Down the BadRabbit Hole

Max Heinemeyer, Director of Threat Hunting | Wednesday October 25, 2017

This blog post describes the currently circulating ransomware called BadRabbit and how Darktrace’s machine learning technology detects it. BadRabbit is a self-propagating piece of malware that uses SMB to spread laterally. The campaign is reminiscent of the WannaCry and NotPetya attacks seen earlier this year. Some of the functionality in BadRabbit and the modus operandi of how it infects the targets is similar to the NotPetya attack.

The attack initially hit companies in Russia and Ukraine on October 24th, 2017. Since, the ransomware has spread to other countries across the world as well.

Infection process

The initial infection vector appears to be via drive-by downloads and social engineering using fake Adobe Flash player files. Various news and media websites predominantly but not exclusively in Russia and Ukraine served their visitors with pop-up alerts asking them to download Adobe Flash player software updates. It is unclear at this point if the websites were compromised, or if the advertisement networks were leveraged to display the fake Adobe Flash downloads.

This technique of presenting users with fake updates, commonly Adobe Flash, containing ransomware, adware or other forms of malware, has gained traction in the last six months. The same approach is often applied to trick users into inadvisable actions, such as downloading malware when browsing TV streaming websites, or torrent websites.

Once downloaded, a user has to execute the fake Adobe Flash player with administrative credentials manually. No exploits are used to automatically execute the malware. The malware creates a scheduled task for another file upon execution. The ransomware then encrypts files on the compromised devices using a hard-coded list of file extensions using a RSA 2048 key. The criminals demand a Bitcoin payment for decrypting the files. Users are pointed to a .onion website, which has to be accessed via Tor, to pay the ransom.

BadRabbit can brute-force its way over SMB to other devices on the network using a hard-coded list of common credentials. The malware appears to contain a stripped-down version of the Mimikatz tool which is used to gather credentials on Windows machines. This is likely used to further enhance its lateral movement capabilities using SMB.

Update (October 30, 2017): As the investigation of BadRabbit capabilities continued over the weekend, new details about how BadRabbit spreads have been uncovered. BadRabbit appears to be using the EternalRomance exploit that targets CVE-2017-0145, patched by Microsoft in March 2017, to propagate within the internal network over SMB. As Darktrace’s AI does not rely on identifying individual exploits to detect breaches, this latest discovery does not affect Darktrace’s capability to identify BadRabbit infections. All of the previously identified detection capabilities still hold true.

Darktrace instantly detects BadRabbit

Darktrace has strong detection capabilities for this campaign without the use of any signatures. In fact, we alerted a number of our customers within seconds of the initial fake Flash Player download on their respective networks, and well before the extent of the campaign was publicly known.

The initial fake Adobe Flash Player download from 1dnscontrol[.]com is immediately detected as a suspicious download:

If the early signs of BadRabbit go undetected, the infected devices start brute-forcing access to other devices on the network using SMB - causing thousands of SMB session login attempts per endeavored lateral movement over port 445. This highly anomalous behavior marks a sharp departure from customers’ normal ‘pattern of life’, making BadRabbit very easy to detect for Darktrace’s machine learning technology. Within seconds, Darktrace alerted the affected organizations about this attack flagging it as ‘SMB Session Brute Force’. The below shows an ongoing lateral movement attempt from an infected device to another client device using SMB session brute-force.

Infected devices make connection attempts to one or two seemingly randomly generated IP addresses on the internet over port 445 and also port 139. Examples of these failed connection attempts are displayed below. Darktrace instantly recognized this as unusual behavior for the infected device:

Compromised devices will attempt to move laterally on the network in a search for other devices to infect. Darktrace’s AI algorithms can swiftly recognize this anomalous behavior, alerting the affected organization in real time about these ‘Unusual Internal Connections’, as well as potential ‘Network Scans’.

The below model breaches seen in Darktrace are expected in a BadRabbit infection. Please be aware that not all models listed below are expected to breach in every infection - this depends on the actual behavior observed by Darktrace.

