-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0093.2
A new Ransomware variant with worm like capabilities has infected many
companies in Europe and a couple in the United States.
28 June 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Microsoft Windows
Operating System:     Windows
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-0144 CVE-2017-0199
Member content until: Friday, July 28 2017
Reference:            ASB-2017.0033.2
                      ESB-2017.0661
Revision History:     June 28 2017: Major updates and added Indicators of
                                    Compromise (IoC)
                      June 28 2017: Initial Release
OVERVIEW
A new Ransomware variant with worm like capabilities has infected
many companies in Europe and a couple in the United States.
The media is calling it "Petya" but it is not similar to the Petya
variants seen before. [1]
Cisco's Talos group has given the following additional details on the
propagation methods [6]:
"As part of the propagation process, the malware enumerates all visible
machines on the network via the NetServerEnum and then scans for an open
TCP 139 port. This is done to compile a list of devices that expose this
port and may possibly be susceptible to compromise.
The malware has three mechanisms used to propagate once a device is
infected:
EternalBlue - the same exploit used by WannaCry.
Psexec - a legitimate Windows administration tool.
WMI - Windows Management Instrumentation, a legitimate Windows
component.
These mechanisms are used to attempt installation and execution of
perfc.dat on other devices to spread laterally.
For systems that have not had MS17-010 applied, the EternalBlue exploit
is leveraged to compromise systems. We have written about this
previously in our coverage of WannaCry.
Psexec is used to execute the following instruction (where w.x.y.z is an
IP address) using the current user's windows token to install the
malware on the networked device. Talos is still investigating the
methods in which the "current user's windows token" is retrieved
from the machine.
C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1
WMI is used to execute the following command which performs the same
function as above, but using the current user's username and password
(as username and password). Talos is still investigating how the
credentials are retrieved from the machine at this time.
Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"
IMPACT
According to our colleagues at BI.ZONE-CERT and the Hybrid Analysis
report of the malware sample [2]:
"The malware clears system logs using the following command:
"wevtutil cl Setup & wevtutil cl System & wevtutil cl Security &
wevtutil cl Application & fsutil usn deletejournal /D %c:" to make
further analysis more difficult.
It also writes its code to Hard Drive MBR, initiates system reload and
adds reload commands to Windows planner ("schtasks" and "at"
commands).
After the system is reloaded the malware downloads its code from MBR
and encrypts data on the hard drive (File allocation table is
encrypted, we are currently investigating what else is being encrypted).
If the computer is shut down before the reload, MBR can be
reestablished with "bootrec /FixMbr" command. (in Vista+, for Windows
XP "fixmbr" can be used).
In case the privileges are not high enough to rewrite MBR, the files
are encrypted without a system reload. The list of file types that
are encrypted:
3ds,7z,accdb,ai,asp,aspx,avhd,back,bak,c,cfg,conf,cpp,cs,ctl,dbf,disk,
djvu,doc,docx,dwg,eml,fdb,gz,h,hdd,kdbx,mail,mdb,msg,nrg,ora,ost,ova,
ovf,pdf,php,pmf,ppt,pptx,pst,pvi,py,pyc,rar,rtf,sln,sql,tar,vbox,vbs,
vcb,vdi,vfd,vmc,vmdk,vmsd,vmx,vsdx,vsv,work,xls,xlsx,xvd,zip."
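The command lines quoted from Talos (PsExec and WMI spreading) and from BI.ZONE-CERT (log clearing, USN journal deletion, scheduled reboot) are the most dependable things to hunt for in process-creation telemetry, because they do not change with the sample hash. The PowerShell below is an added example, not code from the AusCERT bulletin or from the Talos or BI.ZONE-CERT reports: it turns those commands into regular expressions, runs them over Security event 4688 or Sysmon event 1 records, and exercises the matcher on constructed sample lines. The indicator names, function names and sample command lines are the example's own, and the scheduled-reboot pattern is an assumption, since the bulletin only says that reboot commands are added with schtasks and at.

```powershell
# Added example (not code from AusCERT, Talos or BI.ZONE-CERT): hunt for the
# propagation and anti-forensic command lines quoted in the bulletin.
# Needs either Security event 4688 with command-line auditing enabled, or Sysmon.

# Indicator name => case-insensitive regex over the full command line. The patterns
# follow the commands quoted above, loosened to match any IP, drive letter or path.
$NyetyaCommandIndicators = [ordered]@{
    'psexec-dllhost.dat'  = '\\dllhost\.dat\s+\\\\\S+\s+-accepteula\s+-s\s+-d\s+.*rundll32\.exe.*perfc\.dat,#1'
    'wmic-process-create' = 'wmic(\.exe)?\s+/node:.*\s+"?process\s+call\s+create\s+.*rundll32\.exe.*perfc\.dat.*#1'
    'rundll32-perfc.dat'  = 'rundll32\.exe\s+.*perfc\.dat.*#1'
    'wevtutil-clear-log'  = 'wevtutil\s+cl\s+(Setup|System|Security|Application)\b'
    'fsutil-delete-usn'   = 'fsutil\s+usn\s+deletejournal\s+/D\s+\w:'
    # Assumption: the bulletin only says reboot commands are scheduled with
    # schtasks/at, so this matches either tool launching shutdown with /r.
    'scheduled-reboot'    = '\b(schtasks|at)(\.exe)?\b.*shutdown(\.exe)?\b.*/r\b'
}

function Test-NyetyaCommandLine {
    # Returns the names of the indicators that match one command line (empty array if none).
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        $hits = @()
        foreach ($entry in $NyetyaCommandIndicators.GetEnumerator()) {
            if ($CommandLine -match $entry.Value) { $hits += $entry.Key }
        }
        ,$hits   # the leading comma keeps an empty or one-element array intact
    }
}

function Find-NyetyaProcessEvents {
    # Scans process-creation events and emits one object per event that matches.
    # 4688 carries CommandLine only if "Include command line in process creation
    # events" is enabled by policy; Sysmon event 1 always includes it.
    [CmdletBinding()]
    param(
        [ValidateSet('Security', 'Sysmon')][string]$Source = 'Security',
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = if ($Source -eq 'Security') {
        @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    } else {
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    }
    foreach ($evt in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['CommandLine']) { continue }
        $hits = Test-NyetyaCommandLine -CommandLine $data['CommandLine']
        if ($hits.Count -eq 0) { continue }
        $user    = if ($Source -eq 'Security') { $data['SubjectUserName'] } else { $data['User'] }
        $process = if ($Source -eq 'Security') { $data['NewProcessName'] } else { $data['Image'] }
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Computer    = $evt.MachineName
            User        = $user
            Process     = $process
            Indicators  = $hits -join ','
            CommandLine = $data['CommandLine']
        }
    }
}

# Constructed sample command lines (not real telemetry): the commands quoted in the
# bulletin with made-up IPs and credentials, plus one benign rundll32 call.
$samples = @(
    'C:\WINDOWS\dllhost.dat \\10.0.0.5 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1'
    'Wbem\wmic.exe /node:"10.0.0.6" /user:"CORP\admin" /password:"Passw0rd" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'
    'cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:'
    'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'
)
foreach ($s in $samples) {
    $hits  = Test-NyetyaCommandLine -CommandLine $s
    $label = if ($hits.Count -gt 0) { $hits -join ',' } else { '(no match)' }
    '{0,-40} {1}' -f $label, $s
}
# Live hunt (the account must be able to read the Security log):
#   Find-NyetyaProcessEvents -Source Security -Since (Get-Date).AddDays(-3) | Format-Table -AutoSize
```

The first two sample lines match both their specific indicator and the generic rundll32/perfc.dat one, the third matches the log-clearing and USN-journal indicators, and the benign line matches nothing. On an infected host the log-clearing command will usually have succeeded before you look, so run the Security-log variant against a central collector (or Sysmon forwarded to it) rather than against the host itself.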
MITIGATION
Most anti-virus vendors now have signatures for this ransomware sample, but
other samples with similar characteristics may not yet be detected reliably. [3]
We recommend applying the MS17-010 (CVE-2017-0144) update to all of your
Windows machines if this has not already been done. [4] Note that the patch
closes only the EternalBlue propagation path; the PsExec and WMI paths
described above use credentials taken from the infected host and will still
work against fully patched machines.
Microsoft has also published guidance on disabling SMBv1, which is an
additional mitigation for the EternalBlue path. [5]
A potential kill switch (unverified by AusCERT) has been found within the
samples: the creation of the file "C:\Windows\perfc". [7]
Additional information shows that the kill switch requires the following:
"Simply, all that is needed are 3 files
(perfc, perfc.dll, and perfc.dat) to already exist on the Windows
machine, under C:\Windows, with READONLY permissions." [8]
We would like to stress that paying the ransom will not result in the
decryption key being handed over.
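The kill switch and the SMBv1 guidance above are per-host changes that an administrator applies on each machine. The PowerShell below is an added example, not code from the AusCERT bulletin, Microsoft or the kill-switch reports: it creates the three read-only files under C:\Windows described in [8], reports whether SMBv1 is enabled using both methods from Microsoft's article [5], and disables it. The function names are the example's own, and it must be run from an elevated prompt.

```powershell
# Added example (not code from AusCERT, Microsoft or the kill-switch reports):
# the host-level mitigations from the bulletin as PowerShell functions. Run elevated.

function Install-PerfcKillSwitch {
    # Creates perfc, perfc.dll and perfc.dat under the Windows directory as empty,
    # read-only files, which is what the reported kill switch [8] requires. Files
    # that already exist are kept; only the read-only attribute is enforced.
    [CmdletBinding()]
    param([string]$WindowsDir = $env:SystemRoot)   # C:\Windows on a standard install
    foreach ($name in 'perfc', 'perfc.dll', 'perfc.dat') {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path | Out-Null
        }
        $item = Get-Item -LiteralPath $path
        $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::ReadOnly
        $item = Get-Item -LiteralPath $path   # re-read so the attributes shown are current
        [pscustomobject]@{ Path = $item.FullName; Bytes = $item.Length; ReadOnly = $item.IsReadOnly }
    }
}

function Get-Smb1State {
    # Reports the SMBv1 server state both ways Microsoft's article [5] describes:
    # the SMB cmdlets (Windows 8 / Server 2012 and later) and the LanmanServer
    # registry value used on Windows 7 / Server 2008 R2 and earlier.
    $state = [ordered]@{}
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state['EnableSMB1Protocol'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    # An absent SMB1 value is the default, which is enabled; 0 means disabled.
    $regValue = if ($null -eq $reg) { 'not set (default: enabled)' } else { $reg.SMB1 }
    $state['LanmanServerSMB1'] = $regValue
    [pscustomobject]$state
}

function Disable-Smb1Server {
    # Disables SMBv1 on the server side per [5]. The cmdlet path takes effect at
    # once; the registry path needs a reboot. Anything that can only speak SMBv1
    # (Windows XP/2003, old NAS boxes and printers) loses access to this host's shares.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) { return }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
    Get-Smb1State
}

# Usage (elevated prompt):
#   Install-PerfcKillSwitch
#   Get-Smb1State
#   Disable-Smb1Server -WhatIf     # drop -WhatIf to apply; reboot if the registry path was used
```

Treat the kill switch as a stopgap: it is unverified, it protects only the host it is applied to, and it does nothing about the credential-based PsExec and WMI paths. Disabling SMBv1 likewise removes only the EternalBlue attack surface and is no substitute for MS17-010; Get-HotFix will show installed updates, but the KB number for MS17-010 differs per Windows version, so check it against [4].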
INDICATORS
The indicators below are in MISP attribute form (category, type, value,
comment). URLs are defanged with [.] and [:]; domains and IP addresses are
listed as-is.
Category            | Type       | Value | Comment
--------------------+------------+-------+--------
Artifacts dropped   | named pipe | {df458642-df8b-4131-b02d-32064a2f4c19} |
Payload delivery    | sha256     | 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f | 64-bit EXE
Payload delivery    | sha256     | eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 | 32-bit EXE
Payload delivery    | sha256     | 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1 | main 32-bit DLL
Payload delivery    | sha256     | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 | main 32-bit DLL; ref: petwrap.exe
Network activity    | ip-dst     | 95.141.115.108 |
Network activity    | domain     | coffeinoffice.xyz |
Network activity    | ip-dst     | 185.165.29.78 |
Network activity    | domain     | french-cooking.com |
Network activity    | domain     | sundanders.online |
Network activity    | ip-dst     | 84.200.16.242 |
Network activity    | ip-dst     | 111.90.139.247 |
Payload delivery    | filename   | dllhost.dat |
Internal reference  | text       | "Initial Information provided by CIRCL.LU" |
Network activity    | url        | http[:]//french-cooking[.]com/myguy[.]exe | ref: myguy.xls
Payload delivery    | filename   | myguy.xls |
Network activity    | url        | http[:]//84[.]200[.]16[.]242/myguy[.]xls | ref: Order-20062017.doc
Payload delivery    | filename   | Order-20062017.doc |
Artifacts dropped   | filename   | myguy[1].hta |
Payload delivery    | sha256     | fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206 | ref: Order-20062017.doc
Payload delivery    | sha256     | ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6 | ref: myguy.xls
Artifacts dropped   | filename   | C:\0487382a4daf8eb9660f1c67e30f8b25.hta | ref: myguy.xls
Payload delivery    | filename   | petwrap.exe | ref: EXE downloaded by the activity of myguy.xls
Artifacts dropped   | filename   | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll | ref: petwrap.exe
External analysis   | link       | https://www.hybrid-analysis.com/sample/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206?environmentId=100 | ref: Order-20062017.doc
Antivirus detection | link       | https://www.virustotal.com/en/file/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206/analysis/ | ref: Order-20062017.doc
External analysis   | link       | https://www.hybrid-analysis.com/sample/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6?environmentId=100 | ref: myguy.xls
Antivirus detection | link       | https://www.virustotal.com/en/file/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6/analysis/ | ref: myguy.xls
External analysis   | link       | https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 | ref: petwrap.exe
Antivirus detection | link       | https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/ | ref: petwrap.exe
Network activity    | url        | http[:]//84[.]200[.]16[.]242/Profoma[.]xls | 2nd stage
Network activity    | url        | http[:]//84[.]200[.]16[.]242/Lucky[.]exe | 2nd stage
REFERENCES
[1] Petya Ransomware Outbreak Goes Global
https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/
[2] petwrap.exe
https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
[3] 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
[4] Microsoft Security Bulletin MS17-010 - Critical
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[5] How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and
Windows Server
https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
[6] Unverified kill switch for WMI pivot
https://twitter.com/0xAmit/status/879778335286452224
[7] PETYA KillSwitch
https://github.com/petermbenjamin/petya-killswitch
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----