The Bad Rabbit ransom web page.
Despite early reports that there was no use of National Security Agency-developed exploits in this week's crypto-ransomware outbreak, analysis released by Cisco Talos suggests that the ransomware worm known as "Bad Rabbit" did in fact use a stolen Equation Group exploit published by Shadowbrokers to spread across victims' networks. The attackers used EternalRomance, an exploit that bypasses security over Server Message Block (SMB) file-sharing connections, enabling remote execution of instructions on Windows clients and servers. The code closely follows an open source Python implementation of a Windows exploit that used EternalRomance (and another Equation Group tool, EternalSynergy), leveraging the same methods published in the Shadowbrokers code release. NotPetya also leveraged this exploit.
Bad Rabbit, named for the Tor hidden service page that it directs victims to, initially landed on affected networks via a "drive-by download" attack through compromised Russian media websites. Arriving disguised as an Adobe Flash update, Bad Rabbit has several ways of spreading itself across networks. It can exploit open SMB connections on the infected Windows system, and it can also exploit the Windows Management Instrumentation Command-line (WMIC) scripting interface to execute code remotely on other Windows systems on the network, according to analysis by Endgame's Amanda Rousseau. And the malware has a set of hard-coded usernames and passwords, as Rousseau and researcher Kevin Beaumont noted.
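As an added defender-side illustration (not code from the article or from any of the researchers it cites), the following Python flags the WMIC remote-execution pattern described above in constructed process-creation log lines and builds a per-host fan-out map, which is what makes worm-like spreading stand out; the host names, paths and flattened log format are assumptions.

```python
import re
# Constructed Sysmon-style process-creation records (Event ID 1), flattened to one
# key=value line each. Made up for this example; not real telemetry from the outbreak.
SAMPLE_LOGS = [
    'Host=WS01 User=CORP\\alice ParentImage=C:\\Users\\alice\\Downloads\\install_flash_player.exe '
    'Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine="wmic /node:FS02 /user:CORP\\svc process call create <elided>"',
    'Host=WS01 User=CORP\\alice ParentImage=C:\\Users\\alice\\Downloads\\install_flash_player.exe '
    'Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine="wmic /node:WS07 /user:CORP\\svc process call create <elided>"',
    'Host=ADMIN01 User=CORP\\helpdesk ParentImage=C:\\Windows\\System32\\cmd.exe '
    'Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic /node:localhost os get version"',
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
NODE_RE = re.compile(r'/node:"?([^\s",]+)', re.IGNORECASE)
LOCAL_NODES = {".", "localhost", "127.0.0.1"}

def parse_record(line: str) -> dict:
    # Split a flattened key=value record into a dict, stripping surrounding quotes.
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def remote_node(rec: dict) -> str:
    """Return the /node: target when WMIC is pointed at another machine, else ''."""
    if not rec.get("Image", "").lower().endswith("\\wmic.exe"):
        return ""
    node = m.group(1) if (m := NODE_RE.search(rec.get("CommandLine", ""))) else ""
    return "" if node.lower() in LOCAL_NODES or node.upper() == rec.get("Host", "").upper() else node

def classify(rec: dict) -> list:
    """Reasons a WMIC record looks like Bad Rabbit-style lateral movement (empty if benign)."""
    reasons = []
    node = remote_node(rec)
    if node:
        reasons.append(f"WMIC aimed at remote host {node}")
        if "process call create" in rec.get("CommandLine", "").lower():
            reasons.append("remote process creation")
        if re.search(r"\\(users|temp)\\", rec.get("ParentImage", ""), re.IGNORECASE):
            reasons.append(f"parent {rec['ParentImage']} runs from a user-writable path")
    return reasons

def find_wmic_lateral_movement(lines) -> dict:
    """Per-record findings plus a fan-out map of which remote hosts each source host targeted."""
    findings, fanout = [], {}
    for line in lines:
        rec = parse_record(line)
        reasons = classify(rec)
        if reasons:
            findings.append({"host": rec["Host"], "user": rec.get("User"), "reasons": reasons})
            fanout.setdefault(rec["Host"], set()).add(remote_node(rec))
    return {"findings": findings, "fanout": fanout}
```

A single host pushing WMIC process creation to several peers within minutes is the signal to alert on; a lone remote invocation from an admin shell is usually routine administration.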
But according to Talos, Bad Rabbit also carries code that uses the EternalRomance exploit (patched by Microsoft in March), which uses an "empty" SMB transaction packet to attempt to push instructions into the memory of another Windows computer. On unpatched Windows 7 and later Windows operating systems, the exploit can use information leakage returned by the exchange to determine whether it is successful; on older systems, a different version of the same exploit is used but may crash the targeted computer's operating system in the process.
Bad Rabbit code uses methods apparently cribbed from a publicly available Python implementation of EternalRomance's exploits.
Because of numerous similarities between Bad Rabbit and NotPetya, including the use of the commercial DiskCryptor code to encrypt the victim's hard drive and the presence of "wiper" code that could erase drives attached to the targeted system, Kaspersky Lab researchers have said that there are "clear ties" between the two malware attacks, and other researchers have reached similar conclusions. But there are two major differences: the use of a different exploit and the apparent targets of the attack. This time, the targets have apparently been primarily in Russia.
"There's a lot of speculation that Russia is the main target, which may be true, but doesn't rule out Russia as the attacker," said Dr. Andrea Little Limbago, chief social scientist at Endgame. "BadRabbit hit Russian media companies—and Putin has a history of cracking down on the media." And the attack also affected critical infrastructure companies in Ukraine. "It's too early to rule out any potential attacker," Limbago added, "and as always, motives and intent are extremely nuanced, and [we] must consider both domestic and international motivations."