Bad Rabbit Ransomware leverages the NSA Exploit for lateral movements

Malware researchers at Cisco Talos team discovered the Bad Rabbit Ransomware leverages EternalRomance to propagate in the network.

New precious details emerge from the analysis of malware researchers at Cisco Talos and F-Secure who respectively discovered and confirmed the presence an NSA exploit in the Bad Rabbit ransomware.

On October 24, hundreds of organizations worldwide were hit by the Bad Rabbit ransomware, mostly in Russia and Ukraine.

The first reports on the ransomware revealed that the malicious code also relies on the Server Message Block (SMB) protocol to spread within the targeted network. Many experts excluded the use of the SMB exploits EternalBlue and EternalRomance for the lateral movements.

Previous reports confirmed that the Bad Rabbit ransomware does not use NSA-linked EternalBlue exploit, but researchers at Cisco Talos discovered the malicious code leverages EternalRomance to propagate in the network.

“Despite initial reports, we currently have no evidence that the EternalBlue exploit is being leveraged. However, we identified the usage of the EternalRomance exploit to propagate in the network. This exploit takes advantage of a vulnerability described in the Microsoft MS17-010 security bulletin. The vulnerability was also exploited during the Nyetya campaign.” reads the analysis published by the Talos team.

The EternalRomance vulnerability was patched by Microsoft in March 2017 with the release of the MS17-010 security bulletin that also fixed the EternalChampion, EternalBlue and EternalSynergy exploits.

Both exploits were disclosed by the Shadow Brokers hacker group earlier this year when the crew leaked a portion of the arsenal of the NSA-Linked Equation Group, a database containing hacking tools and exploits.

Almost every analysis produced since the discovery of the Bad Rabbit ransomware revealed many similarities between Bad Rabbit and NotPetya, including the targeting of Ukraine and Russia, the usage of Mimikatz tool, and the same type of file encryption.

However, while NotPetya is a wiper disguised by a ransomware, Bad Rabbit appears to be a real ransomware.

Another interesting aspect emerged by further analysis is related to the alleged planning of the attack that seems to be dated back months ago. Some of the compromised domains used in the Bad Rabbit ransomware attack had been set up since at least July 2017 and some of the injection servers were first seen more than a year ago.

According to malware researchers, NotPetya has been linked to BlackEnergy APT, for this reason, some experts suggest the same threat actor could be behind the Bad Rabbit ransomware.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Bad Rabbit ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]