Security Alert: BadRabbit Ransomware Avoids Russian Antivirus Vendor Dr. Web

omidomi · #1
BadRabbit will skip the encryption process when detecting the antivirus software from Russian security firm Dr. Web and profiles users before deciding to infect.

Security researchers are noticing something curious about Tuesday's BadRabbit ransomware outbreak. Apparently, the malicious code is built to avoid encrypting PCs running antivirus from Russian anti-malware vendor Dr. Web.

Researchers at FireEye noticed the issue when reverse-engineering a BadRabbit malware sample. The ransomware will forgo encryption on a machine when it finds one of four antivirus processes from the Russian security firm, it said.

Security firm Cylance found the same. BadRabbit will end attempts to spread over the victim's network and harvest the PC's passwords if Dr.Web antivirus is detected, it said.

Why the ransomware's developer sought to avoid the Moscow-based company's software might raise eyebrows. Russia often gets blamed for some of the world's biggest cyber attacks.

But on Thursday, the Moscow-based Dr.Web published its own findings (translated from Russian). It too discovered that BadRabbit skips the encryption process when the company's antivirus is detected on the system. The title of their post even suggests the ransomware is "afraid" of the company's products.

However, this actually has to do with how the company's antivirus software protects a PC's master boot record -- which BadRabbit will try to encrypt.

Instead, the ransomware will seek to avoid early detection, but will start a full disk encryption after a system reboot, Dr.Web said in its findings.

Tom Bonner, a senior threat manager at Cylance, said he arrived at a similar conclusion.

"I think it (BadRabbit) is trying to be as surreptitious as possible, and not raise too many flags," he said.

To avoid raising those flags, Dr.Web isn't the only antivirus software BadRabbit will try to scan for. It'll also look for the presence of McAfee's antivirus software, Bonner said.

If found, the ransomware will stop spreading over the victim's network, but it'll still try to encrypt the files onboard, he added.

Others like FireEye security researcher Nick Carr find BadRabbit's avoidance of Dr.Web software suspicious. Nevertheless, Tuesday's outbreak spread across computers largely in Russia, but also spilled into Ukraine, Turkey and even Japan, according to security firms.

BadRabbit attacked by spreading itself over a fake Adobe Flash Player update that was distributed by over a dozen hacked websites.

That Flash update sought to trick visitors into executing the installer, which would then maliciously encrypt all the files inside the PC. To free the system, a victim would have to pay about $282 in Bitcoin.

Who was behind the attack still isn't known. But security researchers suspect BadRabbit's creator may have been the same culprit behind another ransomware outbreak in June called NotPetya. Both attacks shared some of the same unique computer code and tactics, which is rare to find.

Security firm FireEye is also uncovering evidence that whoever launched BadRabbit had been trying to profile its potential victims.

Hacked websites found delivering BadRabbit had malicious JavaScript code installed. That code is designed to gather data from website visitors through their browser sessions, and relay it back to a separate server.

What data is being profiled about visitors isn't clear, but it allows BadRabbit's creator to distinguish between which visitors will be targeted with a malicious payload, FireEye's Carr said.

That's strange behavior for a ransomware attack when most are designed to infect as many targets as possible. But it might offer an important clue to what BadRabbit was actually trying to achieve. "We have reason to suspect that this was not a truly financially-motivated attack," Carr said.

tim one · #4
BadRabbit uses at least three components: a dropper, an encoder and a disk cryptor that can also act as a decryptor. Once started, the dropper loads itself into memory, saves itself to disk, runs the encoder using rundll32.exe and finally ends its own process.

The malware collects information on the infected computer, and indeed it checks whether the Dr. Web processes are running.
If BR sees them, it skips the first stage of the encryption, apparently to avoid premature detection, but it tries to launch the full encryption of the disk after the system reboots. Dr. Web doesn't allow the MBR to be modified, so the disk encryption attempt fails.

Then the disk cryptor checks the arguments of its process, and if it turns out to be running without arguments, it works as a decryptor. Before starting the encryption, BR performs a series of preparatory actions, then it creates a PC reboot task in the Windows Task Scheduler. Subsequently, the malware deletes the old task every 30 seconds and creates a new one, constantly shifting the execution time of the task. This is likely prepared for the case in which the user deletes the malware before the disk encryption is completed.

Then BadRabbit generates a password for the encryption and writes information about the computer into a specific structure, encrypting it with a public key and saving it in another structure that is encoded with Base64 and stored in the MBR. Then BR looks for the first sector of the system disk and installs its bootloader. Later the content of this disk will be encrypted.

A part of the code of BadRabbit comes from NotPetya. From the memory of the infected computer, the encoder, if it has the corresponding privileges, extracts one of the stored drivers.
To start this driver, BR, in the course of the operation, tries to register a system service "cscc", and if it fails, it will try to start the DiskCryptor driver with the name "cdfs" through a registry edit.

So as you can see, BadRabbit is very complex, even using recycled code.

Edit: sorry, it was BR for BadRabbit, not BD (brainfart) :p

Deleted member 65228 · #5
I agree with @tim one, and the fact that DiskCryptor was used made everything ten times worse because DiskCryptor relies on a kernel-mode component, which could potentially provide the ability to over-power current security solutions installed on the system.

The thing that interests me is that the developers used DiskCryptor, but didn't try to abuse other device drivers belonging to other software packages like Process Hacker (kprocesshacker.sys) or CPU-Z. Both of those are potentially vulnerable targets; I recall being shown an article a while back where a game cheater exploited the CPU-Z driver to access processes it shouldn't have, despite kernel-mode self-protection mechanisms. I don't think it was ever fixed either, bad bad CPU-Z...

tim one · #6
Yeah, good point @Opcode, and another strange thing is that BR uses the Mimikatz utility (like NotPetya) to intercept the passwords of the open sessions in Windows. Depending on whether the OS is 32- or 64-bit, it decompresses the matching version of the utility, saves it under an arbitrary name in the folder C:\Windows, and starts it. Then it searches for writable network folders and tries to open them using the credentials obtained, saving a copy there.

After it has performed all the preliminary operations, BR creates a task that will restart the computer. During the completion of the session, BadRabbit clears the system log.

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security
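Added example (not from the thread or from Dr.Web's write-up): a Python sketch of how a defender might flag three of the behaviours tim one describes in #4 and #6, the scheduled task being deleted and re-created every 30 seconds, the "cscc"/"cdfs" driver service registration and the clearing of the system log, run over constructed Windows event records. The event IDs are real Windows audit IDs, but the thresholds, sample task and service names, timestamps and file paths are assumptions, not values from the thread.

```python
"""Detection sketch over Windows event records for the BadRabbit behaviours
described in the thread (added example; not Dr.Web's or the thread's code).
Event IDs: 4698/4699 scheduled task created/deleted, 7045 new service
installed (System log), 1102 audit log cleared."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
SUSPECT_SERVICES = {"cscc", "cdfs"}       # service names reported in the thread
CHURN_COUNT = 4                            # one task (re)created this often...
CHURN_WINDOW = timedelta(minutes=5)        # ...inside this window => suspicious


def detect(events):
    """Return (rule, detail) findings for a list of event dicts."""
    findings, created = [], defaultdict(list)
    for ev in events:
        if ev["id"] == 4698:               # remember every task creation time
            created[ev["task"]].append(datetime.strptime(ev["time"], FMT))
        elif ev["id"] == 7045 and ev["service"].lower() in SUSPECT_SERVICES:
            findings.append(("driver_service", f"{ev['service']} -> {ev['image']}"))
        elif ev["id"] == 1102:
            findings.append(("log_cleared", ev["time"]))
    for task, stamps in created.items():   # sliding window over creation times
        stamps.sort()
        if any(stamps[i + CHURN_COUNT - 1] - stamps[i] <= CHURN_WINDOW
               for i in range(len(stamps) - CHURN_COUNT + 1)):
            findings.append(("task_churn", task))
    return findings


def task_cycle(name, start, n, step_s=30):
    """Constructed sample: a task deleted and re-created every step_s seconds."""
    out = []
    for k in range(n):
        t = (start + timedelta(seconds=k * step_s)).strftime(FMT)
        if k:                              # old task removed just before the new one
            out.append({"id": 4699, "time": t, "task": name})
        out.append({"id": 4698, "time": t, "task": name})
    return out


T0 = datetime(2017, 10, 24, 14, 0, 0)
SAMPLE_EVENTS = (                          # all values below are constructed
    task_cycle("reboot-task", T0, 6) + task_cycle("UpdateCheck", T0, 1)
    + [{"id": 7045, "service": "cscc", "image": r"C:\Windows\constructed.sys",
        "time": "2017-10-24 14:01:05"},
       {"id": 7045, "service": "BenignSvc", "image": r"C:\Program Files\b.exe",
        "time": "2017-10-24 14:01:07"},
       {"id": 1102, "time": "2017-10-24 14:03:10"}])
```

Running `detect(SAMPLE_EVENTS)` flags the cscc service, the log clear and the churning "reboot-task" while leaving the one-off "UpdateCheck" task and the benign service alone.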