The recent global outbreak of the “NotPetya” malware has some very curious features that have left security officials puzzled.
Despite the press coverage, NotPetya is not really a ransomware attack to hold your data hostage. It’s a killbot.
Several information security specialists have pointed a finger directly at Moscow; citing circumstantial evidence the source of NotPetya was the TELEBOTS group of hackers previously associated with attacks on Ukraine, in particular, the Ukraine power grid “BlackEnergy” attack. Others have noted the malware used features stolen from the US National Security Agency, specifically the EternalBlue exploit made famous by the previous WannaCry global ransomware attack.
First, the NotPetya attack does have components used by the Telebot attackers. According to Anton Cherepanov, a researcher at the Welivesecurity group, the NotPetya malware contains telltale clues in design that point toward the hacker group. Once executed, this ransomware-like design encrypts all files, except files located in the C:\Windows directory, using AES and RSA algorithms.
“As mentioned above, in the final stage of their attacks, the TeleBots attackers pushed ransomware using stolen Windows credentials and SysInternals’ PsExec. This new ransomware was detected by ESET products as Win32/Filecoder.NKH. Once executed, this ransomware encrypts all files (except files located in the C:\Windows directory) using AES-128 and RSA-1024 algorithms. The malware adds the .xcrypted file extension to already-encrypted files.” states the analysis published by ESET.
The malware deletes and overwrites the target files with a special software design called KillDisk. Telebot attackers have previously used the special KillDisk wiping system which appears inside NotPetya.
However, it is not just the KillDisk feature that points to the TELEBOT group. It is this feature combined with the poorly designed pay-off scheme inside NotPetya that indicates it is not ransomware at all but in fact a high-speed brick to destroy Windows data.
First, the NotPetya malware contains a single email address to contact the hacker which was quickly shut down in the first few hours of the attack. In addition, the Bitcoin area where the ransom was to be paid was easy to monitor, a very curious move by someone who wants to get money for crime. Finally, the data recovery section of the NotPetya malware was inoperable, leaving little chance of getting your data back even if the ransom was paid.
So, instead of being a kidnap your data scheme, NotPetya turned out to be a smash everything malware masquerading as a ransomware attack. Again, this charade of acting like a ransomware but actually being a destruction attack points toward the same MO (modus operandi) of the TELEBOT group.
While the NotPetya malware can use the stolen NSA EternalBlue exploit, which was later patched in a special Microsoft update, the prime method of spreading the attack was not the NSA software at all. Instead, NotPetya used common system features used inside some Microsoft networks to spread itself. One method is called PsExec, a light-weight telnet-replacement that lets you execute processes on other systems. PsExec is provided by Microsoft. The other method used by NotPetya is WMIC or Windows Management Instrumentation Command-line that is also provided by Microsoft.
The use of Microsoft-provided tools allowed NotPetya to spread undetected. The EternalBlue exploit has a known signature and can be detected by security and anti-virus software. Instead of drawing attention and perhaps even alerting the targets, the NotPetya designers utilized a special version of the Mimikatz tool to steal passwords and logins and then ran the PsExec and WMI software tools provided by Microsoft to move and replicate in a stealth fashion, undetected by anti-virus and security software.
“Specifically, the malware had an embedded Mimikatz DLL that it used to extract Windows account credentials from the memory of a compromised PC. With these credentials, the malware started to spread inside its host network using SysInternals’ PsExec utility.” continues the analysis.
The use of WMI and PsExec to move across a network is also a known signature of several malware designers including the TELEBOT group.
It is also clear the NotPetya software started with a very specific attack on the Ukraine. The initial attack was contained inside false updates tied to financial software used by the Ukraine called M.E.Doc. M.E.Doc software is one of only two software packages available for businesses have to pay their taxes in Ukraine. The attackers elected to concentrate against the M.E.Doc package because it appears they may have previously penetrated the small firm that distributed it and it was likely that a large number of users would have the software. Again, the intimate knowledge of Ukraine software updates and operations indicates that the TELEBOT group may have been the culprit.
However, what appears to not have been anticipated was that many of the Ukraine businesses included international partners with vulnerable connections on a global scale. The NotPetya virus spread through this international VPN and network connections to various companies around the globe including the US, UK, Australia, and Russia. It is this last nation-state attack by NotPetya that provided the awkward but convenient plausible deniability for Moscow that the malware wasn’t their doing.
This could be true since Moscow is known to work with a wide variety of hacker groups, some of which operate independently of Kremlin orders and often for their own profit. Russia employed such privateer hackers during the 2008 war against Georgia. The hackers were able to bring down a wide variety of Georgian targets including government communications and private companies which distributed power generators.
However, the privateers also were forced to live off the land so to speak. In order to finance many of the attacks, the groups utilized stolen US credit card information. The use of US money to finance an information warfare operation against Georgia did not sit well inside Washington and perhaps was one reason why the then Bush administration responded to deter Moscow from further combat.
It is not unfair to point out that other nations including the US, UK, China, and Israel have also been known to utilize privateer hackers for national security or nation-state style strikes. Many smaller nations which have limited resources in these areas have also employed private, often nefarious, hacker groups to penetrate political opponents, uncover leakers and distrust journalists. Sometimes when these attacks are revealed, the resulting scandal can damage the ruling party such as in the recent case of cyber attacks by the Mexican government.
However, the lack of pay-off for NotPetya to the designers shows at very worst it was a poorly designed nation-state attack that went out of control. Nation-state actors should take heed from the lessons of NotPetya and WannaCry. The fact is that software “weapons” can have collateral damage that extends far from the intended original target. Soft-warfare weapons are much like their bio-warfare cousins, they can spread and even attack the hand that created them.
(Security Affairs – NotPetya , intelligence)