This week has been abuzz with articles on the new Petya outbreak, now commonly referred to as NotPetya. Initially, the new malware outbreak was observed to share many characteristics with the Petya ransomware from last year: it rewrites the master boot record of the victim's computer with a ransom note claiming that the disk has been encrypted and giving instructions on how to pay the ransom to recover files. Early on, differences in NotPetya were noted, such as using a single email address as a point of contact rather than using the Tor network to facilitate ransom payment and recovery key distribution. On June 28th, an analysis published at https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b revealed that NotPetya is, in fact, a disk wiper and not ransomware: it overwrites the disk in a way that is not reversible, likely much to the dismay of those infected.

A typical NotPetya attack we observed starts its life as an RTF file with a .doc extension attached to an email, although in a few cases it has also been reported to have spread through a bug in the MEDoc tax accounting software. In the RTF attack vector, using a .doc file extension helps ensure that Microsoft Word, rather than WordPad, is used to open the RTF file; WordPad is commonly the default application for RTF files on Windows. This takes advantage of the fact that Windows chooses the program that opens a file based on its extension rather than by detecting its actual file type. Ensuring that Word opens the file matters here because this stage of the attack uses CVE-2017-0199. CVE-2017-0199 abuses the HTA file handler to execute arbitrary code, in this case a block of obfuscated JavaScript inside a malformed OOXML file. When the remote file is pulled down, its content type is declared as application/hta, which triggers the vulnerability and executes the JavaScript within the file.
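The two defensive checks that follow from this description are (a) whether an attachment's extension matches the file type its bytes actually declare, since Windows trusts the extension, and (b) whether a document fetch came back declared as application/hta. The Python below is an added example, not code from the original post or from Barracuda; the attachment bytes and proxy log lines are constructed samples, and treating the RTF \objautlink and \objupdate control words (a linked OLE object that refreshes on open) as the suspicious construct is my heuristic, not something the post states.

```python
import re

# Constructed samples (not real malware): a ".doc" whose bytes are RTF carrying an
# auto-updating linked object, a genuine OLE2 .doc, and a genuine OOXML .docx.
ATTACHMENTS = {
    "Order_Details.doc": (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
                          b"{\\*\\objdata 0105000002000000}}\\par}"),
    "Quarterly_Report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "Notes.docx": b"PK\x03\x04" + b"\x00" * 26,
}

# Leading-byte signatures for the container formats Word will open.
MAGIC = [(b"{\\rt", "rtf"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
         (b"PK\x03\x04", "ooxml")]
# What each extension should contain; Windows itself never verifies this.
EXPECTED = {"doc": {"ole2"}, "dot": {"ole2"}, "docx": {"ooxml"}, "rtf": {"rtf"}}


def sniff_type(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the filename."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension would route the file to a different handler than its real type."""
    ext = name.rsplit(".", 1)[-1].lower()
    return ext in EXPECTED and sniff_type(data) not in EXPECTED[ext]


def has_auto_update_link(data: bytes) -> bool:
    """RTF linked OLE object marked to refresh on open (heuristic, see lead-in)."""
    return sniff_type(data) == "rtf" and b"\\objautlink" in data and b"\\objupdate" in data


def triage_attachment(name: str, data: bytes) -> list:
    """Return human-readable findings for one attachment; empty list means nothing flagged."""
    findings = []
    if extension_mismatch(name, data):
        findings.append(f"extension .{name.rsplit('.', 1)[-1].lower()} but content is {sniff_type(data)}")
    if has_auto_update_link(data):
        findings.append("RTF auto-updating linked object")
    return findings


# Constructed proxy log lines: "timestamp client method url status content-type".
PROXY_LOG = [
    "2017-06-27T09:14:02Z 10.0.0.12 GET http://example.invalid/order.doc 200 application/hta",
    "2017-06-27T09:14:05Z 10.0.0.12 GET http://example.invalid/logo.png 200 image/png",
]
HTA_RE = re.compile(r"\s(\S+)\s\d{3}\sapplication/hta$")


def hta_downloads(lines) -> list:
    """URLs whose response was declared application/hta, the trigger described above."""
    return [m.group(1) for m in (HTA_RE.search(line) for line in lines) if m]
```

Run `triage_attachment` over each entry in `ATTACHMENTS` at the mail gateway and `hta_downloads` over proxy logs; only the mislabelled RTF and the order.doc fetch are flagged.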

Since not everyone is an expert on what looks suspicious, protecting your company with malware detection and security tools is important as well. Even the best protection can be circumvented with enough effort, however, so it is important not to let security tools reduce one's awareness or vigilance. In campaigns like WannaCry and NotPetya, where automated spreading through the network is built in, it only takes one infection to potentially put an entire network at risk. This makes it critical to keep all operating systems and software up to date in order to mitigate spreading through exploits like EternalBlue and EternalRomance. Combining security tools with human diligence is key to preventing infections like this from taking place.
Jonathan Tanner is a Threat Research Engineer in our Campbell office.