Hello,
According to the Symantec report, the findings and hashes are as follows:
Preliminary Technical Details:
There are reports that the threat is initially introduced through a compromised website/watering hole attack using a JavaScript.
The JavaScript creates a pop-up to install a malicious Flash Player update.
When the user clicks on the "Install" button, install_flash_player.exe is downloaded from hxxp://1dnscontrol[.]com and executed.
This file is the main threat and scans for open shares within the environment and then launches the Hacktool to harvest credentials in order to execute infpub.dat from rundll.exe.
It then uses DiskCryptor (legitimate software) as a means to encrypt the hard drive and dispci.exe to create the lock screen.
Coverage: On-Disk detection is now available for the main components of the threat.
install_flash_player.exe - Ransom.BadRabbit – Dropper component
MD5: fbbdc39af1139aebba4da004475e8839
SHA2: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
Total Cloud Protection(SEP14): Trojan Horse – Available now
Detected as: Ransom.BadRabbit RR Seq: 188194 – Ext: 20171024.016
infpub.dat - Ransom.BadRabbit – Main Threat/Encryptor component
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA2: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
Total Cloud Protection(SEP14): Trojan Horse – Available now
Detected as: Ransom.BadRabbit - RR Seq: 188198 – Ext: 20171024.020
dispci.exe - Ransom.BadRabbit – ScreenLocker component
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA2: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Total Cloud Protection(SEP14): Trojan Horse – Available now
Detected as: Ransom.BadRabbit - RR Seq: 188198 – Ext: 20171024.020
TMP file - Ransom.BadRabbit – Hacktool component
MD5: 347ac3b6b791054de3e5720a7144a977
SHA2: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
Detected as: Ransom.BadRabbit – RR Seq: 188200 – Ext: 20171024.022
TMP file - Ransom.BadRabbit – Hacktool component
MD5: 37945C44A897AA42A66ADCAB68F560E0
SHA2: 2F8C54F9FA8E47596A3BEFF0031F85360E56840C77F71C6A573ACE6F46412035
Detected as: Ransom.BadRabbit - RR Seq: 188200 – Ext: 20171024.022
page-main.js – From compromised website – Under research
Detected as: ??? pending
DiskCryptor - Legitimate disk encryption software (not detected)
MD5: edb72f4a46c39452d1a5414f7d26454a
SHA2: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
Actions:
Block hxxp://1dnscontrol[.]com at the gateway
Blacklist known threat hashes (see above)
Consider blacklisting DiskCryptor hash (see above)
Mehmet Can TAŞ
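The "Actions" list above asks for the known hashes to be blacklisted. The script below is an added example (not part of the message or of Symantec's report) showing how a defender can turn that hash list into a file-system sweep: it parses "SHA2:" lines out of an advisory pasted as plain text, hashes every file under a directory in chunks, and reports matches. The SHA-256 values are copied from the Symantec findings quoted above; the file names in the demo directory and its contents are constructed for the run and are not samples. DiskCryptor's hash is kept apart from the malware set because the report calls it legitimate software.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

# SHA-256 indicators copied from the Symantec findings quoted above (lower-cased,
# since the advisory lists one of them in upper case).
BADRABBIT_SHA256: Dict[str, str] = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": "install_flash_player.exe (dropper)",
    "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648": "infpub.dat (encryptor)",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93": "dispci.exe (screen locker)",
    "301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c": "TMP file (hacktool)",
    "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035": "TMP file (hacktool)",
}

# DiskCryptor is legitimate software per the report: report it, but keep it out of
# the malware set so a blocking decision stays a conscious one.
DISKCRYPTOR_SHA256: Dict[str, str] = {
    "0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6": "DiskCryptor (legitimate; review before blocking)",
}

# Matches the "SHA2: <64 hex chars>" lines used in the advisory text.
SHA2_LINE = re.compile(r"^\s*SHA2:\s*([0-9A-Fa-f]{64})\s*$", re.MULTILINE)


def parse_sha256_iocs(advisory_text: str) -> Set[str]:
    """Extract every SHA-256 from 'SHA2:' lines of an advisory pasted as plain text."""
    return {m.group(1).lower() for m in SHA2_LINE.finditer(advisory_text)}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, description) for every file whose SHA-256 is in `iocs`."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def run_demo() -> Dict[str, object]:
    """Run the sweep on a constructed temporary directory (no real samples involved)."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed benign bytes, not malware")  # constructed content
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"nothing to see here")  # constructed content
        # Use the constructed file's own digest as an indicator to show what a hit looks like.
        test_iocs = {sha256_of_file(sample): "constructed test indicator"}
        return {
            "hits_against_real_iocs": scan_tree(root, {**BADRABBIT_SHA256, **DISKCRYPTOR_SHA256}),
            "hits_against_test_ioc": scan_tree(root, test_iocs),
            "parsed_from_text": parse_sha256_iocs("MD5: ignored\nSHA2: " + "A" * 64 + "\n"),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In practice you would call `scan_tree` on the share or endpoint paths of interest with `BADRABBIT_SHA256` (and `DISKCRYPTOR_SHA256` if you decide to flag it), and feed `parse_sha256_iocs` the advisory text directly so the indicator list is not retyped by hand. Hash matching only catches the exact files listed; it complements, rather than replaces, the gateway block on hxxp://1dnscontrol[.]com recommended above.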
---- On Tue, 24 Oct 2017 21:26:57 +0300 Hamza Şamlıoğlu
<[email protected]> wrote ----
Hello friends,
According to information shared on the internet, the BadRabbit ransomware, which infects systems via a fake Adobe Flash update using the EternalBlue exploit, has started to take effect in Turkey, Russia, Ukraine and Bulgaria! It is also reported that BadRabbit uses Mimikatz after infecting the system.
Blog post:
https://www.bgasecurity.com/2017/10/badrabbit-ransomware-yayilmaya-basladi/
We recommend that you stay alert to this attack.
Best regards.
Hamza Şamlıoğlu
http://teakolik.blog
PGP/GPG
-------------------------------------------------
Webinar - Next-Generation DDoS Attacks and Defense Methods
https://www.bgasecurity.com/yeni-nesil-ddos-saldirilari-ve-savunma-yontemleri/
-------------------------------------------------