Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Security Case Study 2017: Petya/NotPetya – the...

hasherezade
September 14, 2017

Security Case Study 2017: Petya/NotPetya – the analysis of the mysterious malware which has attacked Ukraine

hasherezade

September 14, 2017
Tweet

More Decks by hasherezade

Other Decks in Research

Transcript

  1. Petya/NotPetya – the analysis of the mysterious malware which has

    attacked Ukraine Hasherezade (@hasherezade)
  2. Agenda •The outbreak •Behavioral analysis •Is it Petya? •Is it

    ransomware? •The propagation mechanism •The conditional features •Conclusions
  3. The outbreak • 27th June in Ukraine, affecting also neighboring

    countries, i.e. Poland • Source of the infection: M.E.Doc – tax accounting software company in Ukraine • Initial vector: a malicious update • As it turned out, the attackers resided on the M.E.Doc servers months before the outbreak
  4. A malware with various names • The authors didn’t name

    the malware at first. • Among the researchers it was refered as: Petya, Petya.A, NotPetya, ExPetr, Nyetya, EternalPetya, Petna, GoldenEye, PetrWrap... • In the later annoucements, attackers refered to it as Petya.A/NotPetya https://www.youtube.com/watch?v=Vor9sWpJQHw
  5. Behavior of the malware: High level attack 1. Encrypts files

    with selected extensions (using AES + RSA) https://www.youtube.com/watch?v=Vor9sWpJQHw 3ds 7z accdb ai asp aspx avhd back bak c cfg conf cpp cs ctl dbf disk djvu doc docx dwg eml fdb gz h hdd kdbx mail mdb msg nrg ora ost ova ovf pdf php pmf ppt pptx pst pvi py pyc rar rtf sln s ql tar vbox vbs vcb vdi vfd vmc vmdk vmsd vmx vsdx vsv work xls xlsx xvd zip
  6. Behavior of the malware: High level attack 2. Drops a

    ransom note: https://www.youtube.com/watch?v=Vor9sWpJQHw
  7. Behavior of the malware: High level attack 3. Reboot is

    scheduled: https://www.youtube.com/watch?v=Vor9sWpJQHw
  8. Behavior of the malware: High level attack 4. We can

    see the malware scanning our LAN, in order to spread to other machines... 5. Master Boot Record is overwritten with the malicious bootloader and the kernel, that is meant to deploy the low level attack after the reboot https://www.youtube.com/watch?v=Vor9sWpJQHw
  9. Behavior of the malware: Low level attack 1. When the

    machine boots again, the malicious kernel is loaded... https://www.youtube.com/watch?v=Vor9sWpJQHw This CHKDKS is fake! In reality the malware encrypts MFT using Salsa20 algorithm
  10. Behavior of the malware: Low level attack 2. After encrypting

    the MFT, the ransom demand is shown on the screen: https://www.youtube.com/watch?v=Vor9sWpJQHw The low level attack looks exactly like Petya, but the skull and the malware name are missing...
  11. Behavior summary 1. High level attack: encrypts files with selected

    extensions 2. Low level attack: encrypts Master File Table, making disk inaccassible 3. Spreads itself on other machines in the LAN (using i.e. NSA’s „Eternal” exploits) https://www.youtube.com/watch?v=Vor9sWpJQHw
  12. Almost all ransomware encrypts files one by one – Petya

    can do it as well But Petya has a unique feature: it attacks a bootloader, and then encrypts low-level structures on the disk (Master File Table) – making disk unreadable Do you remember last year’s Petya? https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas- demystifying-the-malware-family/
  13. • Petya comes in 3 flavors: Red, Green and golden

    (Goldeneye) • Each version introduced improvements • Latest versions were not decryptable Do you remember last year’s Petya? https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas- demystifying-the-malware-family/
  14. Do you remember last year’s Petya? •Dropper (Windows EXE), •

    overwrites the disk’s beginning with Petya kernel • Encrypts files with selected extensions, one by one •Petya kernel • perform the disk encryption (MFT) https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas- demystifying-the-malware-family/
  15. Behavior summary 1. High level attack: encrypts files with selected

    extensions 2. Low level attack: encrypts Master File Table, making disk inaccassible 3. Spreads itself on other machines in the LAN (using i.e. NSA’s „Eternal” exploits) https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas- demystifying-the-malware-family/
  16. The components involved • 71b6a493388e7d0b40c83ce903bc6b04 – the main DLL installed

    as: C:\Windows\perfc.dat Run by: rundll32.exe <path>,#1 • aeee996fd3484f28e5cd85fe26b6bdcd – a legitimate app incorporated by the malware: PsExec • Mimikatz-like components for stealing credentials (they are used for further spreading the malware in the LAN) • 2813d34f6197eb4df42c886ec7f234a1 – 32 bit version • 7e37ab34ecdcc3e77e24522ddfd4852d – 64 bit version • f3471d609077479891218b0f93a77ceb – the low level part (Petya MBR + kernel)
  17. Petya or not? Comparing the code... •The kernel of the

