Weekly Executive Summary for Week June 30, 2017

By Joseph Lorenz on June 30, 2017

What is it? Ransomware

What has it been dubbed? Petya | Petrwrap | NotPetya | exPetr | Petya 2.0 | GoldenEye

What does it do?

Ukraine, Russia, and Western Europe were heavily affected, with Ukraine hit the hardest. Unlike WannaCry and numerous other ransomware families, Petya does not encrypt files one by one. Instead, it overwrites the Master Boot Record (MBR) and encrypts the Master File Table (MFT) and the MBR to render the system unusable.

It uses a Server Message Block (SMB) vulnerability known as “EternalBlue” to spread through internal networks (the vulnerability was patched in Microsoft’s MS17-010 security bulletin). If the EternalBlue exploit can’t be used, the malware attempts to use the native Windows tools PsExec and Windows Management Instrumentation Command-line (WMIC) to spread within an infected network. The final attack vector (which is how the malware was initially spread) is the update management system of “MeDoc”, a Ukrainian financial tech company that makes accounting software for businesses.

The malware attempts to capture credentials from administrator accounts. A single infected system that holds administrative privileges can spread the ransomware to the other systems it can reach.

How does it do it?

Initial infection can be delivered via one of several vectors. One way observed by researchers is phishing emails carrying malicious Word “.docs” files. One of the most effective delivery methods was the update management server of a popular Ukrainian financial tech company called MeDoc.

[Image: network diagram. Source: Cybereason]

Once a host is infected, the malware tries to propagate in numerous ways. One is the EternalBlue exploit, which came from the infamous NSA FuzzBunch leak. The next delivery method observed is the EternalRomance exploit, which also takes advantage of an SMBv1 vulnerability and gives the malware SYSTEM privileges.

NotPetya enumerates all network adapters and known server names (via NetBIOS), and retrieves the list of current Dynamic Host Configuration Protocol (DHCP) leases if that information is available. Every IP address/server on the local network is then checked to see whether TCP ports 445 (NetBIOS over TCP/IP) and 139 (NetBIOS) are open; these ports are used by the SMB protocol and by the EternalRomance and EternalBlue exploits. The ransomware uses a custom version of “Mimikatz” (a module that can also be found in Metasploit) to try to extract administrator credentials. These credentials are then used with “PsExec” or “WMIC”, both native Windows tools, to spread the infection.
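The sweep described above, in which one host probes every neighbour on ports 445 and 139 before trying an SMB exploit or PsExec/WMIC, is also what makes the behaviour detectable on the wire. The following is an added example, not code from the original post or from any of the cited vendors: a small Python detector that reads constructed flow records (timestamp, source, destination, destination port; the record format and the 10.0.5.0/24 addresses are assumptions) and flags any source that reaches five or more distinct hosts on TCP 445 or 139 within a sliding 60-second window. A workstation normally talks SMB to a handful of file servers, so a sudden fan-out to many peers is the signal worth alerting on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real capture data): "timestamp src dst dport".
# 10.0.5.23 behaves like a NotPetya host and sweeps the /24 on 445 and 139 within
# seconds. 10.0.5.77 is normal file-share use. 10.0.5.90 touches six hosts, but
# spread over five minutes, so it stays below the per-window threshold.
SAMPLE_FLOWS = """\
2017-06-27T11:02:01 10.0.5.23 10.0.5.1 53
2017-06-27T11:02:03 10.0.5.23 10.0.5.40 445
2017-06-27T11:02:03 10.0.5.23 10.0.5.41 445
2017-06-27T11:02:04 10.0.5.23 10.0.5.42 139
2017-06-27T11:02:04 10.0.5.23 10.0.5.43 445
2017-06-27T11:02:05 10.0.5.23 10.0.5.44 445
2017-06-27T11:02:06 10.0.5.23 10.0.5.45 445
2017-06-27T11:02:30 10.0.5.77 10.0.5.10 445
2017-06-27T11:03:10 10.0.5.77 10.0.5.10 445
2017-06-27T11:00:00 10.0.5.90 10.0.5.50 445
2017-06-27T11:00:01 10.0.5.90 10.0.5.51 445
2017-06-27T11:00:02 10.0.5.90 10.0.5.52 445
2017-06-27T11:05:00 10.0.5.90 10.0.5.53 445
2017-06-27T11:05:01 10.0.5.90 10.0.5.54 445
2017-06-27T11:05:02 10.0.5.90 10.0.5.55 445
"""

SMB_PORTS = {445, 139}   # the two ports the malware probes before attempting to spread


def parse_flows(text):
    """Parse the whitespace-separated records into (datetime, src, dst, port) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows


def detect_smb_fanout(rows, window=timedelta(seconds=60), threshold=5):
    """Flag any source that reaches `threshold` or more distinct hosts on SMB ports
    inside one sliding `window`. Returns one alert dict per offending source."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(rows):      # time order, so the window logic is correct
        if port in SMB_PORTS:
            by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        in_window, peak = [], 0
        for ts, dst in events:
            in_window.append((ts, dst))
            in_window = [(t, d) for t, d in in_window if ts - t <= window]   # expire old events
            peak = max(peak, len({d for _, d in in_window}))
        if peak >= threshold:
            alerts.append({"src": src, "distinct_smb_targets": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_fanout(parse_flows(SAMPLE_FLOWS)):
        print("possible SMB lateral-movement sweep from %(src)s: "
              "%(distinct_smb_targets)d distinct targets" % alert)
```

Run against the embedded records it reports only 10.0.5.23; lowering the threshold to 3 also catches 10.0.5.90, which shows why the window size and threshold need tuning to what normal SMB traffic looks like on a given segment.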

The malware waits 10–60 minutes after initial infection and then reboots the system, either through Windows tools such as “at” or “schtasks” together with “shutdown.exe”, or by forcing a hard error that crashes and reboots the system.

[Image: code snippet of the malware. Source: SecureList]

Once the system reboots, the encryption of the MFT on NTFS partitions takes place while the user is shown a fake Check Disk (CHKDSK) operation.

[Image: fake CHKDSK screenshot. Source: Malwarebytes]

This gives the malware more time to do its nefarious work. The MBR is encrypted/overwritten using AES-128 encryption with a customized loader and the ransom note. The encryption key is encrypted with an embedded public key, Base64 encoded, then added to the README.TXT file.

The cybercriminals demand $300 USD worth of bitcoin to decrypt the data on a victim’s system.

[Image: ransomware note. Source: Malwarebytes]

One of the differences between Petya and NotPetya is the ransom note left on the system. The Petya ransom message has a fake CHKDSK message followed by a skull shape drawn in American Standard Code for Information Interchange (ASCII) text. NotPetya is missing the skull, and the actual ransom demands in the message have changed.

[Image: Petya ransom note. Source: Fortinet]

[Image: NotPetya ransom note]

List of Windows API functions commonly used by malware and found in the sample:

  • ConnectNamedPipe – Used to create a server pipe for interprocess communication that will wait for a client pipe to connect. Backdoors and reverse shells sometimes use ConnectNamedPipe to simplify connectivity to a command-and-control server.
  • GetProcAddress – Retrieves the address of a function in a DLL loaded into memory. Used to import functions from other DLLs in addition to the functions imported in the PE file header.
  • LoadLibraryW – Loads a DLL into a process that may not have been loaded when the program started. Imported by nearly every Win32 program.
  • GetVersionExW – Returns information about which version of Windows is currently running. This can be used as part of a victim survey or to select between different offsets for undocumented structures that have changed between different versions of Windows.
  • LoadResource – Loads a resource from a PE file into memory. Malware sometimes uses resources to store strings, configuration information, or other malicious files.
  • OpenProcess – Opens a handle to another process running on the system. This handle can be used to read and write to the other process memory or to inject code into the other process.
  • LoadLibraryA – Loads a DLL into a process that may not have been loaded when the program started. Imported by nearly every Win32 program.
  • PeekNamedPipe – Used to copy data from a named pipe without removing data from the pipe. This function is popular with reverse shells.
  • CreateFileA – Creates a new file or opens an existing file.
  • GetTickCount – Retrieves the number of milliseconds since bootup. This function is sometimes used to gather timing information as an anti-debugging technique. GetTickCount is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
  • CreateFileW – Creates a new file or opens an existing file.
  • DeviceIoControl – Sends a control message from user space to a device driver. DeviceIoControl is popular with kernel malware because it is an easy, flexible way to pass information between user space and kernel space.
  • GetWindowsDirectoryW – Returns the file path to the Windows directory (usually C:\Windows). Malware sometimes uses this call to determine into which directory to install additional malicious programs.
  • CryptAcquireContextA – Often the first function used by malware to initialize the use of Windows encryption. There are many other functions associated with encryption, most of which start with Crypt.
  • AdjustTokenPrivileges – Used to enable or disable specific access privileges. Malware that performs process injection often calls this function to gain additional permissions.
  • GetAdaptersInfo – Used to obtain information about the network adapters on the system. Backdoors sometimes call GetAdaptersInfo as part of a survey to gather information about infected machines. In some cases, it’s used to gather MAC addresses to check for VMware as part of anti-virtual machine techniques.
  • gethostbyname – Used to perform a DNS lookup on a particular hostname prior to making an IP connection to a remote host. Hostnames that serve as command-and-control servers often make good network-based signatures.
  • connect – Used to connect to a remote socket. Malware often uses low-level functionality to connect to a command-and-control server.
  • inet_addr – Converts an IP address string like 127.0.0.1 so that it can be used by functions such as connect. The string specified can sometimes be used as a network-based signature.
  • recv – Receives data from a remote machine. Malware often uses this function to receive data from a remote command-and-control server.
  • send – Sends data to a remote machine. Malware often uses this function to send data to a remote command-and-control server.
  • WSAStartup – Used to initialize low-level network functionality. Finding calls to WSAStartup can often be an easy way to locate the start of network-related functionality.
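A triage step a defender can automate from this list is to walk a binary’s import table and map what it imports onto the behaviours above. The Python below is an added example, not the author’s tooling or any vendor’s code: parse_imports() reads the PE import directory directly (no pefile dependency), normalize() collapses the A/W variants so CreateFileA and CreateFileW are treated alike, and summarize() groups the hits by category while ignoring GetTickCount and CreateFile, which the list itself notes are uninformative on their own. Because a real binary cannot be shipped inline, build_sample_pe() fabricates a minimal PE32 whose only content is an .idata section; the DLL names and the import set in SAMPLE_IMPORTS are constructed to mirror the list, not copied from the NotPetya sample, and the category names are this example’s own.

```python
import struct

# Behaviour categories built from the import list above. Names are normalized (A/W
# suffix dropped) before matching; GetTickCount and CreateFile are ignored as noise.
CAPABILITIES = {
    "network":     {"WSAStartup", "connect", "send", "recv", "gethostbyname", "inet_addr", "GetAdaptersInfo"},
    "named_pipes": {"ConnectNamedPipe", "PeekNamedPipe"},
    "injection":   {"OpenProcess", "AdjustTokenPrivileges"},
    "crypto":      {"CryptAcquireContext"},
    "dyn_resolve": {"GetProcAddress", "LoadLibrary"},
    "kernel_io":   {"DeviceIoControl"},
}
NOISE = {"GetTickCount", "CreateFile"}

def normalize(name):
    """Drop a trailing ANSI/Unicode variant suffix: LoadLibraryW -> LoadLibrary; recv stays recv."""
    return name[:-1] if len(name) > 2 and name[-1] in "AW" and name[-2].islower() else name

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Walk a PE image's import directory and return {dll_name: [imported_function, ...]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)            # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24                                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off, thunk_fmt = (96, "<I") if magic == 0x10B else (112, "<Q")     # PE32 vs PE32+
    import_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0]       # data directory entry 1
    sections = []                                                           # (va, size, file offset)
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))

    def rva_to_off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError("RVA 0x%x is outside every section" % rva)

    imports, tsize = {}, struct.calcsize(thunk_fmt)
    off = rva_to_off(import_rva) if import_rva else None
    while off is not None:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and iat == 0:
            break                                                           # all-zero terminator
        funcs, t = [], rva_to_off(ilt or iat)                               # some packers zero the ILT
        val = struct.unpack_from(thunk_fmt, data, t)[0]
        while val:                                                          # thunk array ends with 0
            # High bit set = import by ordinal; otherwise RVA of a hint WORD followed by the name.
            funcs.append("#%d" % (val & 0xFFFF) if val >> (tsize * 8 - 1)
                         else _cstring(data, rva_to_off(val) + 2))
            t += tsize
            val = struct.unpack_from(thunk_fmt, data, t)[0]
        imports[_cstring(data, rva_to_off(name_rva))] = funcs
        off += 20
    return imports

def summarize(imports):
    """Map the imports onto CAPABILITIES; returns {category: sorted matching imports}."""
    hits = {}
    for f in (f for funcs in imports.values() for f in funcs):
        n = normalize(f)
        for cat, names in CAPABILITIES.items():
            if n in names and n not in NOISE:
                hits.setdefault(cat, []).append(f)
    return {c: sorted(v) for c, v in sorted(hits.items())}

def build_sample_pe(imports):
    """Constructed test input: a bare PE32 whose only content is an .idata section."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(imports) + 1)
    body, descs = bytearray(desc_size), b""                                 # descriptor table filled in last
    for dll, funcs in imports.items():
        name_rva = sec_rva + len(body)
        body += dll.encode() + b"\0"
        hints = []
        for f in funcs:
            hints.append(sec_rva + len(body))
            body += b"\0\0" + f.encode() + b"\0"                             # hint WORD + name
        body += b"\0" * (-len(body) % 4)
        thunks = b"".join(struct.pack("<I", h) for h in hints) + b"\0" * 4
        ilt_rva = sec_rva + len(body); body += thunks
        iat_rva = sec_rva + len(body); body += thunks
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva)
    body[:desc_size] = descs + b"\0" * 20
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)    # PE32 magic, 16 data directories
    opt += b"\0" * 8 + struct.pack("<II", sec_rva, desc_size) + b"\0" * 112
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
           + struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0xC0000040))
    return bytes(hdr.ljust(sec_raw, b"\0") + body)

SAMPLE_IMPORTS = {   # constructed to mirror the list above, not copied from the real sample
    "KERNEL32.dll": ["ConnectNamedPipe", "GetProcAddress", "LoadLibraryW", "OpenProcess", "GetTickCount", "CreateFileA"],
    "ADVAPI32.dll": ["CryptAcquireContextA", "AdjustTokenPrivileges"],
    "WS2_32.dll": ["WSAStartup", "gethostbyname", "connect", "send", "recv"],
}
```

Calling summarize(parse_imports(build_sample_pe(SAMPLE_IMPORTS))) yields network, named-pipe, injection, crypto and dynamic-resolution hits and nothing for GetTickCount or CreateFileA; pointing parse_imports() at the bytes of a real file works the same way, with ordinal-only imports reported as "#n". A binary that hides its imports behind GetProcAddress will show little here, which is exactly why the list flags that function too.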

Conclusion:

The ransomware known as Petya has been seen as early as 2016. It has been coupled with FuzzBunch exploits like “EternalBlue” and “EternalRomance” in recent cyber attacks that affected businesses around the world. This proved that many systems were still vulnerable to the SMB vulnerabilities that Microsoft addressed in its MS17-010 security patch.

The Petya variant didn’t accumulate a large sum of funds; the bitcoin wallet currently holds around $10,000 USD. The email address linked to the ransom note, “wowsmith123456@postco.net”, was shut down quickly after the initial attacks. These could be strong indications that the intent of the malicious code was to be disruptive/destructive rather than profitable.

NotPetya also differs from WannaCry in its initial infection dispersal. WannaCry was distributed to a small set of systems, then spread to other systems locally and searched for remote vulnerable systems. The Petya variant, by contrast, was distributed to a number of systems and then spread only through internal networks. This could indicate that this attack was targeted and more focused than the WannaCry ransomware and its copycats.

Check out the Best Practices article on prevention tips: https://westoahu.hawaii.edu/cyber/weekly-executive-summary-for-week-of-june-30-2017/

Sources:

https://securelist.com/schroedingers-petya/78870/ (SecureList)

https://blog.kaspersky.com/new-ransomware-epidemics/17314/ (Kaspersky)

https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html (MalwareTech)

https://www.cybereason.com/blog-petya-like-ransomware-attack-what-you-need-to-know/ (Cybereason)

https://blog.malwarebytes.com/cybercrime/2017/06/petya-esque-ransomware-is-spreading-across-the-world/ (Malwarebytes)

https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/ (Carbon Black)

https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know (Symantec)