Malware Analysis

BadRabbit Ransomware Analysis

Overview

BadRabbit emerged on October 24, 2017, primarily targeting organizations in Russia, Ukraine, Turkey, and Germany. Unlike NotPetya's supply chain attack, BadRabbit relied on drive-by download attacks through compromised websites.

Infection Vector

Watering Hole Attack

The attackers compromised several legitimate news and media websites, injecting JavaScript that redirected visitors to a page hosting the malware:

  • Victims were presented with a fake Adobe Flash Player update prompt
  • The dropper was disguised as install_flash_player.exe
  • No exploits were used for the initial infection — the attack relied entirely on social engineering
  • Compromised sites included Russian media outlets Interfax and Fontanka

Dropper Mechanism

Upon execution, the dropper:

  1. Extracts the main payload DLL (infpub.dat) to C:\Windows\
  2. Executes via rundll32.exe C:\Windows\infpub.dat,#1 15
  3. Creates a scheduled task for system reboot
  4. Begins encryption and lateral movement
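The dropper chain above (fake Flash installer launching rundll32.exe on a .dat file in C:\Windows, followed by a scheduled reboot) is distinctive enough to detect from process-creation telemetry. The following is an added example, not code from the original analysis: it runs three simple rules over constructed records modelled on Sysmon Event ID 1 fields (the records, the pids and the scheduled task name are made up for illustration; only the file names and the rundll32 command line come from the page).

```python
import re

# Constructed process-creation records modelled on Sysmon Event ID 1 fields.
# These are illustrative, not telemetry captured from a real infection.
SAMPLE_EVENTS = [
    {"pid": 4021, "image": r"C:\Users\alice\Downloads\install_flash_player.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r"C:\Users\alice\Downloads\install_flash_player.exe"},
    {"pid": 4088, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\alice\Downloads\install_flash_player.exe",
     "cmdline": r"rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"pid": 4102, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     # task name "example_task" is a constructed placeholder
     "cmdline": r'schtasks /Create /SC once /TN example_task /TR "shutdown.exe /r /t 0 /f" /ST 14:05:00'},
    {"pid": 4110, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign control-panel launch
]

# rundll32 being handed a .dat file as its DLL argument
RUNDLL32_DAT = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+\.dat)", re.IGNORECASE)
# schtasks creating a task whose action is a forced reboot
SCHTASKS_REBOOT = re.compile(r"schtasks\s+/create\b.*shutdown(?:\.exe)?\s+/r\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, pid) tuples for events matching the BadRabbit dropper chain."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"]
        img = basename(ev["image"])
        parent = basename(ev["parent_image"])

        # Rule 1: rundll32 loading a .dat "DLL" from the Windows directory
        m = RUNDLL32_DAT.search(cmd)
        if img == "rundll32.exe" and m and m.group("dll").lower().startswith("c:\\windows\\"):
            alerts.append(("rundll32_loads_dat_from_windows_dir", ev["pid"]))

        # Rule 2: the fake Flash installer is the parent of rundll32
        if img == "rundll32.exe" and parent == "install_flash_player.exe":
            alerts.append(("fake_flash_installer_spawns_rundll32", ev["pid"]))

        # Rule 3: a rundll32 child schedules a forced reboot
        if img == "schtasks.exe" and parent == "rundll32.exe" and SCHTASKS_REBOOT.search(cmd):
            alerts.append(("rundll32_child_schedules_reboot", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

Rule 1 is the most durable of the three, because a renamed dropper defeats rule 2 while rundll32 loading a .dat from C:\Windows is unusual on a healthy workstation; the benign rundll32 record in the sample shows that the rule does not fire on ordinary control-panel launches.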

Encryption

File Encryption

  • Uses AES-128-CBC for file encryption
  • Each file gets a unique AES key
  • AES keys are encrypted with an embedded RSA-2048 public key
  • Targets 113 file extensions including documents, images, and databases

Disk Encryption

  • Installs a modified DiskCryptor (legitimate open-source disk encryption tool)
  • The DiskCryptor driver (cscc.dat) is dropped and installed as a service
  • Encrypts the disk partition on reboot
  • A custom bootloader displays the ransom message

Lateral Movement

SMB Exploitation

BadRabbit attempted to spread via SMB using:

  • A hardcoded list of common usernames and passwords
  • Credential harvesting via a modified Mimikatz variant
  • EternalRomance exploit (MS17-010), similar to NotPetya

Credential Brute Force

The malware contained an embedded list of credentials commonly used in enterprise environments:

  • Usernames: Administrator, Admin, Guest, User, User1
  • Passwords: password, Password1, 123456, qwerty, etc.
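An embedded username list of this kind produces a recognisable pattern on the receiving side: one source host failing logons against several different accounts within seconds. The block below is an added example, not part of the original analysis; it runs a sliding-window spray detector over constructed failed-logon lines in a simplified Windows Event ID 4625 style (the line format, IP addresses, hostnames and timestamps are made up for illustration; the account names come from the page's list).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records in a simplified Event ID 4625 style; not real logs.
SAMPLE_LOGONS = [
    "2017-10-24T13:01:02 4625 Source=10.0.0.17 Target=Administrator Workstation=SRV01",
    "2017-10-24T13:01:05 4625 Source=10.0.0.17 Target=Admin Workstation=SRV01",
    "2017-10-24T13:01:09 4625 Source=10.0.0.17 Target=Guest Workstation=SRV01",
    "2017-10-24T13:01:14 4625 Source=10.0.0.17 Target=User Workstation=SRV01",
    "2017-10-24T13:01:20 4625 Source=10.0.0.17 Target=User1 Workstation=SRV01",
    "2017-10-24T13:02:00 4625 Source=10.0.0.42 Target=alice Workstation=WS07",  # a mistyped password
    "2017-10-24T13:07:30 4625 Source=10.0.0.42 Target=alice Workstation=WS07",
    "garbage line that the parser should skip",
]

LINE = re.compile(
    r"^(?P<ts>\S+) 4625 Source=(?P<src>\S+) Target=(?P<user>\S+) Workstation=(?P<ws>\S+)$"
)

# Account names from the embedded credential list quoted above.
COMMON_ACCOUNTS = {"administrator", "admin", "guest", "user", "user1"}


def parse(lines):
    """Yield (timestamp, source, account, workstation) for every well-formed line."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # tolerate unparseable lines instead of aborting the scan
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"].lower(), m["ws"]))
    return events


def detect_spraying(lines, window=timedelta(seconds=60), min_accounts=4):
    """Return {source: sorted distinct accounts} for every source that fails logons
    against at least min_accounts different accounts inside one sliding window."""
    by_src = defaultdict(list)
    for ts, src, user, _ws in parse(lines):
        by_src[src].append((ts, user))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {u for t, u in evs[i:] if t - t0 <= window}
            if len(seen) >= min_accounts:
                hits[src] = sorted(seen)
                break
    return hits


def common_account_hits(lines):
    """Count failed logons per source that target an account from the embedded list."""
    counts = defaultdict(int)
    for _ts, src, user, _ws in parse(lines):
        if user in COMMON_ACCOUNTS:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    print("spraying:", detect_spraying(SAMPLE_LOGONS))
    print("common-account attempts:", common_account_hits(SAMPLE_LOGONS))
```

The two functions answer different questions: detect_spraying flags the behaviour (many accounts from one source in a short window) regardless of which names are tried, while common_account_hits is a cheap indicator tied to this particular list and will miss a variant that ships a different one. The single user mistyping a password twice five minutes apart stays below both thresholds.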

Network Indicators

  • C2 server: caforssztxqzf2nm.onion
  • Payment site hosted on Tor
  • Ransom amount: 0.05 BTC (~$280 at the time)
  • 40-hour deadline before price increase

Relationship to NotPetya

Several technical similarities suggest a connection to the NotPetya operators:

  • Similar SMB lateral movement code
  • Overlapping credential harvesting techniques
  • Shared code structures in the dropper
  • Both targeted Ukrainian organizations
  • Security researchers linked both to the Sandworm group

Defensive Recommendations

  1. Block fake update prompts at the gateway level
  2. User awareness training for social engineering attacks
  3. Apply MS17-010 patches to prevent EternalRomance exploitation
  4. Disable WMI where not required
  5. Implement strong password policies to resist brute force
  6. Create vaccination files: creating C:\Windows\infpub.dat and C:\Windows\cscc.dat as read-only files prevents infection
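Recommendation 6 can be scripted so that it is applied consistently and verified afterwards. The following is an added example, not a tool from the original analysis: it creates the two file names given on the page as empty read-only files in a directory passed as a parameter (so it can be exercised against a scratch directory rather than the real C:\Windows), leaves any file that already exists at those paths untouched, and reports whether each path ended up without write permission. On Windows, clearing the write bits through os.chmod sets the read-only attribute.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names from the page; the directory is a parameter so the routine can be
# run against a scratch directory on any platform.
VACCINE_FILES = ("infpub.dat", "cscc.dat")

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def create_vaccine_files(windows_dir):
    """Create zero-byte read-only files at the paths the dropper writes to.

    Returns {filename: is_read_only}. A file that already exists is not
    overwritten: on a live host that is something to investigate, not replace.
    """
    base = Path(windows_dir)
    results = {}
    for name in VACCINE_FILES:
        path = base / name
        if not path.exists():
            path.touch()
        mode = path.stat().st_mode
        os.chmod(path, mode & ~WRITE_BITS)  # clear every write bit
        results[name] = not (path.stat().st_mode & WRITE_BITS)
    return results


def self_check():
    """Run the routine twice against a fresh temporary directory and return the
    second result, which demonstrates that re-running it is safe."""
    scratch = tempfile.mkdtemp(prefix="vaccine_demo_")
    create_vaccine_files(scratch)
    return create_vaccine_files(scratch)


if __name__ == "__main__":
    # Hypothetical default target; on a real Windows host this needs an elevated shell.
    target = os.environ.get("SystemRoot", tempfile.mkdtemp(prefix="vaccine_demo_"))
    for name, ok in create_vaccine_files(target).items():
        print(f"{Path(target) / name}: {'read-only' if ok else 'STILL WRITABLE'}")
```

A read-only attribute only blocks the dropper's write if it runs without the rights to clear that attribute first, so this is a cheap hurdle rather than a substitute for patching and credential hygiene; the returned dictionary is the piece worth logging centrally so that a host where the file is unexpectedly writable, or was already present, gets looked at.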

Conclusion

BadRabbit demonstrated that even relatively simple infection vectors like fake software updates remain effective. The combination of social engineering, legitimate encryption tools, and credential harvesting made it a potent threat despite lacking the automated spreading capabilities of NotPetya.