When WannaCry hit, the news sent shivers down the world. Reports of hospital outages and super secret tools used by the NSA (Equation Group) that could hack into any version of Windows was released to the public. During this period of time, the community warned of more waves were soon to come. This started yesterday around June 26, 2017 primarily in Ukraine and Binary Defense started to see some of the first large infections of Petya (or some calling it NotPetya) happening at other geographic locations early this morning. On the surface, this appeared to be another EternalBlue/MS17-010 campaign being used on the surface and a new variant. No-one at the time knew exactly how the infection methods were being used, but multiple companies jumped the gun and reports claimed multiple avenues including HTA attack vectors, email campaigns with attached word and excel documents.

The motives of the malware authors are unknown - the interesting part is the geographic/demographics of who this specific attack was designed for (Ukraine). Additionally, the software was designed well - unlike WannaCry which was rudimentary in nature but had a terrible backend infrastructure to make payments for the ransom. While we can't determine where this specific attack came from, the motives of targeting Ukrainians, the development, and how it was deployed would indicate possible nation state motivations and not ransomware. Regardless, it had a large impact in a short period of time and caused substantial damage to organizations impacted by this.

So What Really Happened?

A third party software called M.E. Doc (MeDoc) which, is an accounting software primarily used in the Ukraine was compromised. With any of these early warning signs, there is a lot of information and data to cut through before actually coming to a factual conclusion. Other vectors such as documents, excel, and obfuscated HTA's seem to be confused reports on another campaign called the Loki Bot. Based on the analysis, if any organization had MeDoc installed, they would be impacted as soon as it was updated. MeDoc is a required software out of Ukraine - so there was a large footprint here from Ukraine-based companies and orgnaizations that do business in Ukraine. There is substantial evidence supporting this as the main method and has been confirmed by multiple organizations including Binary Defense.

Initial reports look as if a hosting server upd.me-doc.com.ua (owned by me-doc) pushed an update which was 333KB in size. Once the file was updated, this is when much of the magic started to happen.

Why Everyone Freaked

Unlike WannaCry, Petya used multiple techniques in order to compromise hosts in a very fast timeframe. The first technique was using the EternalBlue (MS17-010) exploit. While this was occurring, other scenarios happened on the system:

1. An older version of psexec v1.98 is dropped onto the system under C:\Windows\dllhost.dat. Why the version is important is that in version 2.1 of psexec, encryption was introduced for credential authentication. If monitoring command line arguments in v1.98, you can see the clear-text passwords for authentication in this specific variant (good indicator of actual accounts that were used and the passwords compromised).

2. A technique used by Mimikatz and other tools leveraging lsadump to dump passwords from memory is used in order to extract clear-text passwords from memory. These are parsed, and then used by WMIC and PSEXEC. We can clearly see clear-text passwords being used when executing the WMIC and PSEXEC command line.

3. PSEXEC and WMIC are used in order to attempt to spread across the network using the extracted credentials. For both PSEXEC and WMIC methods to work, the ADMIN$ hidden share needs to be exposed and successful authentication in order to connect to the remote system.

Below is a screenshot of the service creation starting for psexec:

4. A file is placed under C:\Windows\perfc.dat which contains the bulk of the code to perform post exploitation scenarios including encryption and additional lateral movement using WMIC and PSEXEC. Once perfc.dat written to disk, perfc.dat is called by rundll32.exe and used to import into memory and begin its attacks.

Once successful, a scheduled task is run:

schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST XX:XX"

Below is the image once your system is forced to reboot:

The system would restart in about an hour. During this period of time specific file types are encrypted.

Below is a screenshot of HoneyDocs being overwritten on the filesystem:

For the rundll32, you can clearly see the import and execution of code:

Note that the clear-text passwords of username/pw are presented due to the legacy version of psexec. Since the time of the ransomware, the email address (wowsmith123456 [at] posteo.net) that was used to contact for the recovery key was suspended and recovering the files is not possible (at this time). This means do not pay the ransom.

The ability to extract clear-text passwords from memory, and move laterally using psexec and WMI on top of using EternalBlue make this specific ransomware attack particularly damaging. We have seen upwards to 5,000 endpoints compromised in less than 15 minutes. These techniques are often used by attackers on a regular basis, but the automation components and destructiveness puts this variant into a whole different ballgame.

Again, these are all techniques leveraged by more targeted attacks and known for years. The tactics and automation used in these cases and the "wormable" component of EternalBlue make this specific Ransomware extremely damaging for organizations and the reason for the panic.

How to Protect

First, one of the main samples and hashes can be found at VirusTotal. SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

Second, through our analysis, Binary Defense discovered that by either placing the file C:\Windows\perfc.dat or by denying filewrites to C:\Windows\perfc.dat - this effectively killed the effectiveness of the ransomware and stopped the replication/spreading of the worm:

This can be accomplished through group policy by creating a file in the directory. If the perfc.dat file is in place, the malicious software does not overwrite and effectively fixes the issue.

Image screenshot credit @TonikJDK and @0daydorpher

This attack solely relied off of a user having administrative level rights on the system that was impacted and from there moving across the network with those credentials. Account/password re-use needs to be addressed and having limited user rights on systems would have reduced the impact and effectiveness of this attack.

What this Attack Tells Us

What this attack tells us is that automation around lateral movement and targeted attacks is a problem. Password reuse continues to be the number one method for attacks to move laterally to different systems. Users that have Internet access and have local administrative rights is a complete pandemic in a number of organizations. This needs to change. What we can take away from these specific attacks is that we need to focus on best practices. Everything that has been touted in the security industry as a way to enhance the overall security program would have worked in this scenario.

1. Proper patch management - stopped the EternalBlue method
2. No Administrative level rights - stopped the propagation and clear-text extraction of hashes.

The file dropping of perfc.dat is only a temporary solution. More proactive measures to eliminate the threat need to be investigated. If proven true, the MeDoc will be slightly contained to Ukrainian companies or organizations that do business in the Ukraine. This could have been much. MUCH worse.

Special thanks to a number of folks that helped with up-to-date information during the process: @HackingDave (Binary Defense CTO), @0xAmit, and @HackerFantastic

Misc. Indicators and Information

WMI call: process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1

Targeted Extensions (@GasGeverij):


David Kennedy

Written by David Kennedy