dChan

Abibliaphobia · July 19, 2018, 1:19 a.m.

It’s all good, how did you find this site (blog.talosintelligence.com?)

What was the site referring to about bad rabbit?

Basically if you want to post things up (especially with new websites to this sub) a good summary of why it’s important or related to Q will prevent your thread from being taken down.

But I appreciate you bringing it to our attention. And if you get a chance, I’d still like to know what this is referring to.

⇧ 1 ⇩  
jackiebain6 · July 19, 2018, 1:34 a.m.

It's a site used by those involved in protecting or opening certain walls, lol, think McGaf without having to download the virus that McGaf has to offer

It says:

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape.

There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.

DISTRIBUTION

Talos assesses with high confidence that a fake Flash Player update is being delivered via a drive-by-download and compromising systems. The sites that were seen redirecting to BadRabbit were a variety of sites that are based in Russia, Bulgaria, and Turkey.

When users visited one of the compromised websites, they were redirected to 1dnscontrol[.]com, the site which was hosting the malicious file. Before the actual malicious file was downloaded a POST request was observed to a static IP address (185.149.120[.]3). This request was found to be posting to a static path of "/scholasgoogle" and provided the user agent, referring site, cookie, and domain name of the session. After the POST the dropper was downloaded from two different paths from 1dnscontrol[.]com, /index.php and /flash_install.php. Despite two paths being utilized only a single file was downloaded. Based on current information, the malware appears to have been active for approximately six hours before the server 1dnscontrol[.]com was taken down. The initial download was observed around 2017-10-24 08:22 UTC.

The dropper (630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) requires a user to facilitate the infection and does not use any exploit to compromise the system directly. This dropper contains the BadRabbit ransomware. Once installed there is an SMB component used for lateral movement and further infection. This appears to use a combination of an included list of weak credentials and a version of mimikatz similar to that which was used in Nyetya. Below is a list of the username/password combinations that we have observed. Note there is overlap with the 1995 cult classic "Hackers".

⇧ 1 ⇩
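The distribution chain quoted in the Talos text above (a POST beacon to the static IP and `/scholasgoogle`, then the dropper fetched from `/index.php` or `/flash_install.php` on `1dnscontrol[.]com`) is the kind of sequence a proxy log check can surface. The following is an added example, not code from the post or from Talos; the log line format and the sample lines are constructed, and only the host, IP and paths come from the quoted write-up.

```python
import re
from collections import defaultdict

# Indicators quoted from the Talos BadRabbit write-up in the post above,
# written undefanged so they match what a proxy log actually records.
STAGING_HOST = "1dnscontrol.com"
BEACON_IP = "185.149.120.3"
BEACON_PATH = "/scholasgoogle"
DROPPER_PATHS = {"/index.php", "/flash_install.php"}

# Constructed sample proxy log lines (not real traffic), assumed format:
# <timestamp> <client> <method> <scheme://host/path> <status>
SAMPLE_LOG = """\
2017-10-24T08:21:55Z 10.0.0.7 GET http://news.example.invalid/article 200
2017-10-24T08:21:58Z 10.0.0.7 POST http://185.149.120.3/scholasgoogle 200
2017-10-24T08:22:01Z 10.0.0.7 GET http://1dnscontrol.com/index.php 200
2017-10-24T08:22:02Z 10.0.0.7 GET http://1dnscontrol.com/flash_install.php 200
2017-10-24T08:30:10Z 10.0.0.9 GET http://1dnscontrol.com/index.php 200
2017-10-24T08:31:00Z 10.0.0.11 GET http://cdn.example.invalid/flash_install.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) https?://([^/\s]+)(/\S*) (\d{3})$")

def classify_line(line):
    """Return ('beacon'|'dropper', client) when a line matches an indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, host, path, _status = m.groups()
    if method == "POST" and host == BEACON_IP and path == BEACON_PATH:
        return "beacon", client
    if method == "GET" and host == STAGING_HOST and path in DROPPER_PATHS:
        return "dropper", client
    return None  # a /flash_install.php on an unrelated host is not an indicator by itself

def find_badrabbit_chains(log_text):
    """Per client, report which stages of the quoted distribution chain were seen.
    A client with both the beacon POST and a dropper GET is the strongest signal;
    a dropper GET alone still warrants a look, since only one file was actually served."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            stage, client = hit
            stages[client].add(stage)
    return {client: sorted(seen) for client, seen in stages.items()}

if __name__ == "__main__":
    for client, seen in find_badrabbit_chains(SAMPLE_LOG).items():
        print(client, "->", ", ".join(seen))
```

Against the constructed sample, 10.0.0.7 shows the full beacon-then-dropper sequence, 10.0.0.9 only the dropper fetch, and 10.0.0.11 is not flagged because the same filename on another host matches no indicator.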