Security Experts: 'Bad Rabbit' Attack Infrastructure Set Up Months Ago

The infrastructure used by the Bad Rabbit ransomware was set up months ago and an increasing amount of evidence links the malware to the NotPetya attack launched in late June, which some experts believe was the work of a Russian threat actor.

A majority of the Bad Rabbit victims are in Russia – over 80% according to some reports – where the ransomware hit several media outlets, including Interfax. Significant infections have also been observed in Ukraine, where the malware reportedly hit major organizations such as the airport in Odessa, the Kiev subway, the State Aviation Service of Ukraine, and the Transport Ministry of Ukraine.

Infections have also been spotted in Bulgaria, Turkey, Germany, Japan, the United States, South Korea and Poland.

Unlike the NotPetya attack, which hit tens of thousands of systems in more than 65 countries, Bad Rabbit, delivered by attackers via fake Flash Player installers, only infected a few hundred machines mainly belonging to enterprises. The attack began on October 24 at around 10 AM UTC and the majority of infection attempts were detected in the first couple of hours.

Analysis conducted by researchers and security firms showed many connections between Bad Rabbit and NotPetya, including the use of legitimate features such as SMB to spread within the compromised network. However, Bad Rabbit does not use EternalBlue or any other exploit. [UPDATE. Bad Rabbit does in fact use the EternalRomance exploit to spread]

The security researcher known online as Bart Blaze has published a useful table summarizing the similarities and differences between NotPetya and Bad Rabbit. The similarities include targeting of Ukraine and Russia, binaries signed with expired certificates, use of Mimikatz for credential-grabbing, reboots and persistence via scheduled tasks, removal of event logs and USN change journals, and the same type of file encryption and ransomware functionality.

One of the most significant differences is that Bad Rabbit appears to be actual ransomware: at least in theory, users can recover their encrypted files if they pay the ransom. NotPetya, by contrast, has been classified as a wiper because its ransom payment functionality is not implemented properly, making the recovery of files impossible.
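The host-side behaviours the comparison above lists as common to NotPetya and Bad Rabbit (clearing event logs, removing the USN change journal, scheduled tasks for reboot and persistence) give a defender concrete things to hunt for in process-creation telemetry. The following Python is an added example, not code from the article or from any of the vendors it cites: it runs three rules over constructed, pipe-delimited process-creation records and reports hosts where more than one behaviour fires; the record layout, host names and task name are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (not taken from the article).
# Layout assumed for this example: timestamp|host|parent image|image|command line
SAMPLE_EVENTS = [
    r'2017-10-24T10:03:11Z|host-a|C:\Windows\System32\rundll32.exe|C:\Windows\System32\cmd.exe|'
    r'cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & fsutil usn deletejournal /D C:',
    r'2017-10-24T10:03:12Z|host-a|C:\Windows\System32\rundll32.exe|C:\Windows\System32\schtasks.exe|'
    r'schtasks /Create /SC once /TN EXAMPLE_TASK /RU SYSTEM /TR "shutdown.exe /r /t 0 /f" /ST 10:50:00',
    r'2017-10-24T10:05:40Z|host-b|C:\Windows\explorer.exe|C:\Windows\System32\schtasks.exe|schtasks /Query /FO LIST',
    r'2017-10-24T10:06:02Z|host-b|C:\Windows\explorer.exe|C:\Windows\System32\wevtutil.exe|wevtutil qe Security /c:5',
    r'2017-10-24T10:07:15Z|host-c|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt',
]

# One rule per behaviour named in the article. Querying logs or listing tasks
# (the host-b records) must not match, only clearing, deleting and creating.
RULES = [
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("usn_journal_deleted", re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("scheduled_task_created", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]


@dataclass
class Finding:
    host: str
    rule: str
    command_line: str


def parse_event(line):
    """Split one pipe-delimited record into its five fields; the command line may itself contain '|'."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, host, parent, image, cmdline = parts
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def scan(lines):
    """Return one Finding per (record, rule) pair whose command line matches the rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                findings.append(Finding(event["host"], name, event["cmdline"]))
    return findings


def hosts_with_wiper_pattern(findings, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired; a single hit is weak, several together are not."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)
```

On the constructed sample, host-a trips all three rules from two records while the benign query and listing commands on host-b produce no findings.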

Bad Rabbit infrastructure

Kaspersky Lab researcher Costin Raiu pointed out that several of the compromised domains used in the Bad Rabbit attack had been set up for malicious activity since at least July.

An analysis by RiskIQ shows that some of the injection servers involved in the attack were set up more than a year ago.

“While this list is most likely incomplete, it does show that it’s part of a long-running campaign. The operators of this campaign have been able to use this position to target unique visitors based on IP space they associate with their targets,” explained RiskIQ’s Yonathan Klijnsma.

“The thing we do not understand at this point is why they decided to burn this information position to mass distribute the BadRabbit ransomware rather than save it for another type of malware. The goal of the attack using ExPetya back in June was simple: cause as much disruption in the Ukraine and those associated with Ukraine as possible which also seems the case in the BadRabbit attack,” Klijnsma added.

Russian security firm Group-IB noted that the domain serving the fake Flash Player installer, 1dnscontrol[dot]com, was hosted by Inferno, which is run by the same people as 3NT Solutions and V3Servers. The activities of this hosting company were detailed back in 2014 by British researcher Conrad Longmore, who has now provided an updated list of IP addresses that he believes should be blocked by organizations.

“The domain name 1dnscontrol.com was registered on 22 March 2016 and is currently prolonged. There are a number of malicious domains associated with this site, which relate back to 2011. It is possible that these domains have also been compromised or are used for analogous attacks,” Group-IB said.

Links to BlackEnergy

NotPetya, which is also tracked as Diskcoder, Petya, Petrwrap, exPetr and GoldenEye, was linked back in early July to a threat group known as TeleBots, BlackEnergy and Sandworm Team, which experts have tied to Russia and which is believed to be behind cyberattacks on Ukraine’s power grid.

NotPetya was linked to BlackEnergy based on similarities to a wiper used by the threat actor, Yara rules detecting both BlackEnergy and NotPetya malware, and previous ransomware attacks that hit Ukraine.

Several security firms and researchers pointed out that if the NotPetya attack was conducted by BlackEnergy, and Bad Rabbit was created by the same developers that made NotPetya, the obvious conclusion would be that Bad Rabbit is also the work of the Russia-linked hackers.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.