One day after clear ties were established between the Bad Rabbit ransomware attacks and this summer’s NotPetya outbreak, researchers at Cisco today strengthened that bond disclosing that the leaked NSA exploit EternalRomance was used to spread the malware on compromised networks.
This contradicts earlier reports that neither EternalRomance nor EternalBlue were part of this week’s ransomware attack that was confined primarily to Russia and the Ukraine.
Cisco said in an ongoing analysis of Bad Rabbit that the implementation of the EternalRomance exploit used in Bad Rabbit has been modified.
“This is a different implementation of the EternalRomance exploit,” said Martin Lee, technical lead of security research for Cisco’s research arm, Talos. “It’s different code from what we saw used in NotPetya, but exploiting the same vulnerability in a slightly different implementation.”
EternalRomance is one of a number of Windows exploits leaked in April by the ShadowBrokers, a still unidentified group that has been leaking Equation Group exploits for more than a year. Many of those attacks, however, were mitigated in MS17-010, a Microsoft security bulletin that included patches for vulnerabilities in the SMBv1 protocol abused by these exploits.
The publicly available exploits affect older versions of Windows (XP through 7 on the client side and 2003-2008 on Windows Server).
EternalRomance is a remote code execution attack that exploits CVE-2017-0145. What exacerbated the WannaCry and NotPetya attacks was the fact that many organizations had SMBv1 exposed to the internet rather than solely internally. This allowed WannaCry in particular to worm out to the internet and affect machines outside a compromised network.
“This exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a type confusion vulnerability leading to an attacker offset controlled arbitrary heap write,” Microsoft said in an analysis of EternalRomance published in June. “As with almost any heap corruption exploit, the attacker must know or control the layout of the heap to consistently succeed.”
Cisco said in its look at Bad Rabbit this week that it found a type confusion attempt similar to EternalRomance.
“We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor,” Cisco said. “Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space.”
DoublePulsar is a post-exploitation memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. It was part of the Fuzzbunch exploit platform leaked by the Shadowbrokers.
“This is a full ring0 payload that gives you full control over the system and you can do what you want to it,” said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis in April.
Researchers at Kaspersky Lab on Wednesday confirmed the link between Bad Rabbit and NotPetya, finding similarities in the hashing algorithm used in the two attacks, as well as some of the same domains. It also steals credentials by leveraging the Windows utility WMIC.
Unlike NotPetya, Bad Rabbit is not a wiper attack, Kaspersky Lab confirmed today. Cisco’s Lee also confirmed this is not a wiper.
“The researchers also found that the Bad Rabbit ransomware code doesn’t contain the kind of mistakes that could be used to decrypt victims’ files and data. There is no way to decrypt information without the attackers’ private key,” Kaspersky Lab said today. “Having said that, the experts have found a flaw in the code of dispci.exe, which means that the malware doesn’t wipe the generated password from the memory – so there is a slim possibility to extract it.”
Kaspersky Lab also said that it saw traces of the attack dating back to July starting with the compromise of high-profile media sites in Russia including Interfax. Government agencies in Turkey, including the metro in Kiev and a major airport were also serving the malware as were other sits in Turkey, Germany and the U.S.—about 200 in all. The attackers, however, pulled the malicious code once Bad Rabbit was made public.
The malware was spreading primarily through drive-by downloads where the hacked sites were serving up a phony Flash Player installer that executes a dropper on the compromised machine that reaches out to the attacker’s domain for the rest of the attack. The malware relied on user action to trigger the executable and to grant it excessive permissions through a Windows UAC prompt.
While ExPetr was wiper malware in the guise of a ransomware attack, Bad Rabbit installs a malicious executable called dispci.exe which is derived from the free and open source disk encryption software called DiskCryptor.
“The malware modifies the Master Boot Record (MBR) of the infected system’s hard drive to redirect the boot process into the malware authors code for the purposes of displaying a ransom note,” Cisco said. “The ransom note that is displayed following the system reboot is very similar to the ransom notes displayed by other ransomware variants, namely Petya, that we have observed in other notable attacks this year.”
The attackers are demanding 0.05 Bitcoin or $298 USD at today’s exchange rate in exchange for the decryption key that will unlock their hard drives. Each victim is assigned a unique payment wallet, simplifying the process for recovery for victims and profit for the attackers.