Slide 1

Petya/NotPetya – the analysis of the mysterious malware which has attacked Ukraine
Hasherezade (@hasherezade)

Slide 2

Agenda
• The outbreak
• Behavioral analysis
• Is it Petya?
• Is it ransomware?
• The propagation mechanism
• The conditional features
• Conclusions

Slide 3

Overview - how it all started

Slide 4

The outbreak
27th June...

Slide 5

The outbreak
• 27th June in Ukraine, also affecting neighboring countries, e.g. Poland
• Source of the infection: M.E.Doc – a tax accounting software company in Ukraine
• Initial vector: a malicious update
• As it turned out, the attackers had resided on the M.E.Doc servers for months before the outbreak

Slide 6

A malware with various names
• The authors didn't name the malware at first.
• Among researchers it was referred to as: Petya, Petya.A, NotPetya, ExPetr, Nyetya, EternalPetya, Petna, GoldenEye, PetrWrap...
• In later announcements, the attackers referred to it as Petya.A/NotPetya
https://www.youtube.com/watch?v=Vor9sWpJQHw

Slide 7

Behavioral analysis

Slide 8

Behavior of the malware: High level attack
1. Encrypts files with selected extensions (using AES + RSA):
3ds 7z accdb ai asp aspx avhd back bak c cfg conf cpp cs ctl dbf disk djvu doc docx dwg eml fdb gz h hdd kdbx mail mdb msg nrg ora ost ova ovf pdf php pmf ppt pptx pst pvi py pyc rar rtf sln sql tar vbox vbs vcb vdi vfd vmc vmdk vmsd vmx vsdx vsv work xls xlsx xvd zip

Slide 9

Behavior of the malware: High level attack
2. Drops a ransom note

Slide 10

Behavior of the malware: High level attack
3. A reboot is scheduled

Slide 11

Behavior of the malware: High level attack
4. We can see the malware scanning our LAN in order to spread to other machines...
5. The Master Boot Record is overwritten with the malicious bootloader and kernel, which deploy the low level attack after the reboot

Slide 12

Behavior of the malware: Low level attack
1. When the machine boots again, the malicious kernel is loaded...
This CHKDSK is fake! In reality the malware is encrypting the MFT using the Salsa20 algorithm

Slide 13

Behavior of the malware: Low level attack
2. After encrypting the MFT, the ransom demand is shown on the screen
The low level attack looks exactly like Petya, but the skull and the malware name are missing...

Slide 14

Behavior summary
1. High level attack: encrypts files with selected extensions
2. Low level attack: encrypts the Master File Table, making the disk inaccessible
3. Spreads itself to other machines in the LAN (using e.g. the NSA's „Eternal” exploits)

Slide 15

A new Petya/Goldeneye?
Last year's edition of Petya:

Slide 16

Do you remember last year's Petya?
Almost all ransomware encrypts files one by one – Petya can do it as well.
But Petya has a unique feature: it attacks the bootloader, and then encrypts low-level structures on the disk (the Master File Table) – making the disk unreadable.
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/

Slide 17

Do you remember last year's Petya?
• Petya comes in 3 flavors: Red, Green and Golden (Goldeneye)
• Each version introduced improvements
• The latest versions were not decryptable

Slide 18

Do you remember last year's Petya?
• Dropper (Windows EXE):
  • overwrites the disk's beginning with the Petya kernel
  • encrypts files with selected extensions, one by one
• Petya kernel:
  • performs the disk encryption (MFT)

Slide 19

Behavior summary
1. High level attack: encrypts files with selected extensions
2. Low level attack: encrypts the Master File Table, making the disk inaccessible
3. Spreads itself to other machines in the LAN (using e.g. the NSA's „Eternal” exploits)

Slide 20

Let’s have a look inside...

Slide 21

The components involved
• 71b6a493388e7d0b40c83ce903bc6b04 – the main DLL, installed as: C:\Windows\perfc.dat
  Run by: rundll32.exe ,#1
• aeee996fd3484f28e5cd85fe26b6bdcd – a legitimate app incorporated by the malware: PsExec
• Mimikatz-like components for stealing credentials (used for further spreading of the malware in the LAN):
  • 2813d34f6197eb4df42c886ec7f234a1 – 32 bit version
  • 7e37ab34ecdcc3e77e24522ddfd4852d – 64 bit version
• f3471d609077479891218b0f93a77ceb – the low level part (Petya MBR + kernel)
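As an added example (not part of the talk or of any Malwarebytes tooling), the following Python script turns the indicators on this slide into two simple checks a responder could run: matching file hashes against the five MD5s listed above, and flagging process-creation log lines in which rundll32 loads a `.dat` module by ordinal `#1`, the way the main DLL (`perfc.dat`) is launched. The log line format and the log lines themselves are constructed for the demonstration; the hashes and paths come from the slide.

```python
import hashlib
import re

# MD5 hashes of the components listed on the slide, with the slide's descriptions.
COMPONENT_HASHES = {
    "71b6a493388e7d0b40c83ce903bc6b04": "main DLL (installed as C:\\Windows\\perfc.dat)",
    "aeee996fd3484f28e5cd85fe26b6bdcd": "PsExec (legitimate tool bundled by the malware)",
    "2813d34f6197eb4df42c886ec7f234a1": "Mimikatz-like credential dumper, 32 bit",
    "7e37ab34ecdcc3e77e24522ddfd4852d": "Mimikatz-like credential dumper, 64 bit",
    "f3471d609077479891218b0f93a77ceb": "low level part (Petya MBR + kernel)",
}

# Constructed process-creation log lines (assumed format: "<time> <image> | <command line>").
# Only the third line shows the launch pattern from the slide: rundll32 loading a .dat
# module by ordinal #1.
SAMPLE_LOG_LINES = [
    "10:01:02 C:\\Windows\\System32\\rundll32.exe | rundll32.exe shell32.dll,Control_RunDLL",
    "10:01:05 C:\\Windows\\System32\\svchost.exe | svchost.exe -k netsvcs",
    "10:02:11 C:\\Windows\\System32\\rundll32.exe | rundll32.exe C:\\Windows\\perfc.dat,#1",
    "10:02:30 C:\\Windows\\System32\\notepad.exe | notepad.exe perfc.dat",
]

# rundll32 followed by a module ending in .dat, then ",#1" (ordinal export 1).
RUNDLL32_DAT_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<module>\S+?\.dat)\s*,\s*#1\b", re.IGNORECASE
)


def hash_hits(files):
    """files: mapping path -> file content (bytes). Returns [(path, md5, description)]."""
    hits = []
    for path, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in COMPONENT_HASHES:
            hits.append((path, digest, COMPONENT_HASHES[digest]))
    return hits


def rundll32_dat_hits(log_lines):
    """Returns [(line_number, module_path)] for lines matching the rundll32 .dat,#1 pattern."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = RUNDLL32_DAT_ORDINAL.search(line)
        if match:
            hits.append((number, match.group("module")))
    return hits


if __name__ == "__main__":
    # Constructed file contents: none of them is a real sample, so no hash matches are expected.
    demo_files = {"C:\\Windows\\perfc.dat": b"not a real sample", "C:\\tmp\\x.bin": b"\x00" * 16}
    print("hash hits:", hash_hits(demo_files))
    print("rundll32 hits:", rundll32_dat_hits(SAMPLE_LOG_LINES))
```

The hash check is only as good as the sample list, so the rundll32 pattern is the more durable of the two: a `.dat` file loaded as a DLL by ordinal is unusual enough on a workstation to be worth an alert regardless of the file's hash.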

Slide 22

Petya or not? Comparing the code...
• The kernel of the new malware compared with the one from the latest Petya (Goldeneye)
Differences exist, but they are minor. The code base is the same as Goldeneye Petya.
Conclusion: it is a Petya

Slide 23

Petya or not? Comparing the code...
• Let's take a closer look at the differences...
Missing optimizations: this assembly code could never have been generated if the code had been recompiled.
Conclusion: it is a Petya, but not a legitimate strain – it was not recompiled from the original source. The Petya kernel was pirated and stolen from the original author.
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/

Slide 24

Ransomware or not?
• Yes, because it demanded a ransom and successfully collected money
• Not really, because paying the ransom cannot help a victim: the victim ID is a random string, generated BEFORE the encryption key is made
Conclusion: the attackers deliberately decided not to preserve the key
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/

Slide 25

Ransomware or not?
Conclusion: the attackers deliberately decided not to preserve the key. But why?
• Unfinished work, with a dummy text left in?
• Proof of destructive intentions?

Slide 26

Ransomware or not? – Unfinished work?
• Sometimes it happens, e.g. the Satana ransomware, which was deployed in the wild on a small scale, was also unfinished...
It reads user input, but never processes it. The original MBR cannot be recovered.
https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/

Slide 27

Ransomware or not? – Unfinished work?
• The authors of Petya.A/NotPetya tried to reimplement some features of the original Petya on their own, e.g. preserving the original MBR obfuscated by XOR with 0x7
The original MBR is preserved in sector 34 – an accurate imitation of the original Petya's behavior.
Conclusion: redundant effort in the case of destructive intentions

Slide 28

Ransomware or not? – Destructive intentions?
• Disruption attacks on Ukraine have already happened in the past, so it may be their continuation...
• However: if the ransomware is just a cover, why didn't the authors finish the cover? The fact of not preserving the key could easily have been hidden, e.g. by pretending that it is sent to a dead CnC server...
https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack

Slide 29

What is new?
1. High level attack: encrypts files with selected extensions
2. Low level attack: encrypts the Master File Table, making the disk inaccessible
3. Spreads itself to other machines in the LAN (using e.g. the NSA's „Eternal” exploits)

Slide 30

The infector
• Two ways of spreading:
1. Using exploits leaked from the NSA: ETERNALBLUE, ETERNALROMANCE + the DOUBLEPULSAR injector, with minor modifications
2. Using conventional tools: PsExec, Wmic
Similar to the WannaCry ransomware, which used ETERNALBLUE.
Conclusion: the infector was written by professionals
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/

Slide 31

The infector: finding network targets
• Targets are collected in a global list
• Multiple sources:
1. Command line argument (-h )
2. Scanning ports 139 and 445 in the LAN
3. DHCP servers and clients (DhcpEnumServerClients)
4. Cached ARP entries (GetIpNetTable)
5. Active TCP connections (GetExtendedTcpTable)
6. Active Directory domain (NetServerEnum)
Conclusion: very scrupulous in finding network targets

Slide 32

The infector: dumping credentials
• The malware comes with a mimikatz-based tool for dumping credentials, used for lateral movement
• The credentials are sent to the malware over a pipe...

Slide 33

Conditional paths

Slide 34

Conditional paths
The malware has several paths of execution. The flags are set depending on:
• options1: based on privileges
• options2: installed AV products: avp.exe (Kaspersky), ccSvcHst.exe (Symantec), NS.exe (Norton Security)
Conclusion: the behavior of the malware may vary from machine to machine
https://blog.nviso.be/2017/06/30/recovering-custom-hashes-for-the-petyanotpetya-malware/

Slide 35

Conditional paths
• Does it always deploy the low-level attack?
• No: if avp.exe (Kaspersky AV) is detected, it does not write the Petya kernel at the beginning of the disk... Instead, it overwrites those sectors with random data
• No MFT encryption is deployed
avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared)
8 = 1000b (the 4th bit is checked)
If avp is detected, the buffer is written, but not filled with Petya's code
https://securelist.com/no-free-pass-for-expetr/79008/

Slide 36

Conditional paths
The options that are set are fewer than the options that are checked...
Options2 bits checked: 1, 2, 4, 8, 16
avp.exe detected -> options2 &= 0xFFFFFFF7 = -9 (4th bit is cleared)
NS.exe or ccSvcHst.exe detected -> options2 &= 0xFFFFFFFB = -5 (3rd bit is cleared)
Conclusion: some of the conditional flags are not implemented – it may be a hint that the malware is not finished and was released prematurely (tests?)

Slide 37

Possible help?

Slide 38

Decrypting the Master File Table (Salsa20)
• Bruteforcing the key is not possible
• Plaintext attack on the ciphertext:
  • Possible due to an error in the implementation of Salsa20
  • Yet, it may be difficult in real life scenarios...
  • There is a tool by CrowdStrike: https://www.crowdstrike.com/blog/decrypting-notpetya-tools-for-recovering-your-mft-after-an-attack/
• Forensically carving files out of the disk...
Conclusion: there is no perfect solution allowing the MFT to be recovered and all the data to be retrieved.

Slide 39

Decrypting files (AES + RSA)
• Bruteforcing the key is not possible
• The attackers were willing to sell the key
Conclusion: there is no solution at the moment, as nobody bought the key

Slide 40

Conclusions

Slide 41

Conclusions
Looking at the code we can find many inconsistencies that raise doubts.
- Was it a state sponsored attack on Ukraine?
- Was it just an attack by unfinished ransomware?

Slide 42

Links
https://securelist.com/a-kings-ransom-it-is-not/79057/
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
https://www.esentire.com/blog/a-closer-look-at-petyasnotpetyas-network-spreading-code/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
https://labsblog.f-secure.com/2017/06/30/what-good-is-a-not-for-profit-eternal-petya/

Slide 43

Questions? Remarks?
More: https://blog.malwarebytes.com/?s=eternalpetya

Slide 44

Thank you!