Recently, reports of a new piece of ransomware known as Bad Rabbit were making headlines in the press. A suspected variant of NotPetya, Bad Rabbit spread quickly through IT networks in Europe and elsewhere.
Our research indicates that while Bad Rabbit infections started to be reported in late October 2017, the group behind the attacks began building an "infection network" of compromised websites as early as July. Although the attack was not reported as affecting industrial systems, industrial operators should take note of it and of what it means for their cyber resiliency programs.
Bad Rabbit Infections Start with Employees Running a Trojanized Adobe Flash Installer
The malware is disguised as an Adobe Flash installer that pops up on the user's screen when they visit what they believe is a legitimate site. Because the attackers compromised media and news sites, which have historically used Flash to enrich the visitor experience, a prompt to download a Flash update does not immediately arouse suspicion. If the user accepts the prompt, the ransomware dropper is downloaded and the attack begins.
Once the victim runs the dropper, which requires administrator privileges:
- A malicious DLL named infpub.dat is written to disk and launched with the legitimate Windows utility rundll32.exe.
- infpub.dat attempts to log on to other hosts over SMB using NTLM, the Microsoft authentication protocol, with a hard-coded list of usernames and passwords (a brute-force credential attack), and drops an executable, dispci.exe, which is derived from the code of the well-known open-source disk-encryption utility DiskCryptor.
- Running dispci.exe starts the disk-encryption phase and replaces the bootloader, as already seen in the earlier NotPetya attacks.
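The execution chain above is also a detection chain: each step leaves a distinctive trace on the endpoint or on the authentication logs of neighbouring hosts. The following Python is an added example, not code from the original article or from Nozomi Networks. It runs three checks over constructed sample log lines: rundll32.exe being told to load a module whose extension is not .dll (the infpub.dat launch), the DiskCryptor-derived dispci.exe being started at all, and a burst of failed NTLM network logons from one source trying many accounts (the credential brute-force). The log format, field names, host names, IP addresses, the installer file name and the thresholds are all assumptions made for the example.

```python
"""Endpoint and logon-log checks for the Bad Rabbit execution chain.

Added example, not the article's own code. The log format (one event per
line, key=value pairs, values quoted when they contain spaces), the host
names, addresses and thresholds are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: WS01 runs the full chain, FS01 sees the credential
# attack from WS01 (10.0.0.15), WS02 runs a legitimate rundll32 command and
# 10.0.0.22 is a user mistyping a password twice.
SAMPLE_LOG = r"""
ts=2017-10-24T13:01:02 host=WS01 event=ProcessCreate image="C:\Users\alice\Downloads\flash_update.exe" parent="C:\Program Files\Mozilla Firefox\firefox.exe" cmdline="flash_update.exe"
ts=2017-10-24T13:01:05 host=WS01 event=ProcessCreate image="C:\Windows\System32\rundll32.exe" parent="C:\Users\alice\Downloads\flash_update.exe" cmdline="C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1 15"
ts=2017-10-24T13:01:09 host=WS01 event=ProcessCreate image="C:\Windows\dispci.exe" parent="C:\Windows\System32\rundll32.exe" cmdline="C:\Windows\dispci.exe -id 1234"
ts=2017-10-24T13:01:10 host=FS01 event=LogonFailure id=4625 logon_type=3 auth=NTLM src=10.0.0.15 user=Administrator
ts=2017-10-24T13:01:11 host=FS01 event=LogonFailure id=4625 logon_type=3 auth=NTLM src=10.0.0.15 user=admin
ts=2017-10-24T13:01:12 host=FS01 event=LogonFailure id=4625 logon_type=3 auth=NTLM src=10.0.0.15 user=root
ts=2017-10-24T13:01:13 host=FS01 event=LogonFailure id=4625 logon_type=3 auth=NTLM src=10.0.0.15 user=guest
ts=2017-10-24T13:01:14 host=FS01 event=LogonFailure id=4625 logon_type=3 auth=NTLM src=10.0.0.15 user=backup
ts=2017-10-24T13:01:15 host=FS01 event=LogonFailure id=4625 logon_type=3 auth=NTLM src=10.0.0.15 user=operator
ts=2017-10-24T13:02:00 host=WS02 event=ProcessCreate image="C:\Windows\System32\rundll32.exe" parent="C:\Windows\explorer.exe" cmdline="rundll32.exe shell32.dll,Control_RunDLL"
ts=2017-10-24T13:05:00 host=FS01 event=LogonFailure id=4625 logon_type=3 auth=NTLM src=10.0.0.22 user=bob
ts=2017-10-24T13:05:30 host=FS01 event=LogonFailure id=4625 logon_type=3 auth=NTLM src=10.0.0.22 user=bob
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def rundll32_module(ev):
    """Rule 1: rundll32 asked to load a module whose extension is not .dll.

    Bad Rabbit launches its DLL as 'infpub.dat,#1 15'; a normal Control
    Panel launch loads shell32.dll and is not flagged.
    """
    if ev.get("event") != "ProcessCreate":
        return None
    if not ev.get("image", "").lower().endswith("rundll32.exe"):
        return None
    m = re.search(r"rundll32\.exe\s+([^,\s]+)", ev.get("cmdline", ""), re.I)
    if m and not m.group(1).lower().endswith(".dll"):
        return ("rundll32-nondll-module", m.group(1))
    return None


def diskcryptor_component(ev):
    """Rule 2: the DiskCryptor-derived dispci.exe being started at all."""
    if ev.get("event") != "ProcessCreate":
        return None
    if ev.get("image", "").lower().endswith("\\dispci.exe"):
        return ("dispci-launch", ev["image"])
    return None


def ntlm_spray(events, window_s=60, min_users=5):
    """Rule 3: >= min_users distinct accounts failing NTLM network logons
    (event 4625, logon type 3) from one source within window_s seconds."""
    by_src = defaultdict(list)
    for ev in events:
        if (ev.get("id") == "4625" and ev.get("logon_type") == "3"
                and ev.get("auth") == "NTLM"):
            by_src[(ev["host"], ev["src"])].append(
                (datetime.fromisoformat(ev["ts"]), ev["user"]))
    alerts = []
    for (host, src), fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                alerts.append((host, "ntlm-credential-spray", src))
                break
    return alerts


def detect(log_text, window_s=60, min_users=5):
    """Return (host, rule, detail) alerts for every rule hit in log_text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        for rule in (rundll32_module, diskcryptor_component):
            hit = rule(ev)
            if hit:
                alerts.append((ev["host"],) + hit)
    alerts.extend(ntlm_spray(events, window_s, min_users))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The first two rules fire on a single process-creation record, so they can block or alert before encryption starts; the third needs the failed-logon events from other hosts and is the one that catches the lateral movement even when the initial host was missed. Raising `min_users` trades sensitivity for fewer false positives from users who simply mistype a password.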
Bad Rabbit does not spread indiscriminately across the internet from a single point, so there is no equivalent of the kill-switch domain that halted WannaCry. Instead, the malware appears to have been delivered through compromised websites whose audiences sit in the countries the attackers wanted to hit.
The time attackers invest in building such an infection network is telling: it is typical of a group that plans an attack against specific targets while keeping its identity and origin hidden.
One saving grace is that the initial infection is not automatic: the attacker relies on a user running the fake installer before the malicious code can deploy. This suggests a lack of preparation, and perhaps even ignorance of how ransomware attacks work, on the part of the assailants.
That said, it is important to recognize that employees can inadvertently become the weakest point in an organization's cyber security, as all too often they are unaware of the threats they face and of the tactics attackers use to dupe them.
Bad Rabbit Shows Risk from Small Variants of Malware
Extortion through ransomware is one of the oldest tricks in the attacker's book, and even though organizations have adopted various protection mechanisms, these attacks remain successful.
Bad Rabbit shows that a small variation in attack vector, delivery method or payload is enough to achieve effects comparable to previous campaigns such as NotPetya and WannaCry.
The reality is that we will continue to see more attacks of this kind, because they do not require developing complex new exploits, just the combination of publicly available code that anyone can find.
It is crucial that industrial organizations understand the outsized role employees play in securing company systems and data, and train them to recognize when something looks suspicious. Organizations also need tools that immediately flag anomalous activity within the infrastructure.
Tools Exist to Rapidly Detect Malware on Industrial Control Networks
Passive ICS monitoring tools that use artificial intelligence and machine learning for real-time malware detection and response, such as our SCADAguardian product, go a long way towards mitigating the impact of malware like Bad Rabbit. They allow organizations to rapidly discover malicious code and act to remove it, and the risk it poses, before harm is done.
This article was originally published by Infosecurity magazine.
Moreno Carullo, Co-Founder and Chief Technical Officer, Nozomi Networks
Armed with a Ph.D. in Artificial Intelligence and an extensive background in systems engineering and software development, Moreno Carullo has led the way in redefining the ICS cyber security product category. A long-time member of the IEC TC57 WG15 subcommittee, he is also actively working to shape cyber security standards for power system communication protocols. As Founder and Chief Technical Officer at Nozomi Networks, Moreno leads an exceptionally talented software development team that uses agile development to quickly address the cyber security requirements of enterprise customers and partners.