Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017 at 10 a.m. Eastern time for a webinar “The Inside Story of the Petya/ExPetr Ransomware.” Click here to attend.
While Microsoft and others continue to shore up links between yesterday’s global ransomware outbreak and the update mechanism for Ukrainian financial software provider MEDoc, others are finding even more distribution vectors used by the malware.
Kaspersky Lab last night said that a government website for the city of Bakhmut in Ukraine was compromised and used in a watering hole attack to spread the malware via a drive-by download.
In addition to known vectors, ExPetr/PetrWrap/Petya was also distributed through a waterhole attack on https://t.co/j9DvYcEgW7
— Costin Raiu (@craiu) June 28, 2017
“To our knowledge no specific exploits were used in order to infect victims. Instead, visitors were served with a malicious file that was disguised as a Windows update,” Kaspersky Lab said in a statement. “We are investigating other leads in terms of distribution and initial attack vector.”
The ransomware, which shares similarities to the destructive Petya strain that surfaced in 2016, is also being spread using the leaked NSA EternalBlue and EternalRomance exploits, infecting machines that still have not applied the MS17-010 Microsoft update that patches a handful of SMBv1 vulnerabilities targeted by the exploit. Unlike WannaCry, which had worming capabilities that allowed it to spread rapidly across the internet, this attack spreads itself only locally using a pair of Windows utilities, PSEXEC and WMIC, to do so, allowing it to infect machines patched against the vulnerabilities exploited by EternalBlue.
Like Petya, this attack overwrites the Master File Table and Master Boot Record on computers it infects. One organization reports that one unpatched machine was the culprit at its location, adding that it lost PCs due to a corrupted MBR, while other machines were showing the ransom note.
Researcher Matt Suiche of Comae Technologies said the malware is more wiper than ransomware, akin to Shamoon, the wiper malware behind the attacks on Saudi Arabia’s Aramco oil company. Suiche said this malware destroys the first 25 sector blocks of a hard disk, and the MBR section of the disk is purposely overwritten with a new bootloader.
“The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon,” Suiche wrote in an analysis published today. “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”
Victims, meanwhile, continue to make payments in a futile attempt to recovery their lost hardware and data. German host Posteo said yesterday that it shut down the attacker’s email account, email@example.com, which prevents victims from contacting the entity behind the attack in order to send them their Bitcoin wallet address and infection ID in order to verify payment of the $300 ransom.
Microsoft, meanwhile, says it has definitively linked MEDoc as an initial infection vector, which MEDoc denied in a Facebook post Tuesday.
“The development team denies this information and argues that such conclusions are clearly erroneous, because the developer of m.e.doc, as a responsible supplier of the software, monitors the safety and cleanliness of its own code,” MEDoc said.
MEDoc, which sells tax accounting software, was identified by Ukraine’s Cyber Police as the source of the outbreak. Cisco and Kaspersky Lab also implicated the company, saying that its software update system had been compromised and was serving up the ransomware in phony updates.
“We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.,” Microsoft said in a Technet blog on Tuesday. Microsoft said that the EzVit.exe process from MEDoc executed the command line: C:\\Windows\\system32\\rundll32.exe\” \”C:\\ProgramData\\perfc.dat\”,#1 30
Below is a representation of the execution chain from Microsoft.
The ransomware, which has been given many names including NotPetya, ExPetr, PetrWrap, GoldenEye and others, is much more complex than WannaCry given its ability to move laterally once on a local network.
Microsoft said the ransomware begins by dropping a credential-stealing tool similar to Mimikatz looking for valid admin or domain credentials. It then scans subnets looking for open port 445 or 139 connections.
“A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate DCP subnets all hosts on all DHCP subnets before scanning for tcp/139 and tcp/445 services,” Microsoft said. “If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials. It then tries to execute remotely the malware using either PSEXEC or WMIC tools.”
Another scan looks for admin$ shares before the ransomware copies itself on the network and executes using PSEXEC in what amounts to pass-the-hash attacks, Microsoft said.
“In addition to credential dumping, the malware also tries to steal credentials by using the CredEnumerateW function to get all the other user credentials potentially stored on the credential store. If a credential name starts with “TERMSRV/” and the type is set as 1 (generic) it uses that credential to propagate through the network,” Microsoft said. “This ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using NetEnum/NetAdd) to spread to. It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).”
Experts continue to stress the importance of applying the MS17-010 update to unpatched machines, and advise disabling PSEXEC and WMIC on local networks.