscontrol[.]com(hosting the fake Adobe Flash player file)
185.149.120[.]3(static IP observed, victims HTTP POSTing to the IP)

Conclusion

BadRabbit is a machine-speed ransomware attack that exhibits some of the functionality and infection mechanics of the WannaCry and NotPetya breaches observed earlier this year. The BadRabbit malware masks itself as an ‘Adobe Flash’ software update, tempting unsuspecting users to initiate a download. After the initial impact, the attack can spread from machine to machine without human intervention.

Darktrace’s AI algorithms are quick to detect the highly anomalous patterns of behavior that BadRabbit triggers on a network, alerting the security team in real time. We have seen BadRabbit bypass traditional security controls around the globe, demonstrating once again the futility of attempting to identify and stop threats with rules and signatures. As Darktrace’s machine learning technology doesn’t rely on any assumptions of what ‘bad’ looks like and detects unfolding attacks not by what they are but by what they do, it is very powerful at catching and stopping ransomware attacks like BadRabbit in real time.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.