1. Home
  2. Software
  3. Bad Rabbit

Bad Rabbit

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]

ID: S0606
Associated Software: Win32/Diskcoder.D
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 09 February 2021
Last Modified: 17 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges.[1]
Enterprise T1110 .003 Brute Force: Password Spraying

Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines.[1]
Enterprise T1486 Data Encrypted for Impact

Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048.[1]
Enterprise T1189 Drive-by Compromise

Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a .js file.[2][1]
Enterprise T1210 Exploitation of Remote Services

Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks.[1]
Enterprise T1495 Firmware Corruption

Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.[2][1]
Enterprise T1106 Native API

Bad Rabbit has used various Windows API calls.[2]
Enterprise T1135 Network Share Discovery

Bad Rabbit enumerates open SMB shares on internal victim networks.[2]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine.[2]
Enterprise T1057 Process Discovery

Bad Rabbit can enumerate all running processes to compare hashes.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Bad Rabbit’s infpub.dat file creates a scheduled task to launch a malicious executable.[1]
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Bad Rabbit has used rundll32 to launch a malicious DLL as C:Windowsinfpub.dat.[1]
Enterprise T1569 .002 System Services: Service Execution

Bad Rabbit drops a file named infpub.datinto the Windows directory and is executed through SCManager and rundll.exe.
Enterprise T1204 .002 User Execution: Malicious File

Bad Rabbit has been executed through user installation of an executable disguised as a flash installer.[2][1]

Groups That Use This Software

ID Name References
G0034 Sandworm Team

[4]

References

  1. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  2. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
  1. Slowik, J.. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.
  2. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.