ESET has found new details about the possible origins of last week’s Petya-like ransomware outbreak.
Longitudinal research points to similarities between multiple campaigns by the TeleBots cybercriminal group in Ukraine, and aspects of their evolving toolset in attacks between December 2016 and March 2017, and the Diskcoder.C (aka Petya) outbreak that took place on 27 June 2017.
“The parallels to the December 2016 attack againstfinancial institutions, and the subsequent development of a Linux version of KillDisk malware used by TeleBots are strong clues,” says senior ESET malware researcher, Anton Cherepanov. “It was these indicators, alongside mounting attacks on computer systems in Ukraine, that warranted a deeper look at TeleBots.”
TeleBots’ modus operandi has consistently been the use of KillDisk to overwrite files with specific extensions to victims’ disks, according to ESET. Thus, collecting ransom was unlikely to be their primary goal, as target files were not so much as encrypted, but overwritten. While subsequent attacks did see the addition of encryption, contact information and other features of ransomware, the incidents still stood apart.
In 2017, between January and March, TeleBots attackers compromised a software company in Ukraine using VPN tunnels and gained access to the internal networks of several financial institutions, revealing an enhanced arsenal of Python coded tools.
During the final stages of that campaign, they pushed ransomware using stolen Windows credentials and SysInternals PsExec. ESET products detected this new ransomware as Win32/Filecoder.NKH. It was followed by Linux ransomware, detected as Python/Filecoder.R, predictably written in Python.
Next, TeleBots unleashed Win32/Filecoder.AESNI.C (referred to as XData) on18 May 2017. Spread mostly in Ukraine via an update of M.E.Doc a widely used financial software in Ukraine.
According to ESET LiveGrid, the malware was created right after software execution, allowing it lateral movement, automatically, inside a compromised company LAN. Despite ESET publishing a decryption tool for Win32/Filecoder.AESNI, the event didn’t gain much attention.
However, on 27 June, thePetya-like outbreak (Diskcoder.C) that has compromised so many systems in both critical infrastructure and other businesses in Ukraine and beyond, appeared and displayed the ability to replace Master Boot Record (MBR) with its own malicious code, code borrowed from Win32/Diskcoder.Petya ransomware.
Diskcoder.C’s authors have modified the MBR code so that recovery in not possible and while displaying payment instructions, as we now know, the information is useless.
Technically, there are many improvements, according to ESET. Critically, once the malware is executed it attempts to spread using infamous EternalBlue exploit, leveraging DoublePulsar kernel mode backdoor. Exactly same method used in WannaCry ransomware.
The malware is also capable of spreading the same way as Win32/Filecoder.AESNI.C (aka XData) ransomware, using a lightweight version of Mimikatz to obtain passwords, then executing the malware using SysInternals PsExec. In addition, attackers have implemented third method to spread using a WMI mechanism.
All three methods have been used to spread malware inside LANs. But, unlike WannaCry malware, in this case the EternalBlue exploit is used by Diskcoder.C malware only against computers within internal address space.
Tying TeleBots to this activity also means understanding why the infections took hold in other countries, seemingly breaking its strong focus on Ukraine.
ESET researchers have zeroed in on VPN connections between users of M.E.Doc, its customers, and their global business partners. Additionally, M.E.Doc has an internal messaging and document exchange system, so attackers could send spearphishing messages to victims.
Attackers also had access to the update server supplying legitimate software. Using access to this server, attackers pushed malicious updates applied automatically without user interaction.
“With such deep infiltration of M.E.Doc’s infrastructure and its clientele, the attackers had deep resources to spread Diskcoder.C,” says Cherepanov. “Despite some ‘collateral damage’, the attack demonstrated a deep understanding of the resources at their disposal. Furthermore, the additional capabilities of the EternalBlue exploit kit have added a unique dimension that the cybersecurity community will increasingly have to grapple with.”