ESET longitudinal study: TeleBots and Petya

ESET publishes new findings on the possible origin of the mass outbreak of the Petya ransomware variant.

According to the results of a longitudinal study, many of the campaigns conducted by the TeleBots cybercriminal group in Ukraine, as well as some elements of their constantly evolving toolset used in attacks between December 2016 and March 2017, resemble the Diskcoder.C (also known as Petya) outbreak recorded on June 27, 2017.

"The correspondence with the 2016 attack on financial institutions, and the subsequent development of malicious KillDisk software for Linux used by the TeleBots team, are strong indications. These indications, coupled with the growing attacks on computer systems in Ukraine, deserve a closer look at the TeleBots team," said Anton Cherepanov, Senior Malware Researcher at ESET.

How it works: the TeleBots group has consistently relied on KillDisk to overwrite files with specific extensions on victims' disks. There was no way for the victim to contact the person behind the attack, although an image from the TV series Mr. Robot was displayed. Consequently, the attack was unlikely to be aimed at extorting payment, since the files were not encrypted but overwritten. While subsequent attacks added encryption, contact information and other ransomware features, the incidents still did not amount to genuine ransomware operations.

From January to March 2017, the TeleBots group compromised a software company in Ukraine and, using VPN tunnels, gained access to the networks of several financial institutions, revealing an expanded arsenal of Python-based tools. In the later stages of this campaign, ransomware was spread using stolen Windows credentials and the PsExec tool from the Sysinternals suite. ESET detects this new ransomware as Win32/Filecoder.NKH. A Linux ransomware followed, detected as Python/Filecoder.R, which, as the name suggests, was written in Python.

The TeleBots group then proceeded to spread Win32/Filecoder.AESNI.C (aka XData) on May 18, 2017. It spread primarily in Ukraine through an update to M.E.Doc, accounting software widely used in the country. According to ESET LiveGrid®, the malware was created immediately after the software update ran, enabling automatic lateral movement within the compromised LAN. ESET has published a decryption tool for Win32/Filecoder.AESNI.

However, on June 27, a massive outbreak of a Petya-like malware (Diskcoder.C), which compromised many critical infrastructure and business systems in Ukraine and worldwide, appeared with the ability to replace the Master Boot Record (MBR) with its own malicious code, borrowed from the Win32/Diskcoder.Petya ransomware.

The creators of Diskcoder.C modified the MBR code so that recovery is not possible, and the payment instructions that appear are, as we now know, useless. From a technical standpoint there are several improvements. Essentially, once the malware executes, it attempts to spread using the notorious EternalBlue exploit, taking advantage of the kernel-mode DoublePulsar backdoor. This is exactly the same method used by the WannaCry ransomware.

The malware can also spread in the same way as the Win32/Filecoder.AESNI.C ransomware (aka XData), using a lightweight version of Mimikatz to obtain passwords and then running the malicious software with the PsExec tool from the Sysinternals suite. In addition, the attackers used a third propagation method, via WMI.

All three methods were used to spread the malware within LANs. However, unlike WannaCry, Diskcoder.C uses the EternalBlue exploit only against computers within the local network address space.
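The credential-based propagation methods above leave a characteristic trace on the target host: PsExec installs a PSEXESVC service on the remote machine, and a process launched over WMI runs as a child of WmiPrvSE.exe. The Python script below is an added example, not ESET's code or the attackers' tooling. It flags those two traces over constructed Windows event records, groups the hits by source address so that one source reaching many hosts stands out, and checks whether the source lies in an assumed LAN range (10.0.0.0/8 and 192.168.0.0/16 here), reflecting the article's point that the worm spreads only within the local address space. The records, host names, addresses and the payload file name are constructed; the Windows event IDs 7045 (service installed) and 4688 (process creation) are real.

```python
"""Detect PsExec- and WMI-style lateral movement from Windows event records.

Added example for this article; not ESET's code or the malware's.
Event IDs 7045 (service installed) and 4688 (process created) are real
Windows IDs. All records, hosts and addresses below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Event:
    host: str       # host that logged the event
    event_id: int   # 7045 = service installed, 4688 = process created
    image: str      # service binary (7045) or created process image (4688)
    parent: str     # parent process image ("" for service-install events)
    cmdline: str    # command line as logged
    src_ip: str     # network logon source tied to the event ("" if local)


# Constructed sample telemetry: one internal source fans out to three hosts,
# one external source touches a single host, one event is benign.
SAMPLE_EVENTS = [
    Event("ws01", 7045, "PSEXESVC.exe", "", r"C:\Windows\PSEXESVC.exe", "10.0.0.5"),
    Event("ws02", 4688, "rundll32.exe", "WmiPrvSE.exe",
          r"rundll32.exe C:\Windows\payload.dll,#1", "10.0.0.5"),  # constructed name
    Event("ws03", 4688, "rundll32.exe", "WmiPrvSE.exe",
          r"rundll32.exe C:\Windows\payload.dll,#1", "10.0.0.5"),
    Event("ws03", 4688, "notepad.exe", "explorer.exe", "notepad.exe", ""),
    Event("ws04", 4688, "cmd.exe", "WmiPrvSE.exe", "cmd.exe /c whoami", "203.0.113.7"),
]

# Assumed organisation LAN ranges (an assumption for this example).
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def classify(ev: Event) -> Optional[str]:
    """Return the lateral-movement technique an event indicates, or None.

    PsExec: the Service Control Manager logs a PSEXESVC service install.
    WMI:    a remotely created process has WmiPrvSE.exe as its parent.
    """
    if ev.event_id == 7045 and ev.image.lower().startswith("psexesvc"):
        return "psexec"
    if ev.event_id == 4688 and ev.parent.lower() == "wmiprvse.exe":
        return "wmi"
    return None


def is_internal(addr: str, local_nets) -> bool:
    """True if addr belongs to one of the assumed LAN ranges."""
    if not addr:
        return False
    ip = ip_address(addr)
    return any(ip in net for net in local_nets)


def find_fan_out(events, local_nets, min_hosts=2):
    """Group technique hits by source address and report every source that
    reached at least min_hosts distinct targets. Each finding lists the
    targets, the techniques seen and whether the source is inside the LAN."""
    targets = defaultdict(set)
    techniques = defaultdict(set)
    for ev in events:
        tech = classify(ev)
        if tech is None or not ev.src_ip:
            continue
        targets[ev.src_ip].add(ev.host)
        techniques[ev.src_ip].add(tech)
    findings = []
    for src, hosts in targets.items():
        if len(hosts) >= min_hosts:
            findings.append({
                "source": src,
                "hosts": sorted(hosts),
                "techniques": sorted(techniques[src]),
                "internal": is_internal(src, local_nets),
            })
    return sorted(findings, key=lambda f: f["source"])


if __name__ == "__main__":
    for finding in find_fan_out(SAMPLE_EVENTS, LOCAL_NETS):
        print(finding)
```

With the sample records, only 10.0.0.5 is reported: it reached ws01 by PsExec and ws02 and ws03 by WMI, and it sits inside the assumed LAN. The external address 203.0.113.7 touched a single host and falls under the fan-out threshold; lowering `min_hosts` to 1 surfaces it as a separate, external-origin finding, which is the distinction worth keeping given that Diskcoder.C only worms across the local address space.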

The link between the TeleBots group and this activity also helps explain the occurrence of cases in other countries, beyond the usual focus on Ukraine. We have identified VPN connections between M.E.Doc users, their customers and their partners worldwide. In addition, M.E.Doc has an internal messaging and document exchange system, so the attackers could send spearphishing messages to the victims. The cybercriminals also had access to the server that distributed the legitimate software updates, which they used to push malicious updates that were executed automatically without users choosing to install them.

"Having penetrated so deeply into the infrastructure of M.E.Doc and its clientele, the attackers had significant resources at their disposal to spread Diskcoder.C. Despite some 'collateral casualties', the attack showed that they had a deep understanding of the resources at their disposal. In addition, the addition of the EternalBlue exploit has added a unique dimension that the cybersecurity community will increasingly encounter," said Senior ESET Malware Researcher Anton Cherepanov.

iGuRu.gr

Written by Dimitris
