Security Case Study 2017: Petya/NotPetya – the analysis of the mysterious malware which has attacked Ukraine

Petya/NotPetya – the
analysis of the mysterious
malware which has attacked
Ukraine
Hasherezade (@hasherezade)

View Slide

Agenda
•The outbreak
•Behavioral analysis
•Is it Petya?
•Is it ransomware?
•The propagation mechanism
•The conditional features
•Conclusions

View Slide

Overview - how it
all started

View Slide

The outbreak
27th June...

View Slide

The outbreak
• 27th June in Ukraine, affecting also neighboring
countries, i.e. Poland
• Source of the infection: M.E.Doc – tax accounting
software company in Ukraine
• Initial vector: a malicious update
• As it turned out, the attackers resided on the
M.E.Doc servers months before the outbreak

View Slide

A malware with various names
• The authors didn’t name the malware at first.
• Among the researchers it was refered as:
Petya, Petya.A, NotPetya, ExPetr, Nyetya, EternalPetya,
Petna, GoldenEye, PetrWrap...
• In the later annoucements, attackers refered to it
as Petya.A/NotPetya
https://www.youtube.com/watch?v=Vor9sWpJQHw

View Slide

Behavioral analysis

View Slide

Behavior of the malware: High level attack
1. Encrypts files with selected extensions (using AES +
RSA)
3ds 7z accdb ai asp aspx avhd back bak c cfg conf cpp cs ctl dbf disk djvu doc docx
dwg eml fdb gz h hdd kdbx mail mdb msg nrg ora ost ova ovf pdf php pmf ppt pptx pst
pvi py pyc rar rtf sln s ql tar vbox vbs vcb vdi vfd vmc vmdk vmsd vmx vsdx vsv work
xls xlsx xvd zip

View Slide

2. Drops a ransom note:

View Slide

3. Reboot is scheduled:

View Slide

4. We can see the malware scanning our LAN, in
order to spread to other machines...
5. Master Boot Record is overwritten with the
malicious bootloader and the kernel, that is meant
to deploy the low level attack after the reboot

View Slide

Behavior of the malware: Low level attack
1. When the machine boots again, the malicious
kernel is loaded...
This CHKDKS is
fake! In reality the
malware encrypts
MFT using Salsa20
algorithm

View Slide

Behavior of the malware: Low level attack
2. After encrypting the MFT, the ransom demand is
shown on the screen:
The low level
attack looks exactly
like Petya, but the
skull and the
malware name are
missing...

View Slide

Behavior summary
1. High level attack: encrypts files with selected
extensions
2. Low level attack: encrypts Master File Table,
making disk inaccassible
3. Spreads itself on other machines in the LAN (using
i.e. NSA’s „Eternal” exploits)

View Slide

A new Petya/Goldeneye?
Last year’s edition of Petya:

View Slide

Almost all ransomware encrypts files
one by one – Petya can do it as well
But Petya has a unique feature: it attacks a
bootloader, and then encrypts low-level
structures on the disk (Master File Table) –
making disk unreadable
Do you remember last year’s Petya?
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-
demystifying-the-malware-family/

View Slide

• Petya comes in 3 flavors:
Red, Green and golden
(Goldeneye)
• Each version introduced
improvements
• Latest versions were not
decryptable

View Slide

•Dropper (Windows EXE),
• overwrites the disk’s beginning with
Petya kernel
• Encrypts files with selected
extensions, one by one
•Petya kernel
• perform the disk encryption (MFT)

View Slide

Behavior summary
extensions

View Slide

Let’s have a
look inside...

View Slide

The components involved
• 71b6a493388e7d0b40c83ce903bc6b04 – the main DLL
installed as: C:\Windows\perfc.dat
Run by: rundll32.exe ,#1
• aeee996fd3484f28e5cd85fe26b6bdcd – a legitimate app incorporated by the
malware: PsExec
• Mimikatz-like components for stealing credentials (they are used for further
spreading the malware in the LAN)
• 2813d34f6197eb4df42c886ec7f234a1 – 32 bit version
• 7e37ab34ecdcc3e77e24522ddfd4852d – 64 bit version
• f3471d609077479891218b0f93a77ceb – the low level part (Petya MBR + kernel)

View Slide

Petya or not? Comparing the code...
•The kernel of the new malware compared with the one from the latest Petya
(Goldeneye)
Differences exists, but
they are minor. The
code base is the same
as Goldeneye Petya
Conclusion: it is a Petya

View Slide

Petya or not? Comparing the code...
•Let’s take a closer look at the differences...
Conclusion: it is a Petya, but not a legitimate strain – not recompiled from the original source. The Petya kernel
was pirated and stolen from the original author.
Missing
optimizations. This
assembly code can
never be
generated if the
code was
recompiled.
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-
piece-package/

View Slide

Ransomware or not?
•Yes, because it demaned a ransom and successfuly collected money
•Not really, because paying the ransom cannot help a victim
The victim ID is a
random string,
generated BEFORE the
encryption key is made
Conclusion: the attackers deliberately
decided not to preserve the key
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/

View Slide

Ransomware or not?
Conclusion: the attackers deliberately decided not to preserve the key.
But why?
• Unfinished work with a dummy text left?
• Proof of the destructive intentions?

