In the past weeks, we have seen interesting developments on the use of malicious code against business victims.
Generally, businesses are victims of Trojans or Ransomwares via massive spam (botnet) or by more subtle mailing (mimicking business entities).
Worms were a thing of the past until Wannacry (or Wannacrypt) ransomware appeared in May. Its use of the devastating Windows SMB vulnerability fixed in March (MS17-010) lead to the most massive ransomware infection as of today.
Its mode of propagation is pretty blunt compared to other common malwares. It’s not what we were used to see, especially for ransomwares.
Today, we’re coming to an age of massive, destructive and coordinated release of malwares against companies and governmental entities.
NotPetya was the latest occurrence of this type of malware.
1 – Situation triggered in Ukraine
On the 27/06/2017, the attack first nicknamed “Petya” lead to a massive infection of computers mainly in Ukraine, Russia and more marginally European countries.
Big international companies were hit hard like Maersk (Danish maritime transport company).
The first infections seemed to be correlated to the use of the accounting software called “M.E.Doc” ; which is developed by a Ukrainian, Kiev-based company called “Intellect Services“. Later reports corroborated this hypothesis, like ESET or by reviewing the company logs by Cisco Talos unit.
The malicious actors behind this attack, used the update system of M.E.Doc, in order to include a backdoor inside a new version of the software. This backdoor used the update server as a proxy C&C server ; thus permitting to access infected computer and distribute malware selectively.
Indeed, the code included a modified DLL library which contained functions permitting to relay ERDPOU (legal entity code in Ukraine) to the attackers. In this way, malicious files could be dropped on specific companies based on the ERDPOU.
Three compiled updates contained this backdoor on the 14th of April, 15th of May and 22th of June
Another ESET article (Link with older threats-BlackEnergy – ESET) indicated that a ransomware called AES.NI (or XData) was released in the vicinity of the 15th of May.
It’s seems that the infection was limited and the ransomware creator released the master key a few days later (see Bleeping Computer).
So, it seems that the ERDPOU pinpoint targeting was used in this first wave of infection.
There is no indication of exploitation of the first backdoor deployed with the 14th of April update (there was a window of 10 days to exploit it before a new update was deployed without the backdoor).
On the 22/06 backdoor delivery and onward, attackers released several other ransomware:
- First: a .NET clone of Wannacry, also called “FakeCry” which was compiled on the 01/01/2016 (spoofed obviously) was released around and received payments beginning on the 26/07/2017 21:00 UTC (Bitcoin wallet: 13KBb1G7pkqcJcxpRHg387roBj2NX7Ufyf), Kaspersky indicates it appeared on the 27/06/2017 at 12:34 UTC
- Second: a clone of Petya ransomware (Goldeneye Petya), compiled on the 18/06/2017, released on the 27/06/2017 beginning at 09:00 UTC and began receiving payment at 13:00 UTC (Bitcoin wallet: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX)
- Third: Possibility of another malware between the 27 and 29, the update server of M.E.Doc stopped to reply after 19:00 UTC (22 o’clock local time). Ukraine Interior Minister, Arsen Avakov indicated on the 4th of July, (Original FB post) the cyber police stopped a second wave of attack, could it be this one?
Only the second wave used a massive distribution mode for the NotPetya malware. Thus the ERDPOU targeting seems to have been skipped entirely in this case.
The massive ransomware outbreak that followed hit first Ukraine, then Russia and other European countries. We can consider the last two as collateral damages, knowingly targeted or not by attackers.
2 – What makes NotPetya different from other threats?
Quickly after the ransomware outbreak of the 27th, the anti-malware community analyzed the samples. They pointed several outliers in this threat.
These can be summed-up as such:
- The ransomware used a MBR encryption looking like Petya
- It contained the phrase “Oops, your files have been encrypted” which is a clear tribute to Wannacry
- It’s using a single Bitcoin address (1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX) and a single e-mail (wowsmith123456_at_posteo.net, quickly disabled) to send funds and decrypt the disk
- It used a modular architecture based on several components: user-mode crypter, MBR crypter, password retrieval (via a minimal Mimikatz) and network worm (using stolen domain credential via PSExec or WMI, it also uses the same SMBv1 vulnerability used by Wannacry)
- It’s wiping event logs, USN journals and in some cases first sectors of disk
- Its MBR crypter was patched from hexadecimal code and not from source code recompiling
- It detected the presence of Kaspersky antivirus to wipe the first physical sector of the disk
Most of the general public has been chocked by the news concerning the Wannacry infection and has been generally informed of the dangerousness of such malwares.
