There is nothing remotely new in Petyawrap. I think any decent developer and IT admin could have teamed up and put together something like Petyawrap in a week or two. It used existing vulnerabilities, exploits and tools to pull off what’s looking to be a slow, but very long campaign. Why are we calling it Petyawrap? Mainly because it is significantly different from the malware originally coined Petya, and shouldn’t be confused with it. It’s also being called GoldenEye, Petrwrap, Misha (also related) and the phonetic variations Pnyetya and Nyetya (used by Talos).
Unlike the average enterprise PC, Petyawrap has been designed to be resilient and persistent in the pursuit of its goals. Really, the only part where the designers of Petyawrap messed up is the part where they get paid. This is the kind of malware we consultants or admins could continue running into a year or two from now.
Unless we wake up and start making some common-sense changes to our systems to disrupt malware. The truth is, malware is fragile and blind to how we set up our systems and networks. The bad guys are betting we’ll have 99% of the defaults in place. Unfortunately, they’re right a lot of the time. I’ve counted at least a dozen things we could do to rob Petyawrap of success without disrupting users, applications or workflows.
So far, I’m seeing the usual vitriol and shaming in social media. “These people, still running XP! Why don’t they just patch? Why don’t they get rid of XP/7?”
Petyawrap has been confirmed to work on Windows XP. It runs on Windows 10. It will exploit missing patches. It can also infect fully patched systems. Forget about relying on a particular version of Windows or patch level to protect you from this malware.
InfoSec Community: “If they just patched, this wouldn’t be an issue!”
Ukrainian IT Admins: “The malware literally came in as a patch.”
Two infection vectors have been reported. In the first, Petyawrap was delivered by hijacking the update mechanism of a popular commercial software application. That application, MeDoc, is accounting software that appears to be broadly used within the Ukrainian government, much of which had to disconnect from the Internet for cleanup on Tuesday (6/27).
Delivering malware via a software updater is a bit of a holy grail, as it gives the bad guys a trusted delivery system designed to push out new software as fast as possible. So you patched? Good for you, but Petyawrap don’t care. It will infect you through a trusted software vendor.
The other infection vector is said to be email phishing. In this scenario, it used CVE-2017-0199 to execute PowerShell via fake Office documents. The PowerShell then downloads and executes the binary malware (the payload).
The ransomware piece attempts to replace the master boot record (MBR). Bad news: you can’t boot without it. Good news: it’s a lot easier to fix than trying to recover encrypted files. It also means you don’t get ransomed until the computer restarts. Conveniently, the malware authors thought about that: the malware creates a scheduled job to reboot the system one hour after the initial infection. Killing the scheduled job, or powering off the system, will buy a defender some time.
The payload does a good job of disrupting businesses it infects. It does a terrible job of making its authors any money. A single email address and bitcoin wallet were set up to extort victims. Currently, that wallet has a little more than $9000 in it, and will likely never be cashed out by the attackers. Did they ever intend to? I doubt it. Petyawrap don’t care… about getting paid?
Petyawrap has no less than three ways to spread itself to other systems. This is probably the most dangerous part of this thing, and is where you should really pay attention.
The most familiar vector is the same one used by Wannacry. Petyawrap goes after the same SMBv1 vulnerability (CVE-2017-0144). However, instead of using ETERNALBLUE copypasta, the authors took the time to rewrite the exploit. To build a list of targets, it runs an ARP scan of the local subnet.
Let’s say you’ve patched, however. Patches were released for both vulnerabilities used by this malware months ago. Petyawrap don’t care — it will just steal your passwords and use admin-approved tools to take over your systems.
Petyawrap will also enumerate all systems in attached domains to use as a list of systems to exploit (the equivalent of net view /domain:companyname for my fellow ‘old folks’ out there), which, in most cases, should return a whole lot more systems than an ARP scan. The malware will then attempt to use WMIC (Windows Management Instrumentation Command-line) or the Microsoft Sysinternals tool psexec to spread itself to other systems.
Hold on — it needs to authenticate to use WMIC or psexec, right? To acquire credentials, Petyawrap runs LSADump and attempts to use local administrator credentials to infect all adjacent systems. It appears to attempt to do this through the Admin$ share.
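To make the spreading behaviour in this section and the scheduled reboot described earlier something you can actually look for, here is an added example (not code from the original post) that scans process-creation events for a scheduled forced reboot, WMIC remote process creation, psexec pushes and writes to an Admin$ share. The event format, host names, account names and file paths are all constructed assumptions; map the fields onto your own Sysmon or 4688 data.

```python
# Added example, not code from the original post: flag the delayed-reboot task and the
# WMIC / psexec / Admin$ spreading described above in process-creation events. The log
# format and every sample value below are constructed: host=<name> user=<user> image=<exe> cmd=<command line>
import re

SAMPLE_EVENTS = [  # four suspicious lines from WS01, one benign admin line from WS05
    r'host=WS01 user=SYSTEM image=C:\Windows\System32\schtasks.exe '
    r'cmd=schtasks /Create /SC once /TN "" /TR "C:\Windows\System32\shutdown.exe /r /f" /ST 15:10',
    r'host=WS01 user=CORP\svc_admin image=C:\Windows\System32\wbem\wmic.exe '
    r'cmd=wmic /node:"WS02" /user:"CORP\svc_admin" /password:"<redacted>" process call create "C:\Windows\Temp\payload.exe"',
    r'host=WS01 user=CORP\svc_admin image=C:\Tools\psexec.exe '
    r'cmd=psexec \\WS03 -accepteula -s -d -u CORP\svc_admin -p <redacted> C:\Windows\Temp\payload.exe',
    r'host=WS01 user=CORP\svc_admin image=C:\Windows\System32\cmd.exe '
    r'cmd=cmd /c copy C:\Windows\Temp\payload.exe \\WS03\admin$\payload.exe',
    r'host=WS05 user=CORP\jdoe image=C:\Windows\System32\schtasks.exe '
    r'cmd=schtasks /Create /SC daily /TN Backup /TR "C:\Scripts\backup.bat" /ST 02:00',
]
FIELD_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)")

def parse_event(line: str) -> dict:
    m = FIELD_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()

def red_flags(event: dict) -> list:
    """Names of the red flags one process-creation event matches (empty if none)."""
    image, cmd, flags = event["image"].lower(), event["cmd"].lower(), []
    # A scheduled task whose action is a forced reboot: the job that fires an hour after infection.
    if image.endswith("schtasks.exe") and "/create" in cmd and re.search(r'shutdown(\.exe)?\s[^"]*/r\b', cmd):
        flags.append("scheduled_forced_reboot")
    # WMIC creating a process on a remote node, with credentials passed on the command line.
    if image.endswith("wmic.exe") and "/node:" in cmd and "process call create" in cmd:
        flags.append("wmic_remote_exec")
    # psexec pushing a binary to another host.
    if image.endswith("psexec.exe") and re.search(r"\\\\\S+", cmd):
        flags.append("psexec_remote_exec")
    # Anything written to a remote Admin$ share.
    if re.search(r"\\\\[^\\\s]+\\admin\$", cmd):
        flags.append("admin_share_write")
    return flags

def scan(lines: list) -> dict:
    """Host -> set of distinct red flags seen on it (hosts with none are omitted)."""
    hits: dict = {}
    for ev in map(parse_event, lines):
        for flag in red_flags(ev):
            hits.setdefault(ev["host"], set()).add(flag)
    return hits
```

A single host showing two or more of these flags within the same hour, particularly a forced-reboot task created under SYSTEM, is worth treating as an active infection rather than an admin at work.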
Petyawrap started out specifically targeting Ukrainians. As with most breaking stories, a *lot* of misinformation is spread very quickly.
Q: How does it spread?
A: Initial reports pointed to phishing, but the real story is that it used the update mechanism of a commercial accounting application called MeDoc, one of two accounting packages approved for tax use in Ukraine.
Q: How much is the ransom?
A: It doesn’t matter; paying it nets you nothing. The email account the attackers were using ([email protected]) was quickly disabled.
Q: Is there a kill switch like Wannacry?
A: No, there isn’t, and there won’t be. There are ways to mitigate the malware through its behavior, but no single kill switch that neuters all copies of the malware in real time.
In most cases, any one of these mitigations or recommendations will stop most malware (including Petyawrap) before it can even get started.
Monitor for the following ‘red flags’