Virsec Hack Analysis Lab: Deep Dive into NotPetya

NotPetya is a variant of the Petya is a family of ransomware that was first discovered in 2016. These attacks target Windows systems, executing a payload that encrypts a hard drive's file system table, preventing Windows from booting.

Background

The attacker then typically demands a ransom payment in Bitcoin to restore access to the system. The name originates from the 1995 James Bond movie Golden Eye in which the weaponized Petya satellite threatened to detonate a low-earth orbit atomic explosion, producing a destructive electromagnetic pulse. Although the malware version is less cinematic, it has left a global trail of destruction.

The more recent variants (labeled NotPetya to distinguish them from the original 2016 version) have been used in recent major cyberattacks, including WannaCry, and attacks on Ukrainian power plants, propagating via the NSA’s EternalBlue or similar exploits.

The jury is out on how NotPetya was first delivered but most believe it was part of a software update package for a Ukrainian Tax Accounting software called MeDoc. Despite rumors, there is no evidence that NotPetya involved phishing or exploiting vulnerabilities in Microsoft Office documents.

Infiltration Phase

The initial malware was packaged into a file called perfc.dat that was downloaded into the C:\ Windows directory of the victim – possibly through software updates. This malware had three other executables embedded in the resource (.rsrc) section which in turn was compressed with the zlib utility.

The first two executables are used to recover user credentials by either asking the LSASS Service for the clear text password (prior to Windows 8.1) or password hash (Windows 8.1 onwards), similar to how the Mimikatz open source credential miner operates. The third executable is the tool PSExec.

Pivot Phase

The main executable, perfc.dat contains an exported function whose job is to discover other machines in the domain. The malware does that and scans for machines that have port TCP 139 open. It then uses one or more of the four mechanisms below to infect the newly discovered machines:

  1. EternalBlue – leveraged the SMBv1 vulnerability and attacks the Service Dispatch table. This was used to infect machines running Windows 7 and Windows Server 2008,
  2. EternalRomance – also leveraged the SMBv1 vulnerability and attacks the Service Dispatch table. This was used to infect machines running Windows XP, Windows Server 2003 and Windows Vista,
  3. PsExec – a tool used by Windows Admins,
  4. WMI – Windows Management Instrumentation, another legitimate Windows tool.

Mechanisms 1 and 2 above are used to drop a modified version of the DoublePulsar malware, a persistent backdoor to a previously infected machine. This techique helps to avoid detection through pattern matching algorithms.

Mechanisms 3 and 4 are used to install perfc.dat on a remote victim using the current user’s credentials.

Attack Phase

Once the target is successfully breached, NotPetya encrypts files on the victim using RSA encryption – without saving the decryption keys. It also cleans out Windows event logs to avoid detection. Next, NotPetya attempts to escalate privileges to Administrator  level using a Windows API.

If NotPetya can successfully escalate privileges, it destructively overwrites the boot sector. If that fails, it checks if the Kaspersky AV product is installed – if so, wiping the first ten sectors of the disk drive. Lastly, the attack causes a system reboot, ensuring maximum damage to the victim’s system.

How ARMAS Helps

Virsec ARMAS provides multi-tiered defense to advanced attacks including NotPetya. The following capabilities each protect application servers from being attacked in real-time:

  1. As the file perfc.dat gets written to disk, the ARMAS File System Monitor (FSM) integrity check will instantly activate and quarantine the file. This prevents perfc.dat or any embedded executables from starting a new process.
  1. As the EternalBlue or EternalRomance vulnerability starts executing and attacks the Service Dispatch table, ARMAS’s Memory Monitor will block any changes to the table..
  1. Blocking execution of the EternalBlue/EternalRomance exploits, also prevents the DoublePulsar malware from being released into the process memory of the victim.
  1. Any attempt to encrypt files on the server will be detected by ARMAS FSM in microseconds and blocked. Any files that may get encrypted can be automatically restored through integrations Virsec provides with Write-Once, Read-Many (WORM) drives.
  1. The ARMAS Process Monitor which monitors contextual use of critical OS APIs will block the attempt to escalate privileges that is required to trash the boot sector.

Conclusion

NotPetya is a highly destructive ransomware attack. Even if a victim pays the ransom (never a good idea), the affected machine cannot be recovered. Most security products dependent on pattern matching, heuristics, machine learning or artificial intelligence (AI) are vulnerable to some or all of these hacking techniques, and they miss memory-based attacks entirely.

However, applications protected by Virsec are not affected not at all by NotPetya or similar advanced attacks. At all phases of the attack, including the initial infiltration (through perfc.dat), to the pivot stage (exploiting vulnerabilities through EternalBlue, DoublePulsar and similar tools), to the attack phase (attempting to encrypt files for ransom), Virsec’s deterministic approach instantaneously detects rogue activities and protects critical systems from damage.

For more information about Virsec ARMAS or a free demonstration, please get in touch.

Share This Story, Choose Your Platform!

Subscribe to Email Updates