    new malware compared with the one from the latest Petya (Goldeneye) Differences exists, but they are minor. The code base is the same as Goldeneye Petya Conclusion: it is a Petya
  18. Petya or not? Comparing the code... •Let’s take a closer

    look at the differences... Conclusion: it is a Petya, but not a legitimate strain – not recompiled from the original source. The Petya kernel was pirated and stolen from the original author. Missing optimizations. This assembly code can never be generated if the code was recompiled. https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen- piece-package/
  19. Ransomware or not? •Yes, because it demaned a ransom and

    successfuly collected money •Not really, because paying the ransom cannot help a victim The victim ID is a random string, generated BEFORE the encryption key is made Conclusion: the attackers deliberately decided not to preserve the key https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
  20. Ransomware or not? Conclusion: the attackers deliberately decided not to

    preserve the key. But why? • Unfinished work with a dummy text left? • Proof of the destructive intentions? https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
  21. Ransomware or not? – Unfinished work? • Sometimes it happens,

    i.e. Satana ransomware, that was deployed in wild on a small scale, was also unfinished... https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/ It reads user input, but never process it. Original MBR cannot be recovered.
  22. Ransomware or not? – Unfinished work? • The authors of

    Petya.A/NotPetya tried to reimplement some features of the original Petya by their own, i.e. preserving the original MBR obfuscated by XOR with 0x7 Conclusion: redundant efforts in case of destructive intentions The original MBR is preserved in the sector 34 Accurate imitation of the original Petya’s behavior
  23. Ransomware or not? – Destructive intentions ? • Disruption attacks

    on Ukraine already happened in the past, so it may be their continuation... • However: if the ransomware is just a cover, why the authors didn’t finish the cover? The fact of not preserving the key could be easily obfuscated, i.e. pretending that it is sent to a dead CnC server... https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack
  24. What is new? 1. High level attack: encrypts files with

    selected extensions 2. Low level attack: encrypts Master File Table, making disk inaccassible 3. Spreads itself on other machines in the LAN (using i.e. NSA’s „Eternal” exploits)
  25. The infector •Two ways of spreading: 1. Using exploits leaked

    from the NSA: ETERNALBLUE, ETERNALROMANCE + DOUBLEPULSAR injector with minor modifications 2. Using conventional tools: PsExec, Wmic Conclusion: the infector is written by professionals Similarly to WannaCry ransomware, that used ETERNALBLUE https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/
  26. The infector: finding network targets •Targets are collected on a

    global list •Multiple sources: 1. command line argument (-h <ip>) 2. Scanning ports 139 and 445 in LAN 3. DHCP servers and clients (DhcpEnumServerClients) 4. Cached ARP entries (GetIpNetTable) 5. Active TCP connections (GetExtendedTcpTable) 6. ActiveDirectory domain (NetServerEnum) https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/ Conclusion: very scrupulous in finding network targets
  27. The infector: dumping credentials •The malware comes with a mimikatz-based

    tool for dumping credentials https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/ used for lateral movements credentials are sent to the malware over a pipe...
  28. Conditional paths The malware has several paths of execution. The

    flags are set depending on: • options1: based on privileges • options2: Installed AV products: avp.exe (Kaspersky), ccSvcHst.exe (Symantec), NS.exe (Norton Security) Conclusion: the behavior of the malware may vary on various machines https://blog.nviso.be/2017/06/30/recovering-custom-hashes-for-the-petyanotpetya-malware/
  29. Conditional paths • Does it always deploy the low-level attack?

    • No, if avp.exe (Kaspersky AV) is detected, it does not write the Petya kernel at the beginning of the disk... Instead, it overwrites those sectors with random data • No MFT encryption deployed https://securelist.com/no-free-pass-for-expetr/79008/ avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared) If avp detected, the buffer is written, but not filled with Petya’s code 8 = 1000b (check 4-th bit)
  30. Conditional paths The options that are set are fewer than

    the options that are checked... Conclusion: some of the conditional flags are not implemented – it may be a hint that the malware is not finished and got released prematurely (tests?) Options2 checked: 1,2,4,8,16 avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared) NS.exe or ccSvcHst.exe detected -> options2 &= 0xFFFFFFFB = -5 (3rd bit is cleared)
  31. Decrypting Master File Table (Salsa20) • Bruteforcing the key is

    not possible • Plaintext attack on the ciphertext: • Possible due to an error in implementation of Salsa20. • Yet, may be difficult in real life scenarios... • There is a tool by CrowdStrike: https://www.crowdstrike.com/blog/decrypting- notpetya-tools-for-recovering-your-mft-after-an-attack/ • Forensically carving files out of the disk... Conclusion: there is no perfect solution allowing to recover MFT and got all the data back.
  32. Decrypting files (AES + RSA) • Bruteforcing the key is

    not possible • Attackers were willingly to sell the key: Conclusion: there is no solution at the moment, as nobody bought the key
  33. Conclusions Looking at the code we can find many inconsistencies,

    that triggers doubts. - Was it a state sponsored attack on Ukraine? - Was it just an attack of unfinished ransomware?