However, there is not the same picture with NotPetya (except for Ukraine). As its impact was limited to a few international companies and Eastern-European countries, it appeared as a lesser threat.
This is a totally wrong judgment in my opinion.
So what differentiate NotPetya from Wannacry and makes it more dangerous?
- It wasn’t using its worm component as the main infection vector
- It mainly impacted internal network and non Internet facing computers
- It was primarily relying on horizontal networks and bad password management for its propagation
- It could impact a lot more Windows OS (almost any), fully patched or not
- It used a known ransomware template to slow or disturb incident response
3 – Link to previous threats
As we have seen earlier, ESET identified the backdoor as being the medium used to distribute the ransomware.
They also identified infrastructure similarities between a Trojan known as “Telebots” and NotPetya. Also a VBS backdoor used by the “Telebots” group was potentially deployed via the M.E.Doc backdoor and used the C&C address: bankstat.kiev[.]ua. The DNS entry was changed on the 27/06 to route to 10.0.0.1.
In this article, there is also a link made to the BlackEnergy trojan.
This analysis was corroborated by Kaspersky, with a different approach. In this article, they indicated that similarities between NotPetya and BlackEnergy assembly code existed. They created a YARA rule to detect such similarities in other anti-malware company databases.
The ESET article also mentioned the malware known as KillDisk which used a picture and filename as a tribute to the TV show “Mr. Robot”.(https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/) The picture in itself is a feat, as it was traced using real-time computer graphic (much like demos).
This fake-ransomware is interesting because its goal was clearly to troll the user and the money was never a motive. Indeed, their wallet (1Q94RXqr5WzyNh9Jn3YLDGeBoJhxJBigcF) received a single payment of 0.1 USD on the 30/12/2016.
4 – What’s next?
We now have proof that The Shadow Brokers are patented trolls and the NotPetya attackers are following this tendency.
On the 4th of July (US independance day), they withdrew money from their Bitcoin wallet and sent donation to PasteBin and DeepPaste.
Later, the same message was posted on the two website indicating a ransom of 100 BTC (around 250k USD) for the release of the private master key.
They also posted details on a TOR hidden service serving a chat room connected to the group.
They later proved that they could decrypt several files of less than 1Mb. However, a flaw in their code may not work for files of more than 1 Mb. So the act is more trolling than a real redemption from the attackers.
The day after, Janus, the spokesperson for the group behind the “Goldeneye Petya”, released a coded statement:
— JANUS (@JanusSecretary) July 5, 2017
This is a quote from the GoldenEye movie, with Boris (the Russian hacker) showing his skills to Natalya (the Bond girl). The link contained the master key of all Petya ransomwares. Thus indicating he wasn’t associated with the NotPetya group.
So what should be the next step in this situation, especially in Ukraine? We have seen proof that the cyber security police team retrieved M.E.Doc servers (impressive demonstration of force), comments by various agencies speaking of an act which could lead to retaliation (CCDCOE, cyber agency of NATO) and tension between Kaspersky and US government.
We’re seeing more and more evidence of “cyber” operation by agencies worlwide.
It seems that nowadays there is a clash between two or more of these agencies which we’re just seeing the beginning.
Long before Snowden revelations, there was a story involving a Cuckoo’s Egg, acts of espionage against US army. Today we’re seeing operation targeting and impacting civilians, without any distinction.
Is this an age of cyber-chaos? Not really, I would say it’s mostly Psychological Operations (PSYOPS) against at war countries (like Ukraine), NATO community and more generally the World.
I’m pessimistic by nature and optimistic by reason, so I would say that something important is going to happen at the issue of this conflict.
@thegrugq one-tweet sum-up:
Someone had an implant on 80% of the businesses that operate in Ukraine, for months, and then they burned that in spectacular fashion
— the grugq (@thegrugq) July 7, 2017