Microsoft
has made a definitive link between MEDoc and initial distribution of
the Petya ransomware. Kaspersky Lab, meanwhile, has identified a…
has made a definitive link between MEDoc and initial distribution of
the Petya ransomware. Kaspersky Lab, meanwhile, has identified a…
threatpost.com
Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017
at 10 a.m. Eastern time for a webinar “The Inside Story of the
Petya/ExPetr Ransomware.” Click here to attend.
While Microsoft and others continue to shore up links between yesterday’s global ransomware outbreak
and the update mechanism for Ukrainian financial software provider
MEDoc, others are finding even more distribution vectors used by the
malware.
Kaspersky Lab last night said that a government website for the city
of Bakhmut in Ukraine was compromised and used in a watering hole attack
to spread the malware via a drive-by download.
“To our knowledge no specific exploits were used in order to infect
victims. Instead, visitors were served with a malicious file that was
disguised as a Windows update,” Kaspersky Lab said in a statement. “We
are investigating other leads in terms of distribution and initial
attack vector.”
The ransomware, which shares similarities to the destructive Petya strain
that surfaced in 2016, is also being spread using the leaked NSA
EternalBlue and EternalRomance exploits, infecting machines that still
have not applied the MS17-010
Microsoft update that patches a handful of SMBv1 vulnerabilities
targeted by the exploit. Unlike WannaCry, which had worming capabilities
that allowed it to spread rapidly across the internet, this attack
spreads itself only locally using a pair of Windows utilities, PSEXEC
and WMIC, to do so, allowing it to infect machines patched against the
vulnerabilities exploited by EternalBlue.
Like Petya, this attack overwrites the Master File Table and Master Boot Record on computers it infects. One organization
reports that one unpatched machine was the culprit at its location,
adding that it lost PCs due to a corrupted MBR, while other machines
were showing the ransom note.
Researcher Matt Suiche of Comae Technologies said the malware is more
wiper than ransomware, akin to Shamoon, the wiper malware behind the
attacks on Saudi Arabia’s Aramco oil company. Suiche said this malware
destroys the first 25 sector blocks of a hard disk, and the MBR section
of the disk is purposely overwritten with a new bootloader.
“The ransomware was a lure for the media, this version of Petya
actually wipes the first sectors of the disk like we have seen with
malwares such as Shamoon,” Suiche wrote in an analysis
published today. “The goal of a wiper is to destroy and damage. The
goal of a ransomware is to make money. Different intent. Different
motive. Different narrative.”
Victims, meanwhile, continue to make payments in a futile attempt to
recovery their lost hardware and data. German host Posteo said yesterday
that it shut down the attacker’s email account,
wowsmith123456@posteo.net, which prevents victims from contacting the
entity behind the attack in order to send them their Bitcoin wallet
address and infection ID in order to verify payment of the $300 ransom.
Microsoft, meanwhile, says it has definitively linked MEDoc as an initial infection vector, which MEDoc denied in a Facebook post Tuesday.
“The development team denies this information and argues that such
conclusions are clearly erroneous, because the developer of m.e.doc, as a
responsible supplier of the software, monitors the safety and
cleanliness of its own code,” MEDoc said.
MEDoc, which sells tax accounting software, was identified by
Ukraine’s Cyber Police as the source of the outbreak. Cisco and
Kaspersky Lab also implicated the company, saying that its software
update system had been compromised and was serving up the ransomware in
phony updates.
“We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing
a malicious command-line matching this exact attack pattern on Tuesday,
June 27 around 10:30 a.m. GMT.,” Microsoft said in a Technet blog on Tuesday. Microsoft said that the EzVit.exe process from MEDoc executed the command line: C:\\Windows\\system32\\rundll32.exe\” \”C:\\ProgramData\\perfc.dat\”,#1 30
Below is a representation of the execution chain from Microsoft.
The ransomware, which has been given many names including NotPetya,
ExPetr, PetrWrap, GoldenEye and others, is much more complex than
WannaCry given its ability to move laterally once on a local network.
Microsoft said the ransomware begins by dropping a
credential-stealing tool similar to Mimikatz looking for valid admin or
domain credentials. It then scans subnets looking for open port 445 or
139 connections.
“A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate DCP subnets all hosts on all DHCP subnets before scanning for tcp/139 and tcp/445 services,”
Microsoft said. “If it gets a response, the malware attempts to copy a
binary on the remote machine using regular file-transfer functionalities
with the stolen credentials. It then tries to execute remotely the
malware using either PSEXEC or WMIC tools.”
Another scan looks for admin$ shares before the ransomware copies
itself on the network and executes using PSEXEC in what amounts to
pass-the-hash attacks, Microsoft said.
“In addition to credential dumping, the malware also tries to steal credentials by using the CredEnumerateW function to get all the other user credentials potentially stored on the credential store. If a credential name starts with “TERMSRV/” and
the type is set as 1 (generic) it uses that credential to propagate
through the network,” Microsoft said. “This ransomware also uses the
Windows Management Instrumentation Command-line (WMIC) to find remote
shares (using NetEnum/NetAdd) to spread to. It uses either a
duplicate token of the current user (for existing connections), or a
username/password combination (spreading through legit tools).”
Experts continue to stress the importance of applying the MS17-010
update to unpatched machines, and advise disabling PSEXEC and WMIC on
local networks.
New Petya Distribution Vectors Bubbling to Surface | Threatpost | The first stop for security news