View Slide

Ransomware or not? – Unfinished work?
• Sometimes it happens, i.e. Satana ransomware, that was deployed in wild on a
small scale, was also unfinished...
https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/
It reads user input, but
never process it.
Original MBR cannot
be recovered.

View Slide

Ransomware or not? – Unfinished work?
• The authors of Petya.A/NotPetya tried to reimplement some features of the
original Petya by their own, i.e. preserving the original MBR obfuscated by XOR
with 0x7
Conclusion: redundant efforts in case of
destructive intentions
The original
MBR is
preserved in
the sector 34
Accurate imitation of
the original Petya’s
behavior

View Slide

Ransomware or not? – Destructive intentions ?
• Disruption attacks on Ukraine already happened in the past, so it may be their
continuation...
• However: if the ransomware is just a cover, why the authors didn’t finish the
cover? The fact of not preserving the key could be easily obfuscated, i.e.
pretending that it is sent to a dead CnC server...
https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack

View Slide

What is new?
extensions

View Slide

The infector
•Two ways of spreading:
1. Using exploits leaked from the NSA:
ETERNALBLUE, ETERNALROMANCE +
DOUBLEPULSAR injector with minor
modifications
2. Using conventional tools: PsExec, Wmic
Conclusion: the infector is written by
professionals
Similarly to WannaCry
ransomware, that used
ETERNALBLUE
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/

View Slide

The infector: finding network targets
•Targets are collected on a global list
•Multiple sources:
1. command line argument (-h )
2. Scanning ports 139 and 445 in LAN
3. DHCP servers and clients (DhcpEnumServerClients)
4. Cached ARP entries (GetIpNetTable)
5. Active TCP connections (GetExtendedTcpTable)
6. ActiveDirectory domain (NetServerEnum)
Conclusion: very scrupulous in finding
network targets

View Slide

The infector: dumping credentials
•The malware comes with a mimikatz-based tool for dumping credentials
used for
lateral
movements
credentials are
sent to the
malware over a
pipe...

View Slide

Conditional paths

View Slide

Conditional paths
The malware has several paths of
execution. The flags are set
depending on:
• options1: based on privileges
• options2: Installed AV products:
avp.exe (Kaspersky), ccSvcHst.exe
(Symantec), NS.exe (Norton
Security) Conclusion: the behavior of the malware
may vary on various machines
https://blog.nviso.be/2017/06/30/recovering-custom-hashes-for-the-petyanotpetya-malware/

View Slide

Conditional paths
• Does it always deploy the low-level
attack?
• No, if avp.exe (Kaspersky AV) is
detected, it does not write the Petya
kernel at the beginning of the disk...
Instead, it overwrites those sectors
with random data
• No MFT encryption deployed
https://securelist.com/no-free-pass-for-expetr/79008/
avp.exe detected ->
options2 &= 0xFFFFFFF7
= -9 (4th bit is cleared)
If avp
detected,
the buffer is
written, but
not filled
with Petya’s
code
8 = 1000b (check 4-th bit)

View Slide

Conditional paths
The options that are set are
fewer than the options that are
checked...
Conclusion: some of the conditional flags
are not implemented – it may be a hint that
the malware is not finished and got
released prematurely (tests?)
Options2 checked:
1,2,4,8,16
avp.exe detected -> options2 &= 0xFFFFFFF7 =
-9 (4th bit is cleared)
NS.exe or ccSvcHst.exe detected -> options2
&= 0xFFFFFFFB = -5 (3rd bit is cleared)

View Slide

Possible help?

View Slide

Decrypting Master File Table (Salsa20)
• Bruteforcing the key is not possible
• Plaintext attack on the ciphertext:
• Possible due to an error in implementation of Salsa20.
• Yet, may be difficult in real life scenarios...
• There is a tool by CrowdStrike: https://www.crowdstrike.com/blog/decrypting-
notpetya-tools-for-recovering-your-mft-after-an-attack/
• Forensically carving files out of the disk... Conclusion: there is no perfect solution
allowing to recover MFT and got all the data
back.

View Slide

Decrypting files (AES + RSA)
• Bruteforcing the key is not possible
• Attackers were willingly to sell the key:
Conclusion: there is no solution at the
moment, as nobody bought the key

View Slide

Conclusions

View Slide

Conclusions
Looking at the code we can find many
inconsistencies, that triggers doubts.
- Was it a state sponsored attack on Ukraine?
- Was it just an attack of unfinished ransomware?

View Slide

Links
https://securelist.com/a-kings-ransom-it-is-not/79057/
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-
adds-worm-capabilities/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-
package/
https://labsblog.f-secure.com/2017/06/30/what-good-is-a-not-for-profit-eternal-petya/

View Slide

Questions? Remarks?
More:
https://blog.malwarebytes.com/?s=eternalpetya

View Slide

Thank you!

View Slide

Security Case Study 2017: Petya/NotPetya – the analysis of the mysterious malware which has attacked Ukraine

Security Case Study 2017: Petya/NotPetya – the analysis of the mysterious malware which has attacked Ukraine

hasherezade

More Decks by hasherezade

Other Decks in Research

Featured

Transcript