Huge "PETYA" Cyber Attack

By Unknown - June 27, 2017

A new Ransomware attack has been detected and is in progress. Few information is available right now ; the investigation is still in progress.

This alert will be updated when further information will be available.

Description

***********

Several information report this ransomware as a variant of Petya and Misha (also known as GoldenEye). The actual main targets are in Ukraine and Russia. Only few sample have been recently detected in France.

There are verified facts:

- it uses EternalBlue as an attack vector (CVE-2017-0143 [3])

- spreading via SMB post-exploitation

Post-exploitation, the ransomware perform the following actions:

* downloads the main binary at hxxp://185[.]165[.]29[.]78/~alex/svchost[.]exe

* clears the windows event log using Wevtutil (wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:)

- writes a message to the raw disk partition

- reboot the system at noon as a logic bomb (schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d ; at %02d:%02d %ws)

- after restarting, a message appears announcing system encryption and asking a Bitcoin $USD 300 ransom

- the binary uses a fake Microsoft digital signature [1]

- the Bitcoin wallet used in this attack [2]

- wowsmth123456[@]posteo.net is the email address used in this attack

Facts that need to be confirmed:

- checking privileges

> if it can runs as admin, it will encrypt MBR

> if not, it will encrypt files

The ransomware attempts to encrypt files that corresponds to the following file extensions:

[.]3ds,[.]7z,[.]accdb,[.]ai,[.]asp,[.]aspx,[.]avhd,[.]back,[.]bak,[.]c,[.]cfg,[.]conf,[.]cpp,[.]cs,[.]ctl,[.]dbf,[.]disk,[.]djvu,[.]doc,[.]docx,[.]dwg,[.]eml,[.]fdb,[.]gz,[.]h,[.]hdd,[.]kdbx,[.]mail,[.]mdb,[.]msg,[.]nrg,[.]ora,[.]ost,[.]ova,[.]ovf,[.]pdf,[.]php,[.]pmf,[.]ppt,[.]pptx,[.]pst,[.]pvi,[.]py,[.]pyc,[.]rar,[.]rtf,[.]sln,[.]sql,[.]tar,[.]vbox,[.]vbs,[.]vcb,[.]vdi,[.]vfd,[.]vmc,[.]vmdk,[.]vmsd,[.]vmx,[.]vsdx,[.]vsv,[.]work,[.]xls,[.]xlsx,[.]xvd,[.]zip,[.]

In order to help detection and identification of this ransomware, here is a non exhaustive list of indicators of compromise (IoC):

* SHA256 hashes

- 8143d7d370015ccebcdaafce3f399156ffdf045ac8bedcc67bdffb1507be0b58

- 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 [4][5][6]

- f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5

- 41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165

- 0a3706fd283a5c87340215ce05e0bdbc958d20d9ca415f6c08ec176f824fb3c0

- eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc

* Files related to this attack

- %WINDIR%\dllhost[.]dat

* Anti-Virus definitions

[CrowdStrike Falcon (ML)] malicious_confidence_67% (D);

[Endgame] malicious (high confidence);

[Ikarus] Win32.Outbreak;

[Kaspersky] UDS:DangerousObject.Multi.Generic;

[ZoneAlarm by Check Point] UDS:DangerousObject.Multi.Generic;

[McAfee] Artemis!71B6A493388E;

[McAfee-GW-Edition] Artemis!Trojan;

[Panda] Trj/CryptoPetya.B;

[Qihoo-360] Trojan.Generic;

[Palo Alto Networks (Known Signatures)] generic.ml;

[Sophos] Mal/Generic-S;

[Tencent] Win32.Trojan.Agent.Ntrp;

[Webroot] W32.Ransomware.Gen;

* YARA Rule

------------YARA RULES

rule IOC_OCD_39B4A617722E3D0B60C27CE107BC4B06

{

author = "Laboratoire Epidemiologique Signal Intelligence Orange Cyberdefense"

ref_IOC = "39B4A617722E3D0B60C27CE107BC4B06"

date_IOC = "27/06/2017 - 16:15:22"

info = "Version 1.0 b"

internal = false

score = 99

risk_score = 10

Classification = 104

Severity = 5

threat = "OCD APT Native Mutagenesis Envelope"

comment = "IOC APT-Sensor"

strings:

$header = {4D 5A ?? ??}

$env1 = {50 45 00 00 4C 01 05 00 5C 28 46 59 00 00 00 00 00 00 00 00 E0 00 02 21 0B 01 0A 00 00 BE 00 00 00 AE 04 00 00 00 00 00 39 7D 00 00 00 10 00 00 00 D0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00}

$env2 = {6A 08 FF 15 C0 D1 00 10 50 FF 15 DC D1 00 10 5D C2 04 00 55 8B EC 83 7D 08 00 74 12 FF 75 08 6A 08 FF 15 C0 D1 00 10 50 FF 15 D4 D1 00 10 5D C2}

$env3 = {0A 25 FF FF 00 00 0D 00 00 07 80 89 45 F0 E9 AD 00 00 00 6A 0A 8D 45 C4 50 FF 75 AC E8 6A 93 00 00 8D 85 9C FE FF FF 83 C4 0C 8D 50 01 8A 08 40}

condition:

$header at 0 and ($env1 at 0xF0 and $env2 at 0x406 and $env3 at 0x553)

}

Impacts

*******

Vulnerables products

********************

No product list has been published. However, regarding previous attacks, we would assume that the following products could be targeted:

Windows XP

Windows Vista

Windows 7

Windows 8

Windows 8.1

Windows 8.1 RT

Windows Server 2003

Windows Server 2008

Windows Server 2008R2

Windows Server 2012

Windows Server 2012R2

Windows Server 2016

Windows Server Core

Windows Embedded Standard 2009

Windows Embedded POSReady 2009

There is no evidence that Windows 10 is targeted.

