Longitudinal research points to similarities between multiple campaigns by the TeleBots cybercriminal group in Ukraine, and aspects of their evolving toolset in attacks between December 2016 and March 2017, and the Diskcoder.C (aka Petya) outbreak that took place June 27, 2017.
“The parallels to the December 2016 attack against financial institutions, and the subsequent development of a Linux version of KillDisk malware used by TeleBots are strong clues. It was these indicators, alongside mounting attacks on computer systems in Ukraine, that warranted a deeper look at TeleBots,” said Senior ESET Malware Researcher, Anton Cherepanov.
TeleBots modus operandi has consistently been the use of KillDisk to overwrite files with specific extensions to victims’ disks. Thus, collecting ransom was unlikely to be their primary goal, as target files were not so much as encrypted, but overwritten. While, subsequent attacks did see the addition of encryption, contact information and other features of ransomware, the incidents still stood apart.
In 2017, between January and March, TeleBots attackers compromised a software company in Ukraine using VPN tunnels and gained access to the internal networks of several financial institutions, revealing an enhanced arsenal of Python coded tools. During the final stages of that campaign, they pushed ransomware using stolen Windows credentials and SysInternals PsExec. ESET products detected this new ransomware as Win32/Filecoder.NKH. It was followed by Linux ransomware, detected as Python/Filecoder.R, predictably written in Python.
Next, TeleBots unleashed Win32/Filecoder.AESNI.C (referred to as XData) on May 18, 2017. Spread mostly in Ukraine via an update of M.E.Doc a widely used financial software in Ukraine. According to ESET LiveGrid®, the malware was created right after software execution, allowing it lateral movement, automatically, inside a compromised company LAN. Despite ESET publishing a decryption tool for Win32/Filecoder.AESNI, the event didn’t gain much attention.
However, on June 27, the Petya-like outbreak (Diskcoder.C) that has compromised so many systems in both critical infrastructure and other businesses in Ukraine and beyond, appeared and displayed the ability to replace Master Boot Record (MBR) with its own malicious code, code borrowed from Win32/Diskcoder.Petya ransomware.
Diskcoder.C’s authors have modified the MBR code so that recovery in not possible and while displaying payment instructions, as we now know, the information is useless. Technically, there are many improvements (see the blog post here). Critically, once the malware is executed it attempts to spread using infamous EternalBlue exploit, leveraging DoublePulsar kernel mode backdoor. Exactly same method used in WannaCry ransomware.
The malware is also capable of spreading the same way as Win32/Filecoder.AESNI.C (aka XData) ransomware, using a lightweight version of Mimikatz to obtain passwords, then executing the malware using SysInternals PsExec. In addition, attackers have implemented third method to spread using a WMI mechanism.
All three methods have been used to spread malware inside LANs. But, unlike WannaCry malware, in this case the EternalBlue exploit is used by Diskcoder.C malware only against computers within internal address space.
Tying TeleBots to this activity also means understanding why the infections took hold in other countries, seemingly breaking its strong focus on Ukraine. We’ve zeroed in on VPN connections between users of M.E.Doc, its customers, and their global business partners. Additionally, M.E.Doc has an internal messaging and document exchange system, so attackers could send spearphishing messages to victims. Attackers also had access to the update server supplying legitimate software. Using access to this server, attackers pushed malicious updates applied automatically without user interaction.
“With such deep infiltration of M.E.Doc’s infrastructure and its clientele, the attackers had deep resources to spread Diskcoder.C. Despite some “collateral damage”, the attack demonstrated a deep understanding of the resources at their disposal. Furthermore, the additional capabilities of the EternalBlue exploit kit have added a unique dimension that the cybersecurity community will increasingly have to grapple with,” further remarked Senior ESET Malware Researcher, Anton Cherepanov.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET was the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.