Anomalous File / EXE from Rare External Destination
Device / SMB Session Brute Force
Unusual Activity / Unusual Internal Connections
Device / Network Scan
Unusual Activity / Sustained Unusual Activity
Anomalous Connection / Suspicious Read / Write Ratio
Compliance / Tor Usage

The Darktrace ‘Omnisearch’ and ‘Advanced Search’ features can be used to identify any connections made to the known network Indicators of Compromise:

1dnscontrol[.]com(hosting the fake Adobe Flash player file)
185.149.120[.]3(static IP observed, victims HTTP POSTing to the IP)

Conclusion

BadRabbit is a machine-speed ransomware attack that exhibits some of the functionality and infection mechanics of the WannaCry and NotPetya breaches observed earlier this year. The BadRabbit malware masks itself as an ‘Adobe Flash’ software update, tempting unsuspecting users to initiate a download. After the initial impact, the attack can spread from machine to machine without human intervention.

Darktrace’s AI algorithms are quick to detect the highly anomalous patterns of behavior that BadRabbit triggers on a network, alerting the security team in real time. We have seen BadRabbit bypass traditional security controls around the globe, demonstrating once again the futility of attempting to identify and stop threats with rules and signatures. As Darktrace’s machine learning technology doesn’t rely on any assumptions of what ‘bad’ looks like and detects unfolding attacks not by what they are but by what they do, it is very powerful at catching and stopping ransomware attacks like BadRabbit in real time.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

The ‘Matrix Banker’ Reloaded

Max Heinemeyer, Director of Threat Hunting | Thursday October 12, 2017

Overview

Over the last few weeks, Darktrace has confidently identified traces of the resurgence of a stealthy attack targeting Latin American companies. This targeted campaign was first observed between March and June this year. Arbor Networks initially labelled the malware used in the campaign ‘Matrix Banker’. The name used by Proofpoint is ‘Win32/RediModiUpd’. The malware used by the attackers appeared to be still under development when the last report came out in June 2017.

Darktrace has observed an attack wave targeting Mexican companies in August and September 2017. Some of the TTPs (tools, techniques, procedures) observed bear close resemblance to those seen in the ‘Matrix Banker’ attacks earlier this year. The campaign is crafted to be particularly stealthy and to blend into certain networks in Latin America, confirming the suspicion of its targeted nature. Darktrace’s machine learning and AI algorithms were able to identify the infected devices almost instantaneously, despite apparent efforts by the malware author to be covert and stealthy.

Between August and October 2017, Darktrace detected highly anomalous behavior on five seemingly unrelated networks in Mexico. Unlike the original strain of this attack, which was believed to target financial institutions almost exclusively, this latest variant affected customers across a number of industry verticals, suggesting that the threat actors are diversifying their targets. Darktrace has seen the attack hit companies in the healthcare, telecommunications, food and retail sectors.

Infection process

The initial infection vector appears to be phishing emails. The users downloaded the initial piece of malware from compromised Mexican websites. The infected files were Windows executables masqueraded as .mp3 and .gif files. Example downloads are listed below. Darktrace instantly detected the highly anomalous behavior of these downloads, which occurred from 100% rare external domains for the networks, and alerted the respective security teams.

hxxp://gorrasbaratas.com[.]mx/images/sss/sound.mp3 [1]
hxxp://inseltech.com[.]mx/inicio/wp-includes/kk/sound.mp3 [2]

The actual file names of the downloads are ‘logo.gif’.

The ‘Matrix Bankers’ attack tried to conceal malware downloads using masqueraded files in previous attacks. What is interesting about the hacked websites serving the malware is that they are using the .mx top level domain. This localised and targeted technique is used to conceal the traffic and make it blend in with normal network traffic on networks in Mexico.

