BadRabbit: a closer look at the new version of Petya/NotPetya
Petya/NotPetya (aka EternalPetya) made headlines in June, attacking users around the world. Today we noted an outbreak of a similar-looking malware, called BadRabbit, probably prepared by the same authors.

Just like the previous edition, BadRabbit carries an infector that enables lateral movement: it propagates over SMB, authenticating to neighbouring machines with a hardcoded list of usernames and passwords. However, unlike NotPetya, it does not use EternalBlue, and its spread has been much more limited (impacted countries include Ukraine, Russia, Turkey, and Bulgaria). Another key difference is the initial vector: BadRabbit is delivered by a website dropping a fake Flash update. Some of the internal components have also been replaced.

The malware package is complex, and we will likely dedicate future articles to describing all of its features. For now, let's have an initial look.

Analyzed samples

fbbdc39af1139aebba4da004475e8839 – the dropper (original dropped sample)
1d724f95c61f1055f0d02c2154bbccd3 – infpub.dat –
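The SMB propagation described above, where one infected host tries a fixed list of usernames and passwords against its neighbours, leaves a recognisable footprint in Windows Security logs: a burst of failed network logons (event 4625, logon type 3) from a single source against a single target, cycling through many distinct account names, sometimes followed by a success (event 4624). The detector below is an added example written for this article, not code from the original post or from the malware; the log format is a constructed, simplified export (timestamp, event ID, source IP, target host, account, logon type), the sample lines are made up, and the 5-account/5-minute threshold is an assumption to tune for your environment. It does not embed BadRabbit's actual credential list.

```python
"""Flag SMB credential spraying: many distinct accounts failing network logons
from one source to one target within a short window (added example, not from
the original post)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry). Fields:
# timestamp, EventID, source IP, target host, account, logon type.
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (SMB).
SAMPLE_LOG = """\
2017-10-24T11:02:01,4625,10.0.0.15,FILESRV01,Administrator,3
2017-10-24T11:02:02,4625,10.0.0.15,FILESRV01,Admin,3
2017-10-24T11:02:02,4625,10.0.0.15,FILESRV01,Guest,3
2017-10-24T11:02:03,4625,10.0.0.15,FILESRV01,User,3
2017-10-24T11:02:03,4625,10.0.0.15,FILESRV01,User1,3
2017-10-24T11:02:04,4625,10.0.0.15,FILESRV01,backup,3
2017-10-24T11:02:05,4624,10.0.0.15,FILESRV01,backup,3
2017-10-24T11:15:00,4625,10.0.0.22,FILESRV01,jsmith,3
2017-10-24T11:15:30,4625,10.0.0.22,FILESRV01,jsmith,3
2017-10-24T11:16:00,4624,10.0.0.22,FILESRV01,jsmith,3
2017-10-24T11:20:00,4625,10.0.0.31,WKS-07,alice,2
"""


def parse_events(text):
    """Parse the simplified CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, src, dst, account, logon_type = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "src": src,
            "dst": dst,
            "account": account,
            "logon_type": int(logon_type),
        })
    return events


def find_spray_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {(src, dst): finding} for every source/target pair where at least
    `min_accounts` distinct accounts failed a network logon inside `window`.
    A finding also lists accounts that logged on successfully (4624) from the
    same source during that window, i.e. a credential from the list worked."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:          # only network logons matter for SMB spread
            by_pair[(ev["src"], ev["dst"])].append(ev)

    findings = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 4625]
        # Slide a window starting at each failure; the first one that covers
        # enough distinct accounts is reported for the pair.
        for i, first in enumerate(failures):
            window_end = first["time"] + window
            accounts = {e["account"] for e in failures[i:] if e["time"] <= window_end}
            if len(accounts) >= min_accounts:
                successes = sorted({
                    e["account"] for e in evs
                    if e["event_id"] == 4624 and first["time"] <= e["time"] <= window_end
                })
                findings[pair] = {
                    "start": first["time"],
                    "accounts": sorted(accounts),
                    "successes": successes,
                }
                break
    return findings


if __name__ == "__main__":
    for (src, dst), f in find_spray_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {len(f['accounts'])} accounts tried from {f['start']}; "
              f"successful: {f['successes'] or 'none'}")
```

Only the first source in the sample data is reported: 10.0.0.22 fails twice with the same account (an ordinary mistyped password), and the 10.0.0.31 line is an interactive logon (type 2), so neither looks like SMB propagation. The reported success for "backup" is the signal that matters most in an outbreak, since it identifies the host the worm was able to reach next.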