Yesterday, Avira labs recognized an attack by a new ransomware variant called Bad Rabbit. It is a typical file cryptor: it makes all of the victim's personal files unreadable and demands a ransom for decrypting them. It also overwrites the Master Boot Record (MBR) so that the ransom message is shown when the computer reboots.
This threat reaches the victim's computer as a drive-by attack. We identified the payload as being downloaded from h(tt)p://1dnscontrol(.)com/flash_install.php. It seems that for this attack the criminals did not go for an ordinary phishing campaign (where the payload is usually attached to the mail) but more likely used a malicious advertising banner or a hacked website.
Instead of phishing, they used another well-known social engineering method to get onto the user's computer. The dropped file needs to be executed by the user with admin rights to work, so they probably decided that disguising it as a Flash Player installer was the best option. Recently we have quite often seen a type of malvertising (a combination of malware and advertising) where you supposedly need to install Flash Player first before the banner can be displayed. Many people click daily on a fake Flash Player icon thinking that it is a new update:
If the fake Flash Player is executed, it drops the malicious DLL as C:\Windows\infpub.dat. This DLL is launched using rundll32 and in turn drops dispci.exe (the file decoder) and cscc.dat (a utility module) into the Windows folder (C:\Windows). In parallel, it also tries to spread these files to other computers on the network by brute forcing the administrative shares (\\computername\admin$) with a list of hardcoded credentials (e.g. sex, qwe123, qwe321, …).
For the dropped files in the Windows folder, it creates three scheduled tasks.
It is interesting to notice how the cybercriminals label the task names: "Drogon", "Rhaegal" and "Viserion" are dragons from the world-famous Game of Thrones series. And not only those: they also use the name of another character, "GrayWorm", as the product name of the exe file. It is not the first time that criminals mix popular culture icons with malware, as we have seen before with Mr. Robot, James Bond, Pokemon and more.
This ransomware also uses some techniques to avoid leaving traces behind after the infection. One interesting method is deleting the NTFS USN change journal.
The command Fsutil.exe usn deletejournal /D c: deletes the journal on the C: volume. The change journal records, among other things, which files were modified on the volume, so after an infection it would reveal what was changed during the encryption. Deleting it removes a record that an investigator could otherwise use to reconstruct the activity, so that afterwards nobody but the cybercriminals themselves knows exactly which files were touched. Deleting the journal requires administrative rights, which is one more reason why the dropper needs to be run as administrator.
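The host-side indicators described above (infpub.dat started via rundll32, the Game of Thrones task names, the USN journal wipe, and the brute forcing of admin$ shares) can be hunted for in process-creation and logon telemetry. The following is an added example, not Avira's code. The log lines are constructed here to resemble flattened Sysmon/4688 process-creation and 4625 logon-failure events; the line format, field names, the exact rundll32 and schtasks command lines, and the failure threshold are all assumptions.

```python
"""Hunt for Bad Rabbit host indicators in constructed process/logon events.
Added example, not Avira's or the malware's code.  Log format is assumed:
  <time> <type> key=value ... cmdline=<rest of line>
"""

import re
from collections import Counter

# Constructed sample events (not real telemetry); command lines are assumed.
SAMPLE_LOG = [
    r"10:01:03 process host=WS01 image=C:\Users\bob\Downloads\install_flash_player.exe cmdline=install_flash_player.exe",
    r"10:01:05 process host=WS01 image=C:\Windows\System32\rundll32.exe cmdline=rundll32.exe C:\Windows\infpub.dat,#1 15",
    r"10:01:07 process host=WS01 image=C:\Windows\System32\schtasks.exe cmdline=schtasks /Create /SC once /TN rhaegal /RU SYSTEM /TR C:\Windows\dispci.exe -id 1234",
    r"10:01:08 process host=WS01 image=C:\Windows\System32\schtasks.exe cmdline=schtasks /Create /SC once /TN drogon /RU SYSTEM /TR C:\Windows\System32\shutdown.exe /r /t 0 /f",
    r"10:01:09 process host=WS01 image=C:\Windows\System32\fsutil.exe cmdline=fsutil usn deletejournal /D c:",
    r"10:01:10 process host=WS01 image=C:\Windows\System32\schtasks.exe cmdline=schtasks /Create /SC daily /TN backup_nightly /RU SYSTEM /TR C:\Tools\backup.exe",
    r"10:02:10 logon_failure host=WS02 src=WS01 user=Administrator share=ADMIN$",
    r"10:02:11 logon_failure host=WS02 src=WS01 user=Administrator share=ADMIN$",
    r"10:02:12 logon_failure host=WS02 src=WS01 user=Admin share=ADMIN$",
    r"10:02:13 logon_failure host=WS02 src=WS01 user=Guest share=ADMIN$",
    r"10:02:40 logon_failure host=WS02 src=WS03 user=alice share=ADMIN$",
]

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<type>\S+) (?P<rest>.*)$")
TASK_NAMES = ("drogon", "rhaegal", "viserion")  # task names from the article


def parse_event(line):
    """Turn one flattened log line into a dict; cmdline is free text and last."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"time": m.group("time"), "type": m.group("type")}
    rest = m.group("rest")
    if "cmdline=" in rest:
        head, _, cmd = rest.partition("cmdline=")
        ev["cmdline"] = cmd.strip()
        rest = head
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if sep:
            ev[key] = val
    return ev


def match_process(ev):
    """Return a description if a process event matches a Bad Rabbit indicator."""
    cmd = ev.get("cmdline", "").lower()
    image = ev.get("image", "").lower()
    if image.endswith("rundll32.exe") and "infpub.dat" in cmd:
        return "infpub.dat loaded via rundll32"
    if image.endswith("schtasks.exe") and "/create" in cmd:
        m = re.search(r"/tn\s+(\S+)", cmd)
        if m and m.group(1).startswith(TASK_NAMES):  # viserion_<n> also matches
            return f"scheduled task with Bad Rabbit name: {m.group(1)}"
    if image.endswith("fsutil.exe") and re.search(r"\busn\s+deletejournal\b", cmd):
        return "USN change journal deleted (anti-forensics)"
    return None


def hunt(lines, failure_threshold=3):
    """Return (time, host, description) findings; aggregate admin$ logon failures per source."""
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["type"] == "process":
            why = match_process(ev)
            if why:
                findings.append((ev["time"], ev.get("host", "?"), why))
        elif ev["type"] == "logon_failure" and ev.get("share", "").upper() == "ADMIN$":
            failures[(ev.get("src", "?"), ev.get("host", "?"))] += 1
    for (src, dst), n in failures.items():
        if n >= failure_threshold:
            findings.append(("-", dst, f"{n} failed logons to ADMIN$ from {src} (share brute force)"))
    return findings


if __name__ == "__main__":
    for time, host, why in hunt(SAMPLE_LOG):
        print(f"{time:>8} {host:<5} {why}")
```

The task-name rule matches on the prefix so that numbered variants of the names are caught as well, while an unrelated task ("backup_nightly" in the sample) is ignored; the fsutil rule keys on the `usn deletejournal` sub-command rather than on fsutil.exe itself, since fsutil has many legitimate uses. The brute-force rule is a simple per-source failure count and would need tuning against real logon volume.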
The file decoder also sheds light on what kind of users the cybercriminals would like to target if you look at its list of file types.
It specifically checks for virtual machine file types (e.g. vhdx, vmdk, vbox, …). This means they are targeting the corporate arena as well, not just the home user.
The file decoder also gives an insight into what would happen on the victim's computer if they paid the ransom.
The user is told to disable their antivirus or anti-malware program and to click on the decryption.lnk on the desktop. After the files are decrypted, the filecoder and the created tasks are deleted from the system. In any case, we recommend never following these instructions from cybercriminals.
The camouflaged file cscc.dat is originally a .sys driver that is part of the open-source encryption solution "DiskCryptor", which the ransomware uses.
Unlike many other file encryptors such as Locky, this encryption method does not change the file extension. The extension stays the same, but a marker string in which the word "encrypted" can be read is appended to the end of the file.
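Because the extension is left unchanged, an incident responder cannot simply list files by extension to find what was hit; the trailer marker and the entropy of the content are better signals. The following is an added triage example, not Avira's or the malware's code. It assumes that the ASCII word "encrypted" appears within the last 64 bytes of an affected file (the exact marker format is not given above) and that the ciphertext has near-maximal byte entropy; both the marker, the trailer window and the entropy threshold are assumptions to adjust against real samples.

```python
"""Triage files for extension-preserving encryption using the trailer marker
plus byte entropy.  Added example, not Avira's or the malware's code.
Assumptions: marker text, trailer window and entropy threshold below."""

import math
import random
import tempfile
from collections import Counter
from pathlib import Path

MARKER = b"encrypted"    # assumed: the readable word in the appended trailer
TRAILER_BYTES = 64       # assumed: how far from the end to look for it
ENTROPY_THRESHOLD = 7.5  # bits per byte; random/encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, much lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> dict:
    """Combine the trailer marker with entropy so a text file that merely ends
    with the word 'encrypted' is flagged as suspicious rather than as a hit."""
    has_marker = MARKER in data[-TRAILER_BYTES:]
    body = data[:-TRAILER_BYTES] if len(data) > TRAILER_BYTES else data
    entropy = shannon_entropy(body)
    high_entropy = entropy >= ENTROPY_THRESHOLD
    if has_marker and high_entropy:
        verdict, reason = "encrypted", "trailer marker and high-entropy body"
    elif has_marker:
        verdict, reason = "suspicious", "trailer marker but low entropy (possible false positive)"
    elif high_entropy:
        verdict, reason = "high-entropy", "no marker; compressed or encrypted by something else"
    else:
        verdict, reason = "clean", "no marker, low entropy"
    return {"verdict": verdict, "reason": reason, "entropy": round(entropy, 3), "marker": has_marker}


def scan_directory(root) -> list:
    """Classify every regular file below root, regardless of extension."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            info = classify(path.read_bytes())
            results.append((str(path.relative_to(root)), info["verdict"], info["entropy"]))
    return results


# Constructed sample contents (not real victim files).  Note the encrypted
# sample keeps its .xlsx name, as the article describes.
_rng = random.Random(20171024)
SAMPLES = {
    "report.docx": b"Quarterly report. " * 300,
    "budget.xlsx": bytes(_rng.getrandbits(8) for _ in range(8192)) + b"\x00" * 16 + MARKER,
    "notes.txt": b"The last word of this note is encrypted",
}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLES.items():
            Path(tmp, name).write_bytes(content)
        for name, verdict, entropy in scan_directory(tmp):
            print(f"{name:<14} {verdict:<12} entropy={entropy}")
```

Running the block writes the three constructed files to a temporary directory and scans them: the plain report is clean, the spreadsheet with the random body and trailer is reported as encrypted despite its unchanged extension, and the note that merely ends with the word is only marked suspicious. On a real system the marker and window should be taken from an actual sample rather than from the assumptions above.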
This time, it looks like the criminals spent more time creating the onion payment page. It even has a loading animation for the decryption.
But don’t worry, Avira is already protecting you against this ransomware.