Network Analysis: Catching A BadRabbit In The Act

As ransomware continues to evolve and cause havoc within organization's networks, we look at the importance of a network based approach to analyzing and identifying a ransomware infection.

Network Analysis: Catching A BadRabbit In The ActBy Martin Elliott    November 8, 2017      Thinking

BadRabbit is a new form of ransomware, which began making headlines toward the end of October 2017. Initial analysis of this new strain of ransomware noted distinct similarities to NotPetya, though with significant differences in the code base.

BadRabbit is known to have been spread via a drive-by attack masquerading as an Adobe Flash update, and has predominantly affected Russia and Ukraine.

Unlike most online examinations of BadRabbit, in this blog we'll be emphasizing the importance of analyzing network traffic when identifying and responding to the threat of malware. Though we'll make some observations regarding the malware sample and its behaviour from a user perspective, our focus will be on the analysis of traffic captured from within a malware analysis laboratory environment.

Let’s explore three main aspects of BadRabbit's behavior:

  1. Infection - The experience of a user infected by BadRabbit;
  2. Lateral Movement - The means by which BadRabbit may move through a network once a foothold has been obtained;
  3. IOCs - What indicators of compromise exist, especially from the perspective of network traffic.

The environment in which the malware was run included a Windows 7 PC, a Windows Server 2008R2 DC and a Windows Server 2012 DC. The malware was running using different accounts, including a Domain Administrator account so as to simulate a worst case scenario where the malware is free to move uninhibited through the network. The mapping of IPs to devices can be seen below:

IP VM
192.168.221.5 Windows Server 2008R2
192.168.221.6 Windows Server 2012
192.168.221.7 Windows 7 (Ground Zero)

Infection

Immediately after execution of the malware, a user will notice that attempts to open certain file types on the system will fail owing to data corruption. Looking at the Task Scheduler, two new tasks are added, "drogon" and "rhaegal"; the first of which was designed to force an immediate restart at a particular time, whilst the latter runs the dropped file "dispci.exe" upon restart.

-


After the restart, a new scheduled task "viserion_x" is added to the scheduler. Like "drogon", this attempts to force a restart. The reason for this is apparent after the next restart, when the user is presented with the following notification:

Lateral Movement

Looking at the traffic, it appears that the lateral movement process is as follows:

  1. An infected machine connects to the admin share of another machine on the network, and checks to see if cscc.dat and infpub.dat are present in the hidden admin$ share. If these are not present, then data is written to infpub.dat. This can be seen below.


However, in spite of the dat extension, infpub.dat actually contains executable code, as can be seen by any examination of the data being written, which starts with the hex sequence "4D 5A", the signature of a Windows executable file.


  1. Next, the infected machine connects to the hidden IPC$ share. This is the null session connection, which allows users to perform actions on a remote machine. Once connected, the infected machine opens the Service Control (svcctl) file, retrieves information on this file and then binds to it using DCERPC.


  1. Once this bind has been acknowledged by the targeted machine, Service Control manager is opened and an operation is transmitted. This transmission contains raw hex data which when viewed in a hex editor reveals the following string:
C:\Windows\System32\rundll32.exe "C:\Windows\infpub.dat","<User Name>:<Plaintext Password>"


Based on other reports regarding BadRabbit available online, the plaintext password seems likely to have been obtained using Mimikatz (or some derived software), which will have extracted the password directly from memory. It is worth noting that in the event of an infection, these passwords may be traversing the network in plaintext and may be recorded by network analysis appliances.


This same basic pattern was evident through successive run-throughs, though the protocol used varied depending on the machines involved, e.g. traffic directed to the 2012 server was piped over SMBv2, whilst traffic directed at the 2008R2 server was piped over SMBv1.


IOCs - Detection and/or Vaccination

Based on the above analysis of BadRabbit, we can identify certain indicators of compromise by examining network traffic.

The first of these involves identifying SMB write requests for infpub.dat. This file, which as discussed above is actually executable code which will later be invoked to infect a new host, will need to be written to the admin$ share in order for the infection to spread. Reports indicate that this filename is standard across BadRabbit infections. The following is an example of a Snort-based rule one might use to identify the SMBv2 traffic responsible for creating infpub.dat:

content:"|FE|SMB|40|"; offset:4; depth:5; content:"|05|"; offset:16; depth:17; content:"|05|"; offset:104; depth:105; content:"i|00|n|00|f|00|p|00|u|00|b|00 2e 00|d|00|a|00|t";

The second clear IOC we'll look at is the invocation of infpub.dat. This Service Control traffic will also move via SMB, so the basic pattern for detection will be similar. The following is an example of a Snort-based rule one might use to identify the SMBv2 traffic responsible for running infpub.dat:

content:"|FE|SMB|40|"; offset:4; depth:5; content:"|0B|"; offset:16; depth:17;
content:"i|00|n|00|f|00|p|00|u|00|b|00 2e 00|d|00|a|00|t";

-


As we can seen above, this particular strain of ransomware relies on SMB based network traffic to move from host to host, however this is just one example of how network based analysis can assist in the examination of malware. Looking at other well known strains of malware, we can see other IoCs such as WannaCry related SMB traffic used to copy files across the network to the infected host for encryption, before copying the encrypted files back to the remote host.


In this case, full packet capture of all traffic allows not only the identification of malware, but also the capability to restore files by extracting original copies from the network traffic.

Network traffic can also provide insights into internet-bound traffic transmitted by an infected machine, as in the Cerber sample below.


Ransomware is a growing problem, with new strains emerging constantly. In addition, whereas older strains tended to include glaring flaws in their approach to encryption, key management and communications with their command and control servers (which could provide hope of decryption), increasingly ransomware is utilising good cryptographic practices meaning that prevention and mitigation are key.

Network based analysis may provide important corroborative evidence in support of traditional host based forensics or incident response techniques, or may be useful in detecting threats where host based analysis is at a disadvantage. As malware authors continue to develop heavily obfuscated, polymorphic or fileless malware, the ability to infer the presence of malware based upon its actions (as recorded by a non-compromised system) as opposed to relying on the identification of the malware using host centric signature or behavioural analysis can provide a vital extra line of defense.

As compared to traditional approaches to network security, where the focus tends to be placed on defending the perimeter, it's becoming increasingly important to understand lateral or "east-west" movement within a network. If a single host is compromised or a malicious entity is already present on the network, this may prove to be the staging ground for further attacks directed against soft internal targets. As such, it's important to remain vigilant when it comes to the traffic moving between hosts within a network, and to have the ability to quickly identify traffic of interest amongst the din of a modern network.

Network Analysis: Catching A BadRabbit In The Act

Martin Elliott, Senior Threat Intelligence Analyst, Corvil
Corvil is the leader in performance monitoring and analytics for electronic financial markets. The world’s financial markets companies turn to Corvil analytics for the unique visibility and intelligence we provide to assure the speed, transparency, and compliance of their businesses globally. Corvil watches over and assures the outcome of electronic transactions with a value in excess of $1 trillion, every day.
@corvilinc

You might also be interested in...