S0606 Bad Rabbit
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]
Item | Value |
---|---|
ID | S0606 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 09 February 2021 |
Last Modified | 17 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges. [1] |
enterprise | T1110 | Brute Force | - |
enterprise | T1110.003 | Password Spraying | Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines. [1] |
enterprise | T1486 | Data Encrypted for Impact | Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048. [1] |
enterprise | T1189 | Drive-by Compromise | Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a .js file. [2][1] |
enterprise | T1210 | Exploitation of Remote Services | Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks. [1] |
enterprise | T1495 | Firmware Corruption | Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up. [1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe. [2][1] |
enterprise | T1106 | Native API | Bad Rabbit has used various Windows API calls. [2] |
enterprise | T1135 | Network Share Discovery | Bad Rabbit enumerates open SMB shares on internal victim networks. [2] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | Bad Rabbit has used Mimikatz to harvest credentials from the victim’s machine. [2] |
enterprise | T1057 | Process Discovery | Bad Rabbit can enumerate all running processes to compare hashes. [1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Bad Rabbit’s infpub.dat file creates a scheduled task to launch a malicious executable. [1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | Bad Rabbit has used rundll32 to launch a malicious DLL as C:\Windows\infpub.dat. [1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Bad Rabbit drops a file named infpub.dat into the Windows directory, and it is executed through SCManager and rundll.exe. |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Bad Rabbit has been executed through user installation of an executable disguised as a Flash installer. [2][1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | [4] |
References
- [1] Mamedov, O., Sinitsyn, F., Ivanov, A. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
- [2] M.Léveille, M-E. (2017, October 24). Bad Rabbit: Not-Petya is back with improved ransomware. Retrieved January 28, 2021.
- [3] Slowik, J. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.
- [4] Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.