BadRabbit is a new form of ransomware, which began making headlines toward the end of October 2017. Initial analysis of this new strain of ransomware noted distinct similarities to NotPetya, though with significant differences in the code base.
BadRabbit is known to have been spread via a drive-by attack masquerading as an Adobe Flash update, and has predominantly affected Russia and Ukraine.
Unlike most online examinations of BadRabbit, in this blog we'll be emphasizing the importance of analyzing network traffic when identifying and responding to the threat of malware. Though we'll make some observations regarding the malware sample and its behaviour from a user perspective, our focus will be on the analysis of traffic captured from within a malware analysis laboratory environment.
Let’s explore three main aspects of BadRabbit's behavior:
The environment in which the malware was run included a Windows 7 PC, a Windows Server 2008R2 DC and a Windows Server 2012 DC. The malware was run under different accounts, including a Domain Administrator account, so as to simulate a worst-case scenario in which the malware is free to move uninhibited through the network. The mapping of IPs to devices can be seen below:
| IP address    | Device                   |
|---------------|--------------------------|
| 192.168.221.5 | Windows Server 2008R2    |
| 192.168.221.6 | Windows Server 2012      |
| 192.168.221.7 | Windows 7 (Ground Zero)  |
Immediately after execution of the malware, a user will notice that attempts to open certain file types on the system will fail owing to data corruption. Looking at the Task Scheduler, two new tasks are added, "drogon" and "rhaegal"; the first of which was designed to force an immediate restart at a particular time, whilst the latter runs the dropped file "dispci.exe" upon restart.
After the restart, a new scheduled task "viserion_x" is added to the scheduler. Like "drogon", this attempts to force a restart. The reason for this is apparent after the next restart, when the user is presented with the following notification:
Looking at the traffic, it appears that the lateral movement process is as follows:
However, in spite of the .dat extension, infpub.dat actually contains executable code, as can be seen by examining the data being written: it starts with the hex sequence "4D 5A" ("MZ"), the signature of a Windows executable file.
C:\Windows\System32\rundll32.exe "C:\Windows\infpub.dat","<User Name>:<Plaintext Password>"
Based on other reports regarding BadRabbit available online, the plaintext password seems likely to have been obtained using Mimikatz (or some derived software), which will have extracted the password directly from memory. It is worth noting that in the event of an infection, these passwords may be traversing the network in plaintext and may be recorded by network analysis appliances.
This same basic pattern was evident through successive run-throughs, though the protocol used varied depending on the machines involved, e.g. traffic directed to the 2012 server was piped over SMBv2, whilst traffic directed at the 2008R2 server was piped over SMBv1.
Based on the above analysis of BadRabbit, we can identify certain indicators of compromise by examining network traffic.
The first of these involves identifying SMB write requests for infpub.dat. This file, which as discussed above is actually executable code that will later be invoked to infect a new host, needs to be written to the admin$ share in order for the infection to spread. Reports indicate that this filename is standard across BadRabbit infections. The following is an example of a Snort-based rule one might use to identify the SMBv2 traffic responsible for creating infpub.dat:
content:"|FE|SMB|40|"; offset:4; depth:5; content:"|05|"; offset:16; depth:17; content:"|05|"; offset:104; depth:105; content:"i|00|n|00|f|00|p|00|u|00|b|00 2e 00|d|00|a|00|t";
The second clear IOC we'll look at is the invocation of infpub.dat. This Service Control traffic will also move via SMB, so the basic pattern for detection will be similar. The following is an example of a Snort-based rule one might use to identify the SMBv2 traffic responsible for running infpub.dat:
content:"|FE|SMB|40|"; offset:4; depth:5; content:"|0B|"; offset:16; depth:17; content:"i|00|n|00|f|00|p|00|u|00|b|00 2e 00|d|00|a|00|t";
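To show what the two rules above actually test on the wire, here is an added Python example (not from the original post) that applies the same checks to a raw TCP payload: the SMB2 magic at offset 4, the command byte at offset 16, the CreateDisposition byte at offset 104 for CREATE, and the UTF-16LE string "infpub.dat". It builds its own constructed SMB2 CREATE and IOCTL requests as sample input; unlike the Snort rules, whose `depth` values give a small search window, it checks the exact byte offsets.

```python
import struct

# SMB2 wire-format values (MS-SMB2) that the page's two rules key on.
SMB2_MAGIC = b"\xfeSMB"          # "|FE|SMB" at payload offset 4, after the 4-byte NetBIOS header
SMB2_CREATE = 0x05               # command at offset 16: CREATE (file write to admin$)
SMB2_IOCTL = 0x0B                # command at offset 16: IOCTL (named-pipe / Service Control traffic)
FILE_OVERWRITE_IF = 0x05         # CreateDisposition at offset 104 (68 + 36 into the CREATE body)
TARGET_NAME = "infpub.dat".encode("utf-16-le")   # the "i|00|n|00|f|00|..." content match

def classify_smb2(payload: bytes):
    """Apply the page's two rules to one TCP payload (NetBIOS header + SMB2 PDU).

    Returns 'infpub-write', 'infpub-invoke' or None. Like the Snort rules this is a
    first-pass byte match, not a full SMB2 parser.
    """
    if len(payload) < 68 or payload[4:9] != SMB2_MAGIC + b"\x40":
        return None
    if TARGET_NAME not in payload:          # the rules search the whole payload for the name
        return None
    command = struct.unpack_from("<H", payload, 16)[0]
    if command == SMB2_CREATE and len(payload) > 104 and payload[104] == FILE_OVERWRITE_IF:
        return "infpub-write"
    if command == SMB2_IOCTL:
        return "infpub-invoke"
    return None

def _smb2_header(command: int) -> bytes:
    # ProtocolId, StructureSize(64), CreditCharge, Status, Command, CreditRequest, Flags,
    # NextCommand, MessageId, Reserved, TreeId, SessionId, Signature: 64 bytes in total
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, 1, 0, 0, 1, 0, 1, 0x1234) + b"\x00" * 16

def _netbios(pdu: bytes) -> bytes:
    return struct.pack(">I", len(pdu)) + pdu   # session header: zero byte + 24-bit length

def create_request(filename: str, disposition: int) -> bytes:
    """Constructed SMB2 CREATE request laid out per MS-SMB2 2.2.13 (sample input)."""
    name = filename.encode("utf-16-le")
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0,
                       0x12019F, 0x80, 0x7, disposition, 0x40, 120, len(name), 0, 0)
    return _netbios(_smb2_header(SMB2_CREATE) + body + name)

def ioctl_request(data: bytes) -> bytes:
    """Constructed SMB2 IOCTL request (MS-SMB2 2.2.31) whose input buffer is `data`;
    in real BadRabbit traffic that buffer would be the Service Control RPC call."""
    body = struct.pack("<HHI16sIIIIIIII", 57, 0, 0x0011C017, b"\x00" * 16,
                       120, len(data), 0, 0, 0, 1024, 1, 0)
    return _netbios(_smb2_header(SMB2_IOCTL) + body + data)
```

A CREATE that merely opens an existing infpub.dat (disposition FILE_OPEN) does not match, which mirrors the rule's insistence on the overwrite disposition used when the file is dropped.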
As we can see above, this particular strain of ransomware relies on SMB-based network traffic to move from host to host. However, this is just one example of how network-based analysis can assist in the examination of malware. Looking at other well-known strains, we can see other IoCs, such as the WannaCry-related SMB traffic used to copy files across the network to the infected host for encryption, before copying the encrypted files back to the remote host.
In this case, full packet capture of all traffic allows not only the identification of malware, but also the capability to restore files by extracting original copies from the network traffic.
Network traffic can also provide insights into internet-bound traffic transmitted by an infected machine, as in the Cerber sample below.
Ransomware is a growing problem, with new strains emerging constantly. In addition, whereas older strains tended to include glaring flaws in their approach to encryption, key management and communications with their command and control servers (which could provide hope of decryption), ransomware is increasingly utilising good cryptographic practices, meaning that prevention and mitigation are key.
Network based analysis may provide important corroborative evidence in support of traditional host based forensics or incident response techniques, or may be useful in detecting threats where host based analysis is at a disadvantage. As malware authors continue to develop heavily obfuscated, polymorphic or fileless malware, the ability to infer the presence of malware based upon its actions (as recorded by a non-compromised system) as opposed to relying on the identification of the malware using host centric signature or behavioural analysis can provide a vital extra line of defense.
As compared to traditional approaches to network security, where the focus tends to be placed on defending the perimeter, it's becoming increasingly important to understand lateral or "east-west" movement within a network. If a single host is compromised or a malicious entity is already present on the network, this may prove to be the staging ground for further attacks directed against soft internal targets. As such, it's important to remain vigilant when it comes to the traffic moving between hosts within a network, and to have the ability to quickly identify traffic of interest amongst the din of a modern network.