Following the initial infection, in some cases a second stage malware was downloaded. Darktrace detected this as more anomalous activity since the downloads took place from more 100% rare external destinations:

hxxp://dackdack[.]club/APIv3/modules/nn_grabber_x64.dll [3]
hxxp://dackdack[.]club/APIv3/modules/nn_grabber_x32.dll [4]

Successful second stage downloads were seen to be followed by suspicious HTTP POST beaconing behavior, resembling command and control communication to various domains:

hxxp://kuxkux[.]bit/APIv3/api.php
hxxp://drdrfdd[.]cat/forum/logout.php
hxxp://eaxsess[.]cat/forum/logout.php

Not all targeted companies were seen to receive a second-stage malware download. This might indicate a sophisticated attack plan where the initial generic, covert backdoor is followed by a targeted second-stage payload that is chosen based on the victim and its potential value to the cyber criminals (long term data exfiltration, ransomware, banking Trojan…). Customers reported that infected devices had their anti-virus disabled, or removed by the malware. This showcases that companies cannot solely rely on signature based systems to catch novel, evolving threats.

The beaconing behavior to these 100% unusual external domains was immediately detected as it represented a strong deviation from the devices’ normal ‘pattern of life’. The use of domains hosted on .cat (top level domain used for the Catalan culture and language) indicates that the attackers are highly aware of the cultural context of their target victims and try to make the malware communication blend in with network traffic.

This graphic illustrates the strong detection Darktrace showed during the initial ‘Matrix Banker’ infection. Every colored dot represents a Darktrace detection. A clear deviation from the previous ‘pattern of life’ can be seen around the time of the infection.

Compromised machines made further repeated DNS requests to the domains below:

dackdack[.]tech
dackdack[.]online
kuykuy[.]bit

At the time of our investigation, the domains below resolved to the following IP address:

142.44.188[.]42
dackdack[.]club
eaxsess[.]cat
kuxkux[.]bit
drdrfdd[.]cat

Closing thoughts

Although final attribution is impossible, the evidence strongly suggests that the campaign described here is similar to the ‘Matrix Banker’ campaign observed in March and June 2017 and might be a continuation of it.

The initial malware was concealing its file types by using different file extensions than their MIME type. More precisely, the use of ‘logo.gif’ has been seen in previous ‘Matrix Banker’ attacks.

There are 3,000 deployments of Darktrace’s AI technology across 70 countries, but all identified instances of this type of compromise are in Latin American organizations.

The ‘Matrix Bankers’ have used Catalan top-level domains in past attacks. In fact, some of the domains used previously are very similar to domains observed here. One domain seen in September was the exact same domain as seen in an earlier attack – just with an additional ‘s’ appended:

Example domains from March/June 2017

trtr44[.]cat
lalax[.]cat
eaxses[.]cat

Example domains from August/October 2017

drdrfdd[.]cat
kuxkux[.]bit
eaxsess[.]cat
kuykuy[.]bit
dackdack[.]tech

Although the domains appear to be randomly generated, a closer look reveals that the ‘Matrix Bankers’ seem to favor generating domain names by using keys that are physically close together on a keyboard, or by repeating phrases one might type in a hurry, when lacking creativity for naming a temporary download (e.g. asdasd.jpeg). We saw this pattern for domain name generation in the March - June ‘Matrix Bankers’ campaign as well as here.

Darktrace’s AI technology was able to detect these stealthy and sophisticated attacks because the way in which they manifest themselves represents a sharp deviation from the normal ‘pattern of life’ within an organization. The threat actors applied a number of techniques to blend into the normal noise of networks, but the self-learning algorithms were quick in detecting the anomalous behavior automatically and in real time.

Footnotes

List of IoCs

dackdack[.]club
dackdack[.]tech
dackdack[.]online
eaxsess[.]cat
kuxkux[.]bit
kuykuy[.]bit
drdrfdd[.]cat
inseltech.com[.]mx
gorrasbaratas.com[.]mx
142.44.188[.]42

[1] VirusTotal analysis of this file
[2] SHA-1: 88f3bdc84908c1fb844b337c535eef2d2b31e1dc
[3] VirusTotal analysis of this file
[4] VirusTotal analysis of this file

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.