Security Case Study 2017: Petya/NotPetya – the analysis of the mysterious malware which has attacked Ukraine

hasherezade
September 14, 2017


Transcript

  1. Petya/NotPetya – the analysis of the mysterious malware which has attacked Ukraine
    Hasherezade (@hasherezade)

  2. Agenda
    • The outbreak
    • Behavioral analysis
    • Is it Petya?
    • Is it ransomware?
    • The propagation mechanism
    • The conditional features
    • Conclusions

  3. Overview - how it all started

  4. The outbreak
    27th June...

  5. The outbreak
    • 27th June in Ukraine, also affecting neighboring countries, e.g. Poland
    • Source of the infection: M.E.Doc – a tax accounting software company in Ukraine
    • Initial vector: a malicious update
    • As it turned out, the attackers had resided on the M.E.Doc servers for months before the outbreak

  6. A malware with various names
    • The authors didn’t name the malware at first.
    • Among researchers it was referred to as: Petya, Petya.A, NotPetya, ExPetr, Nyetya, EternalPetya, Petna, GoldenEye, PetrWrap...
    • In later announcements, the attackers referred to it as Petya.A/NotPetya
    https://www.youtube.com/watch?v=Vor9sWpJQHw

  7. Behavioral analysis

  8. Behavior of the malware: High level attack
    1. Encrypts files with selected extensions (using AES + RSA):
    3ds 7z accdb ai asp aspx avhd back bak c cfg conf cpp cs ctl dbf disk djvu doc docx
    dwg eml fdb gz h hdd kdbx mail mdb msg nrg ora ost ova ovf pdf php pmf ppt pptx pst
    pvi py pyc rar rtf sln sql tar vbox vbs vcb vdi vfd vmc vmdk vmsd vmx vsdx vsv work
    xls xlsx xvd zip

  9. Behavior of the malware: High level attack
    2. Drops a ransom note:

  10. Behavior of the malware: High level attack
    3. Reboot is scheduled:

  11. Behavior of the malware: High level attack
    4. We can see the malware scanning our LAN in order to spread to other machines...
    5. The Master Boot Record is overwritten with the malicious bootloader and kernel, which are meant to deploy the low level attack after the reboot

  12. Behavior of the malware: Low level attack
    1. When the machine boots again, the malicious kernel is loaded...
    This CHKDSK is fake! In reality the malware encrypts the MFT using the Salsa20 algorithm

  13. Behavior of the malware: Low level attack
    2. After encrypting the MFT, the ransom demand is shown on the screen:
    The low level attack looks exactly like Petya, but the skull and the malware name are missing...

  14. Behavior summary
    1. High level attack: encrypts files with selected extensions
    2. Low level attack: encrypts the Master File Table, making the disk inaccessible
    3. Spreads itself to other machines in the LAN (using, e.g., the NSA’s „Eternal” exploits)

  15. A new Petya/Goldeneye?
    Last year’s edition of Petya:

  16. Almost all ransomware encrypts files one by one – Petya can do it as well
    But Petya has a unique feature: it attacks the bootloader, and then encrypts low-level structures on the disk (the Master File Table) – making the disk unreadable
    Do you remember last year’s Petya?
    https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/

  17. Do you remember last year’s Petya?
    • Petya comes in 3 flavors: Red, Green and Golden (Goldeneye)
    • Each version introduced improvements
    • The latest versions were not decryptable

  18. Do you remember last year’s Petya?
    • Dropper (Windows EXE)
      • overwrites the disk’s beginning with the Petya kernel
      • encrypts files with selected extensions, one by one
    • Petya kernel
      • performs the disk encryption (MFT)

  19. Behavior summary
    1. High level attack: encrypts files with selected extensions
    2. Low level attack: encrypts the Master File Table, making the disk inaccessible
    3. Spreads itself to other machines in the LAN (using, e.g., the NSA’s „Eternal” exploits)

  20. Let’s have a look inside...

  21. The components involved
    • 71b6a493388e7d0b40c83ce903bc6b04 – the main DLL, installed as: C:\Windows\perfc.dat
      Run by: rundll32.exe ,#1
    • aeee996fd3484f28e5cd85fe26b6bdcd – a legitimate app incorporated by the malware: PsExec
    • Mimikatz-like components for stealing credentials (they are used for further spreading the malware in the LAN)
      • 2813d34f6197eb4df42c886ec7f234a1 – 32 bit version
      • 7e37ab34ecdcc3e77e24522ddfd4852d – 64 bit version
    • f3471d609077479891218b0f93a77ceb – the low level part (Petya MBR + kernel)

  22. Petya or not? Comparing the code...
    • The kernel of the new malware compared with the one from the latest Petya (Goldeneye)
    Differences exist, but they are minor. The code base is the same as Goldeneye Petya.
    Conclusion: it is a Petya

  23. Petya or not? Comparing the code...
    • Let’s take a closer look at the differences...
    Missing optimizations. This assembly code could never have been generated if the code had been recompiled.
    Conclusion: it is a Petya, but not a legitimate strain – not recompiled from the original source. The Petya kernel was pirated and stolen from the original author.
    https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/

  24. Ransomware or not?
    • Yes, because it demanded a ransom and successfully collected money
    • Not really, because paying the ransom cannot help a victim
    The victim ID is a random string, generated BEFORE the encryption key is made
    Conclusion: the attackers deliberately decided not to preserve the key
    https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/

  25. Ransomware or not?
    Conclusion: the attackers deliberately decided not to preserve the key.
    But why?
    • Unfinished work, with a dummy text left in?
    • Proof of destructive intentions?

  26. Ransomware or not? – Unfinished work?
    • Sometimes it happens, e.g. Satana ransomware, which was deployed in the wild on a small scale, was also unfinished...
    It reads user input, but never processes it. The original MBR cannot be recovered.
    https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/

  27. Ransomware or not? – Unfinished work?
    • The authors of Petya.A/NotPetya tried to reimplement some features of the original Petya on their own, e.g. preserving the original MBR, obfuscated by XOR with 0x7
    The original MBR is preserved in sector 34
    An accurate imitation of the original Petya’s behavior
    Conclusion: redundant effort in the case of destructive intentions
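
    The backup described on this slide is what a forensic recovery of the original MBR would rely on. The following Python is an added example (not the author's tooling and not the malware's code): it assumes a raw disk image in which sector 34 holds the original MBR XOR'd with 0x7, as the slide states, validates the deobfuscated sector before trusting it, and builds a constructed sample image so it runs offline.

```python
import struct
from typing import Optional

SECTOR_SIZE = 512
BACKUP_SECTOR = 34            # slide: the original MBR is preserved in sector 34
XOR_KEY = 0x07                # slide: obfuscated by XOR with 0x7
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

def deobfuscate(sector: bytes) -> bytes:
    # Single-byte XOR is its own inverse, so the same call also obfuscates.
    return bytes(b ^ XOR_KEY for b in sector)

def looks_like_mbr(sector: bytes) -> bool:
    # Sanity check before anything is written back: right size, 0x55AA
    # signature, and a legal boot flag (0x00 or 0x80) in all four partition entries.
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return False
    return all(sector[446 + 16 * i] in (0x00, 0x80) for i in range(4))

def recover_original_mbr(image: bytes) -> Optional[bytes]:
    # Take sector 34 from a raw disk image, undo the XOR and validate the result.
    off = BACKUP_SECTOR * SECTOR_SIZE
    candidate = deobfuscate(image[off:off + SECTOR_SIZE])
    return candidate if looks_like_mbr(candidate) else None

def build_sample_image():
    # Constructed sample (not a real disk): an MBR with one bootable NTFS
    # partition, sector 0 replaced by a stand-in bootloader, XOR'd copy in sector 34.
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\x33\xC0\x8E"                           # a few boot-code bytes
    mbr[446] = 0x80                                      # partition 1: bootable
    mbr[446 + 4] = 0x07                                  # partition 1: NTFS type id
    struct.pack_into("<II", mbr, 446 + 8, 2048, 204800)  # LBA start, sector count
    mbr[510:512] = BOOT_SIGNATURE
    image = bytearray(SECTOR_SIZE * 64)
    image[0:SECTOR_SIZE] = b"\xCC" * SECTOR_SIZE         # stand-in malicious bootloader
    off = BACKUP_SECTOR * SECTOR_SIZE
    image[off:off + SECTOR_SIZE] = deobfuscate(mbr)      # store the obfuscated backup
    return bytes(image), bytes(mbr)

if __name__ == "__main__":
    img, original = build_sample_image()
    recovered = recover_original_mbr(img)
    print("original MBR recovered" if recovered == original else "recovery failed")
```

On a real image, `recover_original_mbr` returning None means sector 34 did not survive intact and the backup should not be written back.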

  28. Ransomware or not? – Destructive intentions?
    • Disruption attacks on Ukraine have already happened in the past, so this may be their continuation...
    • However: if the ransomware is just a cover, why didn’t the authors finish the cover? The fact of not preserving the key could easily be obfuscated, e.g. by pretending that it is sent to a dead CnC server...
    https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack

  29. What is new?
    1. High level attack: encrypts files with selected extensions
    2. Low level attack: encrypts the Master File Table, making the disk inaccessible
    3. Spreads itself to other machines in the LAN (using, e.g., the NSA’s „Eternal” exploits)

  30. The infector
    • Two ways of spreading:
    1. Using exploits leaked from the NSA: ETERNALBLUE, ETERNALROMANCE + the DOUBLEPULSAR injector, with minor modifications
    2. Using conventional tools: PsExec, Wmic
    Similar to WannaCry ransomware, which used ETERNALBLUE
    Conclusion: the infector was written by professionals
    https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
    https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/

  31. The infector: finding network targets
    • Targets are collected in a global list
    • Multiple sources:
    1. command line argument (-h )
    2. Scanning ports 139 and 445 in the LAN
    3. DHCP servers and clients (DhcpEnumServerClients)
    4. Cached ARP entries (GetIpNetTable)
    5. Active TCP connections (GetExtendedTcpTable)
    6. Active Directory domain (NetServerEnum)
    Conclusion: very thorough in finding network targets

  32. The infector: dumping credentials
    • The malware comes with a mimikatz-based tool for dumping credentials
    The credentials are sent to the malware over a pipe... and used for lateral movement

  33. Conditional paths

  34. Conditional paths
    The malware has several paths of execution. The flags are set depending on:
    • options1: based on privileges
    • options2: installed AV products: avp.exe (Kaspersky), ccSvcHst.exe (Symantec), NS.exe (Norton Security)
    Conclusion: the behavior of the malware may differ from machine to machine
    https://blog.nviso.be/2017/06/30/recovering-custom-hashes-for-the-petyanotpetya-malware/

  35. Conditional paths
    • Does it always deploy the low-level attack?
    • No, if avp.exe (Kaspersky AV) is detected, it does not write the Petya kernel at the beginning of the disk... Instead, it overwrites those sectors with random data
    • No MFT encryption deployed
    avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared)
    8 = 1000b (check 4th bit)
    If avp is detected, the buffer is written, but not filled with Petya’s code
    https://securelist.com/no-free-pass-for-expetr/79008/

  36. Conditional paths
    The options that are set are fewer than the options that are checked...
    Options2 checked: 1, 2, 4, 8, 16
    avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared)
    NS.exe or ccSvcHst.exe detected -> options2 &= 0xFFFFFFFB = -5 (3rd bit is cleared)
    Conclusion: some of the conditional flags are not implemented – it may be a hint that the malware is not finished and got released prematurely (tests?)
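
    To make the mask arithmetic on this slide and the previous one checkable, here is an added Python model (not the malware's code, not the author's): it converts each 32-bit AND mask to the signed immediate a disassembler prints, lists the flag the mask clears, and replays the two detection sites against a starting options2 value. The starting value 0x1F (all five checked flags set) and the assumption that these two sites are the only places options2 is modified are constructed for the simulation.

```python
FLAGS_CHECKED = (1, 2, 4, 8, 16)   # slide: the options2 bits the code tests

# AV process name -> 32-bit mask AND-ed into options2 when that process is found
AV_MASKS = {
    "avp.exe": 0xFFFFFFF7,        # Kaspersky: clears the 4th bit (value 8)
    "NS.exe": 0xFFFFFFFB,         # Norton Security: clears the 3rd bit (value 4)
    "ccSvcHst.exe": 0xFFFFFFFB,   # Symantec: same mask as NS.exe
}
LOW_LEVEL_FLAG = 8                # 8 = 1000b; the Petya kernel write checks this bit

def to_int32(value: int) -> int:
    # Interpret a 32-bit pattern as the signed immediate shown in the disassembly.
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def cleared_bits(mask: int) -> list:
    # Flag values that "options2 &= mask" removes (bits that are 0 in the mask).
    inverse = ~mask & 0xFFFFFFFF
    return [1 << i for i in range(32) if inverse & (1 << i)]

def apply_av_detections(options2: int, detected) -> int:
    # Replay the detection sites in order; unknown names leave options2 unchanged.
    for proc in detected:
        options2 &= AV_MASKS.get(proc, 0xFFFFFFFF)
    return options2 & 0xFFFFFFFF

def writes_petya_kernel(options2: int) -> bool:
    # Slide: with avp.exe present the sectors are written but not filled with Petya's code.
    return bool(options2 & LOW_LEVEL_FLAG)

def never_cleared_flags() -> list:
    # Checked flags that none of the known detection sites ever clears; this is the
    # "fewer options set than checked" observation, assuming no other modification sites.
    touched = set()
    for mask in AV_MASKS.values():
        touched.update(cleared_bits(mask))
    return [f for f in FLAGS_CHECKED if f not in touched]

if __name__ == "__main__":
    for proc, mask in AV_MASKS.items():
        print(f"{proc}: options2 &= {mask:#010x} ({to_int32(mask)}) clears {cleared_bits(mask)}")
    start = 0x1F   # assumption: all five checked flags initially set
    print("avp.exe present -> kernel written:",
          writes_petya_kernel(apply_av_detections(start, ["avp.exe"])))
    print("checked flags never cleared here:", never_cleared_flags())
```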

  37. Possible help?

  38. Decrypting Master File Table (Salsa20)
    • Bruteforcing the key is not possible
    • Known-plaintext attack on the ciphertext:
      • Possible due to an error in the implementation of Salsa20.
      • Yet, may be difficult in real life scenarios...
      • There is a tool by CrowdStrike: https://www.crowdstrike.com/blog/decrypting-notpetya-tools-for-recovering-your-mft-after-an-attack/
    • Forensically carving files out of the disk...
    Conclusion: there is no perfect solution allowing the MFT to be recovered and all the data to be got back.

  39. Decrypting files (AES + RSA)
    • Bruteforcing the key is not possible
    • The attackers were willing to sell the key:
    Conclusion: there is no solution at the moment, as nobody bought the key

  40. Conclusions
    Looking at the code we can find many inconsistencies that raise doubts.
    - Was it a state sponsored attack on Ukraine?
    - Was it just an attack by an unfinished ransomware?

  41. Links
    https://securelist.com/a-kings-ransom-it-is-not/79057/
    https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
    https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/
    https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/
    https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
    https://labsblog.f-secure.com/2017/06/30/what-good-is-a-not-for-profit-eternal-petya/

  42. Questions? Remarks?
    More:
    https://blog.malwarebytes.com/?s=eternalpetya