Petya and Mischa - the Ransomware Twins (sort of)
Dr. Peter Stephenson
These two malwares have been much in the news over the past week or so. The Kaspersky blog for May 18 has a bit to say about them and Bleeping Computer has a pretty good workup on May 12, so it seems appropriate that we should take a closer look.
We'll start with Petya. MalwareBytes blog has a good analysis.
Petya may be delivered in spam as an attached file, often a PDF with presumed job applications. Alternatively, the spam has a redirect link to a Dropbox account that contains the job applicant's "resume". The thing about Petya is that it makes the entire disk useless unless you recover it. You even need to go to another computer to get your instructions and upload your ransom. It works in two stages: encrypt the MBR and then the rest of the disk. If just the MBR is encrypted you're potentially out of the woods. Just mount the disk and fix the MBR and you should be OK... by "fix" I mean "replace".
In the first stage Petya drops a malicious file that starts things rolling. After a reboot stage 2 kicks in and then it's all she wrote.... you have a serious problem on your hands. An important point is that Petya needs to execute as root/admin... make sure that your users do not have superuser rights and you can go a long way towards protecting yourself at this stage.
The main executable is a PE32 Windows executable with a file length of 230,912 bytes. The sample we analyzed - using https://malwr.com - was the same one that MalwareBytes looked at with MD5 hash af2379cc4d607a45ac44d62135fb7015. Malwr.com uses a Cuckoo sandbox for analysis and I highly recommend that you go out to the site and sign up - it's free - and take advantage of its excellent resources.
We also consulted the AlienVault OTX for more information. There we found two additional samples with MD5 hashes f636b3471c9fda3686735223dbb0b2bd and a2d6887d8a7b09b86a917a5c61674ab4. Doing a static analysis of these three samples we find that a string of GoogleCrashHandler_unsigned.pdb is present in two (the one ending in b4 and the one ending in 15) while the sample ending in bd has a string Uninstaller.pdb. This, plus the registry keys below, forms a pretty good analysis of the sample as Petya,
The executable does not attempt to contact any other site - I wouldn't expect it to given its purpose - and it writes some registry keys:
- HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\SOFTWARE\Microsoft\Cryptography\Providers\Type 001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
One important point: the entire disk is not encrypted. Many important files are and the MBR is, but you still can do a forensic analysis of the disk.
The malware uses C:\WINDOWS\system32\rsaenh.dll - the Microsoft Enhanced Cryptographic Provider Library. A basic description that dates to 2008 (Windows XP) is available from NIST at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp989.pdf. This is the library that supports Petya's AES encryption. A more current description is at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1894.pdf.
If you're up for a nice deep dive into Petya, I suggest the MalwareBytes blog posting. Nice reversing work by Hasherezade.
So, with all of this in mind, some forensic analysis can help you pinpoint when the drive was infected (by looking at the Created and Modified metadata for the Registry keys and the same for the strings which are files for which you can search. Once you know the exact infection time you can cross-check with monitoring tools such as WebSense or whatever else you happen to use. The OTX link for Petya IOCs is https://otx.alienvault.com/pulse/56f5484a67db8c7e7162d00f/.
Now, on to Mischa.
The latest on Mischa - a fairly new ransomware - is that it often is delivered with Petya. The reason is that Petya needs superuser rights or it cannot encrypt the MBR. If it cannot do that, it's dead in the water. Enter Mischa to save (ruin, depending upon your perspective) the day! Mischa really is straightforward ransomware.
We submitted ND5 hash b47c5585e705fd7ee500ffd27c506939 to malwr.com and downloaded the binary. Then we submitted the binary to VirusTotal. The executable in the sample we looked at had multiple names including AutoHotKey, PDF-Mappe and PDFMappe plus a few variations on these. It is a PE32 executable for Windows. Our sample had a time stamp of 2016:03:27 02:16:25+01:00. AlienVault OTX has a pretty good list of IOCs but the mostly are file hashes. Because this is a fairly new ransomware there really is not a lot of detail on its internals yet. The best so far is at malwr.com.
We'll watch this one carefully. I'm waiting for someone to do a good analysis of it. Failing that I'll dig a bit deeper into the bug.
Before we get to the new malicious domain list, I will be conducting a full day threat hunting workshop at the New York State Cyber Security Conference and Symposium on June 7. It's in Albany, NY so if you're in the neighborhood and are interested, sign up. The web site is https://www.its.ny.gov/eiso/19th-annual-cyber-security-conference.
Now the malicious domains for this time.
Figure 1 - New Malicious Domains From the Malware Domain List
So… until next time….
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – focused on the technical, all interesting stories and definitely on target.