NotPetya – Both More and Less than it Seems

This week has been abuzz with articles on the new Petya outbreak, now being commonly referred to as NotPetya. Initially, the new malware outbreak was observed to have many of the same characteristics of the Petya ransomware from last year as it rewrites the master boot record of victim's computer with a ransom note claiming that the disk has been encrypted and giving instructions on how to pay the ransom to recover files. Early on, differences in NotPetya were noted such as using a single email address as a point of contact rather than using the Tor network to facilitate ransom payment and recovery key distribution. On June 28th, https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b revealed that NotPetya is, in fact, a disk wiper and not ransomware, overwriting the disk in a way that is not reversible, likely much to the dismay of those infected.

Click here for larger image

A typical NotPetya attack we observed starts its life as an RTF file with a .doc extension attached to an email, although it has been reported to have been spread through a bug in MEDoc tax accounting software as well in a few cases. In the RTF attack vector, using a .doc file extension helps ensure that Microsoft Word is used to open the RTF file rather than WordPad, which is commonly the default application used to open RTF files on Windows. This leverages Windows' use of file extensions rather than detecting file types to determine what program opens a particular file. Attempting to ensure Word opens the file is important in this case due to the use of CVE-2017-0199 for this part of the attack. CVE-2017-0199 affects the HTA file handler to allow arbitrary code to be executed, in this case a block of obfuscated JavaScript inside a malformed OOXML file. The content type is declared as application/hta when the remote file is pulled down to trigger the vulnerability and execute the JavaScript within the file.

Click here for larger imageThe JavaScript immediately hides the window it creates, then uses ActiveX to find a path to download the NotPetya payload to and run a PowerShell script that downloads and executes the payload from a hacked site. The script tries to detect and handle errors during execution to avoid alerting the user to its presence.

Click here for larger imageThe NotPetya payload itself looks for credentials to steal on the victim's computer such as passwords saved by web-browsers, checks for privilege escalation attempts on the network to spread itself through, tries to leverage CVE-2017-0144 also known as EternalBlue and CVE-2017-0145 also known as EternalRomance to spread through the network, and finally runs its Petya-like fake ransomware routine to corrupt the victim's hard drive and issue the fake ransom note after a reboot.

Click here for larger imageIt's likely the fake ransomware part of the malware was a two-fold strategy of delaying discovery of stolen credentials and trying to make some quick money. Even with actual ransomware, there is no guarantee that paying the ransom will result in recovering files, although not doing so does hurt the ransomware business model as it lowers the incentive for victims to pay the ransom. Of course, getting to this decision is the worst case scenario. Prevention is the key and preventing NotPetya infections is not unlike preventing any other malware infection, possibly with the exception of the few MEDoc cases where vendor updates caused the infection through legitimate channels.

Click here for larger imageIt's crucial to remain vigilant when dealing with the most common attack vectors for malware, namely email and the Internet. Suspicious emails and attachments should be avoided, or in the case of spear phishing attempts where the email seems to be from a legitimate sender, verify with the sender through some other communication means that the email is legitimate. Avoiding suspicious sites and advertisements on the Internet is also critical, as well as suspicious links in email.

Since not everyone is an expert on what looks suspicious, protecting your company with malware detection and security tools is important as well. Even the best protection can be circumvented with enough effort, however, so it's important to not let security tools reduce one's awareness or vigilance. In campaigns like WannaCry and NotPetya where automated spreading through the network is built in, it only takes one infection to potentially put an entire network at risk. This makes it critical to ensure that all operating systems and software are up to date in order to mitigate spreading through exploits like EternalBlue and EternalRomance. Combining security tools with human diligence is key to preventing infections like this from taking place.

---

Jonathan Tanner is a Threat Research Engineer in our Campbell office. Connect with him on LinkedIn here.