Down the BadRabbit Hole: Ransomware Delivered by Fake Flash Updates

Posted November 9, 2017

In the past few weeks, a new strain of self-propagating ransomwareRansomware: A type of malicious software designed to block access to a computer system until a sum of money is paid. dubbed BadRabbit emerged via infected media and government websites, primarily located in Russia and the Ukraine. This strain of malwareMalware: Software that is intended to damage or disable computers and computer systems. is being closely compared to WannaCry and NotPetya for how it’s infected and impacted organizations.

BadRabbit is delivered via drive-by download from sites infected with malicious JavaScript. The malicious script harvests user data, including device type and location, sends it back to the attacker, and then presents a pop-up window disguised as a Flash Player Update Installer. When the user clicks to install the update, the malware dropper is installed instead.

Fig. 1: Pop-up window for Adobe Flash Player Update

With ransomware continuing to dominate security news in 2017, organizations need to arm themselves with as much knowledge as they can to prevent falling victim to attacks.

Drop It Like It’s Hot

Once dropped onto the victim’s computer, BadRabbit encrypts the host’s files and presents a message with instructions on how to pay the ransom.  This message is visually similar to the message associated with NotPetya.

Fig. 2: Encryption message

You Have to Pay to Play

As common with most ransomware attacks these days, BadRabbit requests payment in bitcoin, specifically 0.05 BTC or $285 USD.  All the user has to do is get some bitcoin and visit the attacker’s “onion” website on the DarkNet to pay the ransom.

It’s Engineered to Spread Throughout Your Network

BadRabbit is not content with sticking to the original infected host. Instead, it leverages SMB communications to search for other hosts on the network. This means once the ransomware is on your network, it can spread to other devices.

Fig. 3: SMB Access

How Does Game of Thrones Fit In?

One of the more unique aspects of BadRabbit is that the malware contains at least three references to dragons from the Game of Thrones: Viserion, Drogan, and Rhaegal. The “product name” of the malware is GrayWorm, a character featured in the series. LookingGlass’ threat operations team isn’t reading too much into this aside from the attacker being a fan of the popular series Game of Thrones.

Fig. 4: Game of Thrones Reference

Avoiding the Rabbit Hole

Preventing your networks from becoming infected by ransomware starts with cyber safety awareness training for both employees and vendors. Organizations should also consider automated defenses that can identify and immediately block known bad before it enters your walls.

Some more general mitigation approaches you should take include:

• Disable pop-up windows in browsers.
• Update anti-virus signatures.
• Maintain regular back-ups of data.

Specific to Bad Rabbit, organizations should block the following domains and file hashes:

• Domains
  • hxxp://185.149.120.3/scholargoogle
  • hxxp://1dnscontrol.com
  • hxxp://caforssztxqzf2nm.onion
• File Hashes
  • fbbdc39af1139aebba4da004475e8839
  • 1d724f95c61f1055f0d02c2154bbccd3
  • b14d8faf7f0cbcfad051cefe5f39645f
  • B4E6D97DAFD9224ED9A547D52C26CE02