What you should absolutely know about Petya and Misha Ransomware attack (GoldenEye Ransomware)…

Prakash Prasad, CERT Advisory
Jul 2, 2017

Complex Ransomware…

Description:

Several reports describe this ransomware as a variant of Petya and Misha (also known as GoldenEye). The main targets so far are in Ukraine and Russia; only a few samples have recently been detected in France.

Affected countries:

UK, Ukraine, India, the Netherlands, Spain, Denmark, and others.

Verified facts:

  • it uses EternalBlue as an attack vector (CVE-2017-0143 [3])
    - it spreads via SMB after the initial exploitation

Behavior:
Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

After exploitation, the ransomware performs the following actions:

- downloads the main binary from hxxp://185[.]165[.]29[.]78/~alex/svchost[.]exe
- clears the Windows event logs and deletes the USN change journal using wevtutil and fsutil (wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:)
- writes a message to the raw disk partition
- schedules a reboot of the system at noon as a logic bomb (schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d ; at %02d:%02d %ws)
- after the restart, a message appears announcing that the system is encrypted and demanding a ransom of USD 300 in Bitcoin
- the binary carries a fake Microsoft digital signature [1]
- the Bitcoin wallet used in this attack is listed in [2]
- wowsmth123456[@]posteo.net is the email address used in this attack
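As an added example (not part of the advisory), the following Python applies detection rules for the command lines listed above to constructed process-creation events: repeated "wevtutil cl" calls, "fsutil usn deletejournal", a one-shot schtasks job with an empty task name, and an "at HH:MM" job. The event format, host names and the task target path are placeholders; a single operator "wevtutil cl" is deliberately left unflagged.

```python
import re

# Each rule is a predicate over a process command line. The patterns follow the
# commands listed in the advisory: repeated "wevtutil cl", "fsutil usn deletejournal",
# a one-shot schtasks job with an empty task name (/TN ""), and an "at HH:MM" job.
RULES = {
    "event_log_clearing": lambda c: len(re.findall(r"wevtutil\s+cl\s+", c, re.I)) >= 2,
    "usn_journal_deletion": lambda c: re.search(r"fsutil\s+usn\s+deletejournal", c, re.I) is not None,
    "empty_name_oneshot_task": lambda c: re.search(
        r'schtasks\b.*/create\b.*/sc\s+once\b.*/tn\s+""', c, re.I) is not None,
    "at_job_scheduled": lambda c: re.search(r"(?:^|&|\s)at\s+\d{1,2}:\d{2}\s", c, re.I) is not None,
}


def classify(cmdline):
    """Names of the rules that fire on one command line."""
    return [name for name, hit in RULES.items() if hit(cmdline)]


def scan(events):
    """Map each host to the sorted list of rules that fired on any of its events."""
    hits = {}
    for ev in events:
        names = classify(ev["cmdline"])
        if names:
            hits.setdefault(ev["host"], set()).update(names)
    return {host: sorted(names) for host, names in hits.items()}


# Constructed process-creation events (not real telemetry). The first three are
# benign; a single "wevtutil cl" by an operator must not trip the clearing rule.
# The task target path is a placeholder, not the path used by the malware.
EVENTS = [
    {"host": "WS01", "user": "alice", "cmdline": "notepad.exe report.txt"},
    {"host": "WS01", "user": "alice", "cmdline": "wevtutil qe Security /c:5"},
    {"host": "WS01", "user": "ops", "cmdline": "wevtutil cl Application"},
    {"host": "WS02", "user": "SYSTEM", "cmdline": (
        "cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security"
        " & wevtutil cl Application & fsutil usn deletejournal /D C:")},
    {"host": "WS02", "user": "SYSTEM", "cmdline":
        'schtasks /Create /SC once /TN "" /TR "C:\\placeholder\\task.exe" /ST 12:00'},
    {"host": "WS03", "user": "bob", "cmdline": "at 13:30 C:\\placeholder\\task.exe"},
]

if __name__ == "__main__":
    for host, names in scan(EVENTS).items():
        print(host, ", ".join(names))
```

The same predicates can be fed from Sysmon Event ID 1 or Security 4688 command-line fields; clearing of several channels in one command line, rather than any single clear, is what separates the malware's behavior from routine administration.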

Facts that still need to be confirmed:
- privilege check
  > if it can run as admin, it encrypts the MBR
  > if not, it encrypts files

The ransomware attempts to encrypt files with the following extensions:

[.]3ds,[.]7z,[.]accdb,[.]ai,[.]asp,[.]aspx,[.]avhd,[.]back,[.]bak,[.]c,[.]cfg,[.]conf,[.]cpp,[.]cs,[.]ctl,[.]dbf,[.]disk,[.]djvu,[.]doc,[.]docx,[.]dwg,[.]eml,[.]fdb,[.]gz,[.]h,[.]hdd,[.]kdbx,[.]mail,[.]mdb,[.]msg,[.]nrg,[.]ora,[.]ost,[.]ova,[.]ovf,[.]pdf,[.]php,[.]pmf,[.]ppt,[.]pptx,[.]pst,[.]pvi,[.]py,[.]pyc,[.]rar,[.]rtf,[.]sln,[.]sql,[.]tar,[.]vbox,[.]vbs,[.]vcb,[.]vdi,[.]vfd,[.]vmc,[.]vmdk,[.]vmsd,[.]vmx,[.]vsdx,[.]vsv,[.]work,[.]xls,[.]xlsx,[.]xvd,[.]zip,[.]

To help detect and identify this ransomware, here is a non-exhaustive list of indicators of compromise (IoC):

* SHA256 hashes

* Files related to this attack
- %WINDIR%\dllhost[.]dat

* Anti-Virus definitions
[CrowdStrike Falcon (ML)] malicious_confidence_67% (D);
[Endgame] malicious (high confidence);
[Ikarus] Win32.Outbreak;
[Kaspersky] UDS:DangerousObject.Multi.Generic;
[ZoneAlarm by Check Point] UDS:DangerousObject.Multi.Generic;
[McAfee] Artemis!71B6A493388E;
[McAfee-GW-Edition] Artemis!Trojan;
[Panda] Trj/CryptoPetya.B;
[Qihoo-360] Trojan.Generic;
[Palo Alto Networks (Known Signatures)] generic.ml;
[Sophos] Mal/Generic-S;
[Tencent] Win32.Trojan.Agent.Ntrp;
[Webroot] W32.Ransomware.Gen;

* YARA rule

rule IOC_OCD_39B4A617722E3D0B60C27CE107BC4B06
{
    meta:
        author = "Laboratoire Epidemiologique Signal Intelligence Orange Cyberdefense"
        ref_IOC = "39B4A617722E3D0B60C27CE107BC4B06"
        date_IOC = "27/06/2017-16:15:22"
        info = "Version 1.0 b"
        internal = false
        score = 99
        risk_score = 10
        Classification = 104
        Severity = 5
        threat = "OCD APT Native Mutagenesis Envelope"
        comment = "IOC APT-Sensor"

    strings:
        // MZ magic of the DOS header
        $header = { 4D 5A ?? ?? }
        // PE signature plus the start of the COFF and optional headers, expected at 0xF0
        $env1 = { 50 45 00 00 4C 01 05 00 5C 28 46 59 00 00 00 00 00 00 00 00 E0 00 02 21 0B 01 0A 00 00 BE 00 00 00 AE 04 00 00 00 00 00 39 7D 00 00 00 10 00 00 00 D0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 }
        // code fragments at fixed offsets in the sample's .text section
        $env2 = { 6A 08 FF 15 C0 D1 00 10 50 FF 15 DC D1 00 10 5D C2 04 00 55 8B EC 83 7D 08 00 74 12 FF 75 08 6A 08 FF 15 C0 D1 00 10 50 FF 15 D4 D1 00 10 5D C2 }
        $env3 = { 0A 25 FF FF 00 00 0D 00 00 07 80 89 45 F0 E9 AD 00 00 00 6A 0A 8D 45 C4 50 FF 75 AC E8 6A 93 00 00 8D 85 9C FE FF FF 83 C4 0C 8D 50 01 8A 08 40 }

    condition:
        $header at 0 and ($env1 at 0xF0 and $env2 at 0x406 and $env3 at 0x553)
}
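As an added example (not part of the advisory or of Orange Cyberdefense's rule), the following Python decodes the COFF header fields that $env1 hard-codes and checks the rule's fixed-offset assumption: "$env1 at 0xF0" can only match when the DOS header's e_lfanew is 0xF0, so a rebuilt sample with a relocated PE header is missed. The MZ/PE stubs are constructed, not real samples.

```python
import struct
from datetime import datetime, timezone

# The first 24 bytes of the rule's $env1 string: the PE signature followed by
# the 20-byte COFF file header. The rule pins this at file offset 0xF0.
ENV1 = bytes.fromhex(
    "50 45 00 00 4C 01 05 00 5C 28 46 59 00 00 00 00 00 00 00 00 E0 00 02 21"
)
ENV1_OFFSET = 0xF0


def decode_coff_header(pe_bytes):
    """Decode the COFF fields that $env1 hard-codes (machine, sections, build time)."""
    if pe_bytes[:4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsections, stamp = struct.unpack_from("<HHI", pe_bytes, 4)
    return {
        "machine": machine,        # 0x014C = IMAGE_FILE_MACHINE_I386
        "sections": nsections,
        "timestamp": stamp,        # TimeDateStamp, seconds since the Unix epoch
        "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
    }


def e_lfanew(data):
    """PE header offset from the DOS header, or None when the data is not an MZ file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    return struct.unpack_from("<I", data, 0x3C)[0]


def fixed_offset_rule_can_match(data):
    """The rule needs the PE header exactly at 0xF0; any other e_lfanew means a miss."""
    return e_lfanew(data) == ENV1_OFFSET


def build_stub(pe_offset):
    """Constructed minimal MZ/PE stub (not a real sample) with ENV1 at pe_offset."""
    stub = bytearray(0x200)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, pe_offset)
    stub[pe_offset:pe_offset + len(ENV1)] = ENV1
    return bytes(stub)


SAMPLE = build_stub(ENV1_OFFSET)   # the layout the rule expects
SHIFTED = build_stub(0x80)         # same header, relocated as a repacked build might be
```

The decoded TimeDateStamp is only what the header claims; PE timestamps can be forged, so treat the build time as a weak clustering hint rather than evidence.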

Impacts
*******

Vulnerable products:

No product list has been published. However, based on previous attacks, we assume that the following products could be targeted:
Windows XP
Windows Vista
Windows 7
Windows 8
Windows 8.1
Windows 8.1 RT
Windows Server 2003
Windows Server 2008
Windows Server 2008R2
Windows Server 2012
Windows Server 2012R2
Windows Server 2016
Windows Server Core
Windows Embedded Standard 2009
Windows Embedded POSReady 2009
There is no evidence that Windows 10 is targeted.

Solution:

The attack's operating mode is not yet confirmed. We recommend the following actions:
- filter inbound connections on TCP ports 445 and 139 coming from untrusted networks
- completely disable SMBv1 support (deprecated) [4]
- new signature files for antivirus products are available or will be available soon; update antivirus definitions urgently
- detect/blacklist all incoming emails from wowsmth123456[@]posteo.net
- detect all outgoing emails to wowsmth123456[@]posteo.net

[1] https://twitter[.]com/craiu/status/879690795946827776
[2] https://blockchain[.]info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Petya/Petwrap ransomware

Actions to be taken:
1. Block the source e-mail address:
wowsmith123456@posteo.net

2. Block domains:

3. Block IPs:
95.141.115.108
185.165.29.78
84.200.16.242
111.90.139.247

4. Apply patches:
Reference (in Russian): https://habrahabr.ru/post/331762/

5. Disable SMBv1

6. Update anti-virus hashes

myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD


Author | Founder of Intelligence School | International Institute of Financial Intelligence | Blockchain Researcher | https://intelligenceschool.org.in/