Friday, 27 October 2017

Bad Rabbit Ransomware or Evolution of NotPetya


BadRabbit launched on the morning of Tuesday, October 24, 2017 was delivered through drive-by downloads of the fake Adobe Flash Player installer from the hacked websites. The installer came undetected with a Symantec digital certificate and 1 out of 65 detection rate on VirusTotal. The Bad Rabbit ransomware having the similar set of features and code snippets to the NotPetya wiper can be considered like its new version supposedly created by the same author. In the new version, the legitimate DiskCryptor driver used to install the bootloader and encrypt the hard disk volumes in a hidden way.

Main outcomes:
  • The BadRabbit is a new version of NotPetya, supposedly written by the same author;
  • It's a cryptolocker - you can unlock the computer and decrypt the data only by paying 0.05 BTC;
  • This is not a targeted attack, unlike NotPetya
  • The BadRabbit is distributed over the local network using the EternalRomance vulnerability in SMB1, WMI, WebDAV, brute-force with simple passwords through NTLMSSP
  • The BadRabbit uses the legitimate DiskCryptor driver
Read the full report for more details.

Monday, 2 October 2017

VB2017: Battlefield Ukraine


This summer, Ukraine unwillingly became the battlefield of the hacker group(s) with the supposedly Russian roots and the antivirus industry. This is not the first time when Ukraine attracts attention of cyber security experts. Suffice it to recall in this regard the several waves of cyber attacks against critical infrastructure of Ukraine using the BlackEnergy [1] and Industroyer [2,3] industrial malware supposedly created by a Russian hacker group.

Thursday, 14 September 2017

Facebook video scam continues spreading undetected


Facebook and Google Docs continue to be used by scammers as a delivery channel for malware and adware.


In October 2016, Facebook users were sent the links to supposedly adult videos [1] that can be played from a fake Youtube portal only when a target downloads and install the malicious Video Plugin.

In August 2017, the same attack vector is used to spread adware [2].

And today, I saw the following message on my Facebook arrived from the hacked mobile Facebook app of one of my students in past. In addition to the message, I and other victim’s friends were marked in the comment to the post with a fake video.

Thursday, 10 August 2017

Serpent Ransomware Analysis

The new Octopus cryptolocker being an offspring of the Serpent/Zyklon/WildFire/HadesLocker families shows that .NET ransomware can be not an easy meat for a reverse engineer. It leverages several types of obfuscation, code encryption, and anti-debugging to protect its C# code from decompilation and analysis.

Monday, 7 August 2017

Spora Ransomware Analysis



Similar to Cerber (Ferber) ransomware, Spora has its own intricate encryption file format and does not encrypt the whole file. The encryption block size varies depending on a file size.

Friday, 28 July 2017

New variant of Cerber ransomware (Ferber) analyzed


This summer Cerber is on duty. It comes via spear-phishing emails, bypasses antiviruses leveraging polymorphic encryption and API calls obfuscation. The cryptolocker can be easily customized for every target by embedding the JSON-formatted configuration data encrypted with RC4-128 (the decrypted config is on Github for cfd2d6f189b04d42618007fc9c540352). The file encryption scheme 'master RSA-2048 key'-> 'session RSA-880' -> 'file's RC4-128' used by Cerber is not breakable. Cerber scans the IP ranges specified by CIDRs in the config for the C&C server. 

Wednesday, 12 July 2017

Targeted attack with PowerShell ransomware comes undetected


The undetected PowerShell ransomware was used to attack the popular German car dealer. The attack launched through the spear phishing email looked like a mail delivery notification.