‘White Rabbit’ Ransomware May Be FIN8’s Latest Tool

It’s a double-extortion play that uses the command-line password ‘KissMe’ to hide its nasty acts and adorns its ransom note with cutesy ASCII bunny art.

A new ransomware family, White Rabbit, chewed through a local U.S. bank last month — and it may be connected to the financially motivated advanced persistent threat (APT) group known as FIN8, researchers said.

In a Tuesday report, Trend Micro researchers said that this twicky wabbit knows how to burrow away where it can’t be spotted. In fact, it looks like the operators behind the White Rabbit ransomware have taken a page from the more established ransomware family known as Egregor when it comes to hiding their malicious activity, researchers said.

Egregor, which claimed responsibility for a well-publicized cyberattack on Barnes & Noble in October 2020, is a ransomware-as-a-service (RaaS) player that sparked an FBI warning after compromising more than 150 organizations in short order after its birth.

Infosec Insiders Newsletter

White Rabbit may be sneaky, but it leaves tracks. The ransomware was spotted by multiple security outfits, and was first detected on Dec. 14 by the Lodestone Forensic Investigations team, which said that it had seen some White Rabbit activity a few days earlier, on Dec. 11.

But the earliest stirrings date back to July 10, when a PowerShell script was executed – a script that held script blocks that matched those described in a July 27 Bitdefender article on FIN8.

The Dec. 14 White Rabbit attack was also publicly disclosed on Twitter that same day by security researcher Michael Gillespie (@demonslay355).

Gillespie included a link to the ransom note, which includes cutesy bunny ASCII art. The note warns victims that if they’re reading it, their network infrastructure has been compromised, their critical data has leaked and their files are encrypted. In other words, the newcomer is using the same double-extortion shtick used by a skyrocketing number of RaaS players, threatening targets that their stolen data isn’t just encrypted but will also be published or sold.

Ransom note. Source: Gillespie’s upload to PasteBin.

Command-Line Password ‘KissMe’ Used to Hide Bad Acts

It gets cutesy-wutesy-er: Trend Micro researchers said that one of the most notable aspects of the new ransomware’s attack is the use of a specific command-line password to decrypt its internal configuration and launch its ransomware routine. In the particular case that they came across, that password is “KissMe,” as shown in the SysTracer screen capture below. SysTracer is a system utility tool that sniffs out changed data in a system’s registry and files.

Command line, showing the password “KissMe,” used to execute the ransomware. Source: Trend Micro.

“This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis,” the Trend Micro researchers pointed out, adding that “other samples might use a different password” than KissMe.

The SysTracer image also shows the arguments accepted by the ransomware, which, researchers surmised, stand in for:

  • -p: password/passphrase
  • -f: file to be encrypted
  • -l: logfile
  • -t: malware’s start time

Cobalt Strike Link to FIN8

Trend Micro picked up on traces of Cobalt Strike commands – the PowerShell .exe, as shown below – that its researchers think “might have been used to reconnoiter, infiltrate and drop the malicious payload into the affected system,” according to the report.

Traces of Cobalt Strike commands. Source: Trend Micro.

Lodestone’s analysis of the ransomware group’s tactics, techniques, and procedures (TTPs) points to the White Rabbit group potentially being affiliated with FIN8.

FIN8 has typically used social engineering and spear-phishing to go after financial services and payment-card data from point-of-sale (PoS) systems – particularly those of retailers, restaurants and the hotel industry. More recently, it has added ransomware to its bag of trucks. It’s been active since at least January 2016 and periodically pops in and out of dormancy in order to fine-tune its TTPs so as to evade detection and ramp up its success rate.

One example was in August, when the latest refinement of the APT’s BadHatch backdoor proved able to leverage new malware on the fly without redeployment, making it potent and nimble.

Besides BadHatch, FIN8’s well-stocked arsenal has included malware variants such as ShellTea – a backdoor also known as PunchBuggy –and the memory-scraping malware PunchTrack.

In the December attack, White Rabbit dragged in a previously unseen version of BadHatch that, based on characteristics of the malware sample acquired, Lodestone named F5.

“The exact relationship between the White Rabbit group and FIN8 is currently unknown,” Lodestone stipulated. “However, Lodestone identified a number of TTPs suggesting that White Rabbit, if operating independently of FIN8, has a close relationship with the more established threat group or is mimicking them.”

White Rabbit’s Ransomware Path

As Trend Micro tells it, the White Rabbit ransomware creates a note for each file it encrypts. “Each note bears the name of the encrypted file and is appended with ‘.scrypt.txt,'” researchers described. “Prior to the ransomware routine, the malware also terminates several processes and services, particularly antivirus-related ones.”

Next, if the -f argument isn’t given, it tries to encrypt files in fixed, removable and network drives, as well as in resources. Trend Micro provided the list below of the paths and directories the ransomware tries to skip, “to avoid crashing the system and destroying its own notes.”

  • *.scrypt.txt
  • *.scrypt
  • c:\windows\*
  • *:\sysvol\*
  • *:\netlogon\*
  • c:\filesource\*
  • *.exe
  • *.dll
  • *\desktop.ini
  • *:\windows\*
  • c:\programdata\*
  • *:\programfiles\*
  • *:\program files (x86)\*
  • *:\program files (x64)\*
  • *.lnk
  • *.iso
  • *.msi
  • *.sys
  • *.inf
  • %User Temp%\*
  • *\thumbs.db

FIN8 Connection Still a Bit Sketchy

FIN8 and White Rabbit may be related, or they might actually share the same creator: It’s not a solid call just yet, Trend Micro said.

It could be that this is just another indication of how the group is doing what it’s known for: expanding its arsenal, past the infiltration and reconnaissance tools for which it’s well-known, to add ransomware to the toolkit. “So far, White Rabbit’s targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack,” Trend Micro researchers noted.

It has an “uncomplicated” ransomware routine, which likely means that it’s still under development, they said. Despite being a simple piece of malware, it’s still dangerous: “Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods,” according to Trend Micro’s writeup. “As such, it is worth monitoring.”

Blocking White Rabbit Attacks

Both Lodestone and Trend Micro included indicators of compromise in their White Rabbit writeups.

Trend Micro also had the following suggestions for setting up a multilayered defense to “help guard against modern ransomware and prevent the success of the evasion tactics they employ”:

  • Deploy cross-layered detection and response solutions. Find solutions that can anticipate and respond to ransomware activities, techniques, and movements before the threat culminates.
  • Create a playbook for attack prevention and recovery. Both an incident-response (IR) playbook and IR frameworks allow organizations to plan for different attacks, including ransomware.
  • Conduct attack simulations. Expose employees to a realistic cyberattack simulation that can help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps and attacks.

Photo courtesy of PxHere. Licensing details.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles