{
	"id": "7d843814-1d2c-47e5-83ff-ef458d64ab90",
	"created_at": "2026-04-06T00:12:05.955668Z",
	"updated_at": "2026-04-10T03:26:53.228353Z",
	"deleted_at": null,
	"sha1_hash": "aa90bbd5b728b8a7f82267b1a22a745c65e87a85",
	"title": "Threat Spotlight: Follow the Bad Rabbit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 722775,
	"plain_text": "Threat Spotlight: Follow the Bad Rabbit\r\nBy Nick Biasini\r\nPublished: 2017-10-24 · Archived: 2026-04-05 22:40:42 UTC\r\nNote: This blog post discusses active research by Talos into a new threat. This information should be\r\nconsidered preliminary and will be updated as research continues.\r\nUpdate 2017-10-26 16:10 EDT: added additional information regarding the links between Nyetya and BadRabbit\r\nUpdate 2017-10-26 09:20 EDT: added additional information regarding the EternalRomance exploit\r\nUpdate 2017-10-25: added additional information regarding encryption and propagation methods\r\nOn October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across\r\neastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation\r\nand ensure that customers remain protected from this and other threats as they emerge across the threat landscape.\r\nThere have been several large scale ransomware campaigns over the last several months. This appears to have\r\nsome similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to\r\nhave been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we\r\nhave seen recently.\r\nDistribution\r\nTalos assesses with high confidence that a fake Flash Player update is being delivered via a drive-by-download\r\nand compromising systems. The sites that were seen redirecting to BadRabbit were a variety of sites that are based\r\nin Russia, Bulgaria, and Turkey.\r\nWhen users visited one of the compromised websites, they were redirected to 1dnscontrol[.]com, the site which\r\nwas hosting the malicious file. Before the actual malicious file was downloaded a POST request was observed to a\r\nstatic IP address (185.149.120[.]3). 
This request was found to be posting to a static path of \"/scholasgoogle\" and\r\nprovided the user agent, referring site, cookie, and domain name of the session. After the POST the dropper was\r\ndownloaded from two different paths from 1dnscontrol[.]com, /index.php and /flash_install.php. Despite two\r\npaths being utilized only a single file was downloaded. Based on current information, the malware appears to have\r\nbeen active for approximately six hours before the server 1dnscontrol[.]com was taken down. The initial\r\ndownload was observed around 2017-10-24 08:22 UTC.\r\nThe dropper (630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) requires a user to\r\nfacilitate the infection and does not use any exploit to compromise the system directly. This dropper contains the\r\nBadRabbit ransomware. Once installed there is an SMB component used for lateral movement and further\r\ninfection. This appears to use a combination of an included list of weak credentials and a version of mimikatz\r\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html\r\nPage 1 of 16\n\nsimilar to that which was used in Nyetya. Below is a list of the username/password combinations that we have\r\nobserved. Note there is overlap with the 1995 cult classic \"Hackers\".\r\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html\r\nPage 2 of 16\n\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html\r\nPage 3 of 16\n\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html\r\nPage 4 of 16\n\nObserved Password List\r\nDespite initial reports, we currently have no evidence that the EternalBlue exploit is being leveraged. However,\r\nwe identified the usage of the EternalRomance exploit to propagate in the network. This exploit takes advantage\r\nof a vulnerability described in the Microsoft MS17-010 security bulletin. The vulnerability was also exploited\r\nduring the Nyetya campaign. 
Our research continues and we will update as we learn more.\r\nTechnical Details\r\nThe malware contains a dropper which is responsible for extracting and executing the worm payload. This\r\npayload contains additional binaries stored in the resources (compressed with zlib):\r\nlegitimate binaries associated with DiskCryptor (2 drivers x86/x64 and 1 client);\r\n2 mimikatz-like binaries (x86/x64) similar to the sample seen during Nyetya. A popular open source tool\r\nused for recovery of user credentials from computer memory using several different techniques. It drops\r\nfiles into the C:\\Windows\\ directory. The mimikatz-like binaries are executed using the same technique that\r\nwas leveraged in the Nyetya campaign. The communication between the payload and the stealer will be\r\nperformed by a named pipe, for example:\r\nC:\\WINDOWS\\561D.tmp \\\\.\\pipe\\{C1F0BF2D-8C17-4550-AF5A-65A22C61739C}\r\nThe malware then uses RunDLL32.exe to execute the malware and continue the malicious operations. 
The\r\nmalware then creates a scheduled task with the parameters shown in the screenshot below:\r\nEncryption is performed with 2 techniques:\r\nFull disk encryption with DiskCryptor (an open source disk encryption solution)\r\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html\r\nPage 5 of 16\n\nIndividual file encryption Here is the list of the targeted extensions: .3ds .7z .accdb .ai .asm .asp .aspx\r\n.avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc\r\n.docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg\r\n.odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt\r\n.pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb\r\n.vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip\r\nIn addition to the aforementioned scheduled task, the malware creates a second scheduled task that is responsible\r\nfor rebooting the system. This second task does not occur instantaneously but is scheduled to occur later.\r\nIf the names for these scheduled tasks look familiar they appear to be a reference to Game of Thrones, specifically\r\nthey match the names of the dragons.\r\nThen the malware propagates itself in the network, the technique to enumerate the network systems is exactly the\r\nsame than Nyetya. It is performed by Microsoft Windows legitimate features, via:\r\nSVCCTL: the remote service management\r\nSMB2\r\nSMB\r\nNTLMSSP authentication brute force\r\nWMI\r\nAnd an exploit:\r\nEternalRomance\r\nThe malware also creates a file on the infected user's desktop called DECRYPT. 
Executing this file causes the\r\nfollowing ransom note to be displayed to victims.\r\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html\r\nPage 6 of 16\n\nTo demonstrate how quickly these sorts of threats can propagate globally, the below graphic reflects the DNS\r\nrelated activity associated with one of the domains that were being used to distribute the fake Adobe Flash update\r\nthat was used to drop the malware on victims' systems.\r\nThe malware modifies the Master Boot Record (MBR) of the infected system's hard drive to redirect the boot\r\nprocess into the malware authors code for the purposes of displaying a ransom note. The ransom note that is\r\ndisplayed following the system reboot is below, and is very similar to the ransom notes displayed by other\r\nransomware variants, namely Petya, that we have observed in other notable attacks this year.\r\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html\r\nPage 7 of 16\n\nThis is the payment page from the Tor site:\r\nEternalRomance Exploit  \r\nCisco Talos has identified an exploit in the BadRabbit sample. It is very similar to the publicly available Python\r\nimplementation of the EternalRomance exploit that is also exploited by Nyetya. However, the BadRabbit exploit\r\nimplementation is different than the one in Nyetya, although it is still largely based on the EternalRomance exploit\r\npublished in the ShadowBrokers leak.\r\nThe following screenshot shows that BadRabbit is building modified security context structures for various\r\noperating system versions:\r\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html\r\nPage 8 of 16\n\nThe structures are obfuscated using an NOT operation. 
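\r\nAs an added example, not code from the Talos post, the Python script below reverses that obfuscation and regroups the result into little-endian 32-bit fields, using the WIN7_32_SESSION_INFO bytes and decoded field values quoted in the paragraphs that follow. Zero-padding the trailing partial field, which the quoted buffer leaves at a single byte, is an assumption; the function and constant names are the example's own.\r\n
```python
import struct

# Obfuscated WIN7_32_SESSION_INFO buffer exactly as quoted in the Talos post
# (25 bytes). Written with bytes.fromhex for readability.
OBFUSCATED_WIN7_32_SESSION_INFO = bytes.fromhex(
    'd5fde3ff' 'feffffff' 'ffffffff' 'ffffffff' 'fdffffff' 'ffffffff' 'fe'
)

# Field values the post reports after decoding and grouping into 32-bit fields.
EXPECTED_FIELDS = [0x001C022A, 0x00000001, 0x00000000, 0x00000000,
                   0x00000002, 0x00000000, 0x00000001]


def deobfuscate(buf: bytes) -> bytes:
    # The sample stores each structure byte as its bitwise complement, so a
    # second NOT over every byte recovers the plaintext structure.
    return bytes((~b) & 0xFF for b in buf)


def to_dwords(buf: bytes) -> list:
    # Interpret the buffer as little-endian unsigned 32-bit fields.
    # Assumption: a trailing partial field is padded with zero bytes, which is
    # what makes the seventh field of the quoted buffer 0x00000001.
    padded = buf + bytes(-len(buf) % 4)
    return list(struct.unpack('<%dI' % (len(padded) // 4), padded))


def decode_session_info(buf: bytes) -> list:
    # Full pipeline: undo the NOT, then regroup into structure fields.
    return to_dwords(deobfuscate(buf))


def matches_expected(buf: bytes) -> bool:
    # Cross-check against the field values listed in the post.
    return decode_session_info(buf) == EXPECTED_FIELDS


if __name__ == '__main__':
    fields = decode_session_info(OBFUSCATED_WIN7_32_SESSION_INFO)
    print('decoded bytes:', deobfuscate(OBFUSCATED_WIN7_32_SESSION_INFO).hex())
    print('fields:', ', '.join('0x%08X' % f for f in fields))
    print('matches post:', matches_expected(OBFUSCATED_WIN7_32_SESSION_INFO))
```
\r\nThe same NOT-then-regroup step applies to the other per-version structures the sample builds, since the obfuscation is a single byte-wise NOT; only the buffer and the expected field list change.\r\n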
For example, here is the original value of WIN7_32_SESSION_INFO in the sample:\r\n\"\\xD5\\xFD\\xE3\\xFF\\xFE\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\\xFD\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\\xFE\"\r\nOnce decoded, the value of the buffer is:\r\n\"\\x2a\\x02\\x1c\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\"\r\nAfter accounting for little-endian byte order and grouping the bytes into the 32-bit fields of the WIN7_32_SESSION_INFO structure, the values are:\r\n0x001C022A, 0x00000001, 0x00000000, 0x00000000, 0x00000002, 0x00000000, 0x00000001\r\nThe extracted values match the FAKE_SECCTX data in the publicly available EternalRomance exploit mentioned earlier:\r\nThe sample then parses an SMB response containing the kernel leak of the Frag pool structure:\r\nOnce again, the BadRabbit code matches the leak_frag_size() function in the public exploit.\r\nThe sample also checks the NT status code of an NT_Trans request after attempting to modify the data in another Transaction structure:\r\nThe same action is performed in the public exploit:\r\nAfter the NT Trans check, the sample sends multiple NT_TRANSACT_SECONDARY commands using different MultiplexID values.\r\nThe equivalent is also performed by the public exploit's Python implementation in the function write_data().\r\nFinally, we can confirm the findings of the static analysis by looking at the traffic in a pcap capture.\r\nThe sample first gets a FileID of 0x4000 and then uses the same value as a MultiplexID in an NT_Trans request:\r\nOnce again, this demonstrates a type confusion attempt similar to the one used by the EternalRomance exploit (the \"Matched Pairs\" technique). It matches the following Python code:\r\nWith all this in mind, we can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel session's security context so that it can launch remote services, whereas in Nyetya it was used to install the DoublePulsar backdoor. Both actions are possible because EternalRomance gives the attacker an arbitrary read/write primitive into kernel memory.\r\nLinks Between Nyetya and BadRabbit\r\nWe assess with high confidence:\r\nthat BadRabbit is built on the same core codebase as Nyetya;\r\nthat the build tool chain for BadRabbit is highly similar to the build tool chain for Nyetya.\r\nThe evasion techniques present in the modifications to the DoublePulsar backdoor in Nyetya and to EternalRomance in BadRabbit demonstrate similar, advanced levels of understanding of the exploits involved, the network detections in place at the time of deployment, and general Windows kernel exploitation.\r\nThe shared codebase was modified for the BadRabbit build. Instead of leveraging PsExec, remote file placement and remote Windows service management were implemented directly. A second export was added to the DLL that allows the remotely executed copy to restart itself in a new rundll32 process, possibly to avoid having the parent process be clearly identifiable as started by a service. The SMB implementation that Nyetya used to deliver SMB exploits has been replaced with an entirely different SMB implementation and a different exploitation technique. The post-reboot drive encryption with Petya has been replaced with drive encryption using the open source DiskCryptor.\r\nUnmodified functionality from Nyetya includes the self-relocation of the malicious DLL, process and thread token manipulation, network peer identification, and thread-safe collections for managing credentials and target information. Lightly modified functionality showing source-level changes is found in the flow of the malicious entry point, the interaction with the embedded and modified mimikatz, and in aspects of the system initialization and bitflag-based feature control.\r\nWhile these links are not absolute proof, based on these findings Talos assesses with low confidence that the authors of Nyetya and BadRabbit are the same.\r\nConclusion\r\nThis is yet another example of how effectively ransomware can be delivered by leveraging secondary propagation methods such as SMB to proliferate. In this example the initial vector wasn't a sophisticated supply chain attack. Instead it was a basic drive-by download leveraging compromised websites. This is quickly becoming the new normal for the threat landscape: threats spreading quickly, for a short window, to inflict maximum damage. Ransomware is the threat of choice for both its monetary gain and its destructive nature. As long as there is money to be made or destruction to be had, these threats are going to continue.\r\nThis threat also highlights another key area that needs to be addressed: user education. In this attack the user needs to facilitate the initial infection. If a user doesn't help the process along by installing the fake Flash update, it would be benign and not wreak the devastation it has across the region. Once a user facilitates the initial infection, the malware leverages existing methods, such as SMB, to propagate around the network without user interaction.\r\nCoverage\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nNetwork security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nEmail has not been identified as an attack vector at this time. The malware, if transferred across these systems on your networks, will be blocked.\r\nIndicators of Compromise\r\nHashes (SHA256)\r\nDropper:\r\n630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da\r\nPayload:\r\n8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 C:\\Windows\\dispci.exe (DiskCryptor client)\r\n682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806 C:\\Windows\\cscc.dat (x86 DiskCryptor driver)\r\n0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 C:\\Windows\\cscc.dat (x64 DiskCryptor driver)\r\n579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648 C:\\Windows\\infpub.dat\r\n2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 (mimikatz-like x86)\r\n301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c (mimikatz-like x64)\r\nScheduled task names\r\nviserion_\r\nrhaegal\r\ndrogon\r\nDomains\r\nDistribution domain:\r\n1dnscontrol[.]com\r\nDistribution paths:\r\n/flash_install.php\r\n/index.php\r\nIntermediary server:\r\n185.149.120[.]3\r\nReferrer sites:\r\nArgumentiru[.]com\r\nFontanka[.]ru\r\nAdblibri[.]ro\r\nSpbvoditel[.]ru\r\nGrupovo[.]bg\r\nwww.sinematurk[.]com\r\nHidden service:\r\ncaforssztxqzf2nm[.]onion\r\nSource: https://blog.talosintelligence.com/2017/10/bad-rabbit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/10/bad-rabbit.html"
	],
	"report_names": [
		"bad-rabbit.html"
	],
	"threat_actors": [
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa90bbd5b728b8a7f82267b1a22a745c65e87a85.pdf",
		"text": "https://archive.orkl.eu/aa90bbd5b728b8a7f82267b1a22a745c65e87a85.txt",
		"img": "https://archive.orkl.eu/aa90bbd5b728b8a7f82267b1a22a745c65e87a85.jpg"
	}
}