Solution

*********

There is no confirmed operating mode. We recommends you to perform the following actions:

- filter inbound connections on ports TCP 445 and 139 coming from untrusted networks

- completely disable SMBv1 support (deprecated) [4]

- new signatures files for antivirus products are available or will be available soon. It is necessary to update urgently the antivirus.

- detect/blacklist all incoming emails from wowsmth123456[@]posteo.net

- detect all upcoming emails to wowsmth123456[@]posteo.net

[1] https://twitter[.]com/craiu/status/879690795946827776

[2] https://blockchain[.]info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Comments

Huge "PETYA" Cyber Attack

A new Ransomware attack has been detected and is in progress. Few information is available right now ; the investigation is still in progress.

This alert will be updated when further information will be available.

Description

***********

Several information report this ransomware as a variant of Petya and Misha (also known as GoldenEye). The actual main targets are in Ukraine and Russia. Only few sample have been recently detected in France.

There are verified facts:

- it uses EternalBlue as an attack vector (CVE-2017-0143 [3])

- spreading via SMB post-exploitation

Post-exploitation, the ransomware perform the following actions:

* downloads the main binary at hxxp://185[.]165[.]29[.]78/~alex/svchost[.]exe

* clears the windows event log using Wevtutil (wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:)

- writes a message to the raw disk partition

- reboot the system at noon as a logic bomb (schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d ; at %02d:%02d %ws)

- after restarting, a message appears announcing system encryption and asking a Bitcoin $USD 300 ransom

- the binary uses a fake Microsoft digital signature [1]

- the Bitcoin wallet used in this attack [2]

- wowsmth123456[@]posteo.net is the email address used in this attack

Facts that need to be confirmed:

- checking privileges

> if it can runs as admin, it will encrypt MBR

> if not, it will encrypt files

The ransomware attempts to encrypt files that corresponds to the following file extensions:

In order to help detection and identification of this ransomware, here is a non exhaustive list of indicators of compromise (IoC):

* SHA256 hashes

- 8143d7d370015ccebcdaafce3f399156ffdf045ac8bedcc67bdffb1507be0b58

- 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 [4][5][6]

- f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5

- 41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165

- 0a3706fd283a5c87340215ce05e0bdbc958d20d9ca415f6c08ec176f824fb3c0

- eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc

* Files related to this attack

- %WINDIR%\dllhost[.]dat

* Anti-Virus definitions

[CrowdStrike Falcon (ML)] malicious_confidence_67% (D);

[Endgame] malicious (high confidence);

[Ikarus] Win32.Outbreak;

[Kaspersky] UDS:DangerousObject.Multi.Generic;

[ZoneAlarm by Check Point] UDS:DangerousObject.Multi.Generic;

[McAfee] Artemis!71B6A493388E;

[McAfee-GW-Edition] Artemis!Trojan;

[Panda] Trj/CryptoPetya.B;

[Qihoo-360] Trojan.Generic;

[Palo Alto Networks (Known Signatures)] generic.ml;

[Sophos] Mal/Generic-S;

[Tencent] Win32.Trojan.Agent.Ntrp;

[Webroot] W32.Ransomware.Gen;

* YARA Rule

------------YARA RULES

rule IOC_OCD_39B4A617722E3D0B60C27CE107BC4B06

{

meta:

author = "Laboratoire Epidemiologique Signal Intelligence Orange Cyberdefense"

ref_IOC = "39B4A617722E3D0B60C27CE107BC4B06"

date_IOC = "27/06/2017 - 16:15:22"

info = "Version 1.0 b"

internal = false

score = 99

risk_score = 10

Classification = 104

Severity = 5

threat = "OCD APT Native Mutagenesis Envelope"

comment = "IOC APT-Sensor"

strings:

$header = {4D 5A ?? ??}

$env1 = {50 45 00 00 4C 01 05 00 5C 28 46 59 00 00 00 00 00 00 00 00 E0 00 02 21 0B 01 0A 00 00 BE 00 00 00 AE 04 00 00 00 00 00 39 7D 00 00 00 10 00 00 00 D0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00}

$env2 = {6A 08 FF 15 C0 D1 00 10 50 FF 15 DC D1 00 10 5D C2 04 00 55 8B EC 83 7D 08 00 74 12 FF 75 08 6A 08 FF 15 C0 D1 00 10 50 FF 15 D4 D1 00 10 5D C2}

$env3 = {0A 25 FF FF 00 00 0D 00 00 07 80 89 45 F0 E9 AD 00 00 00 6A 0A 8D 45 C4 50 FF 75 AC E8 6A 93 00 00 8D 85 9C FE FF FF 83 C4 0C 8D 50 01 8A 08 40}

condition:

$header at 0 and ($env1 at 0xF0 and $env2 at 0x406 and $env3 at 0x553)

}

Impacts

*******

Vulnerables products

********************

No product list has been published. However, regarding previous attacks, we would assume that the following products could be targeted:

Windows XP

Windows Vista

Windows 7

Windows 8