S0606 Bad Rabbit
Bad Rabbit is self-propagating ransomware that affected the Ukrainian transportation sector in 2017. It has also targeted organizations and consumers in Russia.[2][1][3]
Item | Value |
---|---|
ID | S0606 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 09 February 2021 |
Last Modified | 12 October 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Bad Rabbit has attempted to bypass UAC to gain elevated administrative privileges.[2] |
enterprise | T1110 | Brute Force | - |
enterprise | T1110.003 | Password Spraying | Bad Rabbit's infpub.dat uses a built-in list of NTLM credentials (usernames and passwords) to attempt logons to other Windows machines on the network.[2] |
enterprise | T1486 | Data Encrypted for Impact | Bad Rabbit has encrypted files and disks, using AES-128-CBC for the data and RSA-2048 to protect the AES key.[2] |
enterprise | T1189 | Drive-by Compromise | Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or into a .js file.[1][2] |
enterprise | T1210 | Exploitation of Remote Services | Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks.[2] |
enterprise | T1495 | Firmware Corruption | Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[2] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.[1][2] |
enterprise | T1106 | Native API | Bad Rabbit has used various Windows API calls.[1] |
enterprise | T1135 | Network Share Discovery | Bad Rabbit enumerates open SMB shares on internal victim networks.[1] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine.[1] |
enterprise | T1057 | Process Discovery | Bad Rabbit can enumerate all running processes and compare hashes of their names against a built-in list (a check for installed security software).[2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Bad Rabbit's infpub.dat creates a scheduled task to launch a malicious executable.[2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | Bad Rabbit has used rundll32 to launch a malicious DLL dropped as C:\Windows\infpub.dat.[2] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Bad Rabbit drops a file named infpub.dat into the Windows directory; it is executed through the Service Control Manager (SCManager) and rundll32.exe. |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Bad Rabbit has been executed through user installation of an executable disguised as a Flash installer.[1][2] |
ics | T0817 | Drive-by Compromise | Bad Rabbit ransomware spreads through drive-by attacks in which insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure.[5] |
ics | T0866 | Exploitation of Remote Services | Bad Rabbit initially infected IT networks but, by means of an exploit (the SMBv1 vulnerability addressed by MS17-010), spread to industrial networks.[4] |
ics | T0867 | Lateral Tool Transfer | Bad Rabbit can move laterally through industrial networks by means of the SMB service.[4] |
ics | T0828 | Loss of Productivity and Revenue | Several transportation organizations in Ukraine have suffered from Bad Rabbit infections, resulting in some computers becoming encrypted, according to media reports.[6] |
ics | T0863 | User Execution | Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened it begins locking the infected computer.[5] |
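The execution chain in the table above (a fake Flash installer run by the user, rundll32 loading C:\Windows\infpub.dat, a scheduled task created from that process, service execution via the SCM, and NTLM password spraying across the network) lends itself to host-based detection. The following Python is an added example, not code from MITRE or from the vendors cited on this page. It runs simple rules over constructed Sysmon-style process-creation events and Windows Security logon-failure events written in a key=value form; the field names follow Sysmon/Security naming, but the line format, the list of user-facing parent processes, the hypothetical scheduled-task payload name and the spray threshold are assumptions.

```python
"""Host-based detection rules for the Bad Rabbit execution chain.

Added example; not MITRE's code and not from the cited vendors. Sample events
below are constructed for this example in a simplified key=value form that
borrows Sysmon (EventID 1) and Windows Security (EventID 4625) field names.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Raw strings keep the backslashes.
SAMPLE_LOGS = [
    # T1204.002: user runs the fake Flash installer from a browser download
    r'EventID=1 Image=C:\Users\victim\Downloads\install_flash_player.exe '
    r'ParentImage=C:\Windows\explorer.exe CommandLine="install_flash_player.exe"',
    # T1218.011: the installer launches rundll32 on the dropped infpub.dat
    r'EventID=1 Image=C:\Windows\System32\rundll32.exe '
    r'ParentImage=C:\Users\victim\Downloads\install_flash_player.exe '
    r'CommandLine="C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1"',
    # T1053.005: infpub.dat (hosted in rundll32) schedules a further executable;
    # "payload.exe" is a hypothetical name, not the real dropped file
    r'EventID=1 Image=C:\Windows\System32\schtasks.exe '
    r'ParentImage=C:\Windows\System32\rundll32.exe '
    r'CommandLine="schtasks /Create /SC once /TN task1 /TR C:\Windows\payload.exe"',
    # T1569.002: on a laterally reached host the SCM starts rundll32 on infpub.dat
    r'EventID=1 Image=C:\Windows\System32\rundll32.exe '
    r'ParentImage=C:\Windows\System32\services.exe '
    r'CommandLine="C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1"',
    # benign: an interactive user invoking rundll32 for something unrelated
    r'EventID=1 Image=C:\Windows\System32\rundll32.exe '
    r'ParentImage=C:\Windows\explorer.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
]
# T1110.003: one source spraying NTLM network logons across many accounts, plus a
# single ordinary failed logon from another host that must not be flagged.
SAMPLE_LOGS += [
    f'EventID=4625 LogonType=3 AuthenticationPackageName=NTLM '
    f'TargetUserName={user} IpAddress=10.0.0.5'
    for user in ('Administrator', 'admin', 'user', 'guest', 'backup', 'ftp')
]
SAMPLE_LOGS.append('EventID=4625 LogonType=3 AuthenticationPackageName=NTLM '
                   'TargetUserName=bob IpAddress=10.0.0.9')

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
USER_LAUNCHERS = {'explorer.exe', 'chrome.exe', 'firefox.exe', 'iexplore.exe'}  # assumed list


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit('\\', 1)[-1].lower()


def detect_process_events(events):
    """Return (technique, description) findings for process-creation events."""
    findings = []
    for e in events:
        if e.get('EventID') != '1':
            continue
        image = basename(e.get('Image', ''))
        parent = basename(e.get('ParentImage', ''))
        cmdline = e.get('CommandLine', '').lower()
        if image == 'install_flash_player.exe' and parent in USER_LAUNCHERS:
            findings.append(('T1204.002', 'user ran install_flash_player.exe (fake Flash installer)'))
        if image == 'rundll32.exe' and 'infpub.dat' in cmdline:
            findings.append(('T1218.011', 'rundll32 loaded infpub.dat from the Windows directory'))
            if parent == 'services.exe':
                findings.append(('T1569.002', 'infpub.dat started as a service via the SCM'))
        if image == 'schtasks.exe' and '/create' in cmdline and parent == 'rundll32.exe':
            findings.append(('T1053.005', 'rundll32-hosted DLL created a scheduled task'))
    return findings


def detect_password_spray(events, min_accounts=5):
    """T1110.003: one source failing NTLM network logons against many accounts.

    A spray tries a few passwords against many users, so the signal is the
    number of distinct target accounts per source, not the raw failure count.
    min_accounts is an assumed threshold; tune it to the environment.
    """
    accounts_by_source = defaultdict(set)
    for e in events:
        if (e.get('EventID') == '4625' and e.get('LogonType') == '3'
                and e.get('AuthenticationPackageName', '').upper() == 'NTLM'):
            accounts_by_source[e.get('IpAddress', '?')].add(e.get('TargetUserName', '').lower())
    return {src: sorted(users) for src, users in accounts_by_source.items()
            if len(users) >= min_accounts}


def run_detections(lines):
    """Parse raw lines and run both rule sets."""
    events = [parse_event(line) for line in lines]
    return {'process': detect_process_events(events),
            'spray': detect_password_spray(events)}


if __name__ == '__main__':
    result = run_detections(SAMPLE_LOGS)
    for technique, detail in result['process']:
        print(technique, detail)
    for src, users in result['spray'].items():
        print('T1110.003', src, 'sprayed', len(users), 'accounts')
```

The benign rundll32 line is included deliberately: keying on the image name alone would fire on routine Control Panel launches, so the rule requires infpub.dat on the command line and uses the parent (services.exe versus a user-facing process) to separate SCM-driven service execution on a laterally reached host from the initial user-run installer.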
Groups That Use This Software
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | [7] |
References
1. M.Léveillé, M-E. (2017, October 24). Bad Rabbit: Not-Petya is back with improved ransomware. Retrieved January 28, 2021.
2. Mamedov, O., Sinitsyn, F., Ivanov, A. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
3. Slowik, J. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.
4. Slowik, J. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.
5. Mamedov, O., Sinitsyn, F., Ivanov, A. (2017, October 27). Bad Rabbit Ransomware. Retrieved October 27, 2019.
6. M.Léveillé, M-E. (2017, October 24). Bad Rabbit: Not-Petya is back with improved ransomware. Retrieved October 27, 2019.
7. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.