NotPetya Technical Analysis
NotPetya (or “Nyetna” as it has also been named) spreads to other systems on the network without use of the ETERNALBLUE/ETERNALROMANCE SMBv1 exploits. (Although the code contains the ability to spread by this exploit as well, so patching is still imperative).
The malware harvests SMB and user credentials from the infected host and uses those credentials to connect to other systems on the network, propagating the malware. Therefore, it potentially only takes one infected machine in an organization to take down all systems in the network. In this post, we will go more into depth on the functionality and destructive capabilities of NotPetya.
Disk Destruction – NotPetya Technical Analysis
Although initially labeled as ransomware due to the ransom message that is displayed after infection, it appears now that NotPetya functions more as a destructive wiper-like tool than actual ransomware.
Initially, analysis showed many similarities with Petya ransomware samples from 2016, but further research indicated the malware had been modified to cause data destruction. NotPetya overwrites sectors of the physical hard drive and C: volume, but does not contain the ability to restore the files, rendering recovery impossible even if the ransom is paid.
Using the Windows API DeviceIoControl, the malware is able to obtain direct read and write access to the physical hard drive, without interaction with the operating system (provided it has the proper administrative permissions).
This allows the code to determine the number of disks and partitions on the system, unmount a mounted volume (even if in use), and determine the drive geometry for the drives on the system (i.e., the number of sectors, bytes per sector, etc.). The malware uses this access to destroy data critical to the operating system. NotPetya also has the ability to replace the OS bootloader with custom code embedded in the binary.
NotPetya “Vaccine” or “Kill Switch” – NotPetya Technical Analysis
NotPetya contains a check upon initial execution that attempts to determine whether the victim system has already been infected. It has been stated that creating a file named “perfc” or “perfc.dat” in the root of the hard drive will cause the malware to halt execution, touting this as a “vaccine” or “kill switch” to prevent the spread of the malware.
However, while the original name of the file was “perfc.dat” and so this check will work successfully to prevent execution of this variant, a simple file name change will render this protection useless.
NotPetya Analysis and Techniques
The analyzed samples of NotPetya are 32-bit Windows DLLs with an original file name of “perfc.dat.” Although the initial infection vector has not been confirmed, there is evidence that the updater process of the Ukrainian tax software MEDoc was responsible for execution of some of the initial infections.
As noted before, although the malware can utilize the SMBv1 exploit to spread to unpatched machines, it also contains other propagation techniques capable of infecting even patched machines. This is critical to note, as means that just one infected system on a network can spread across the enterprise. The methods of propagation discussed below are as follows:
Exploitation of machines vulnerable to the ETERNALBLUE/ETERNALROMANCE SMVv1 exploit
Using harvested credentials from the victim system to infect systems on the network by logging into SMB (any version) shares on the remote system
Unlike Windows executables, DLLs such as the NotPetya sample contain “export functions” that are called by external programs to execute functionality. These export functions are contained in a table within the DLL that lists the functions by name and “ordinal” number.
DLLs have a default export function, but in the case of perfc.dat, a call to this function will not execute the malware. Instead, the perfc.1 function must be called by ordinal rather than name, as seen below. Malware often employs this technique to hinder analysis efforts.
Upon initial execution, perfc.dat performs a check for the following privileges of the running process.
The malware sets a global flag that indicates which of these privileges are owned by the process. The privileges granted determine the path of code execution as it relates to the propagation, encryption, and wiping methodologies employed.
After checking for privileges, the malware then enumerates all running processes on the victim, looking for three specific antivirus products: Kaspersky, Symantec, and Norton Security. The executable names are encrypted using a custom XOR algorithm.
The result of this check determines the execution path of the malware during propagation to remote systems. The results from both the privilege check and the AV check are stored in bitmasked global variables for reference throughout the program. The flags indicating whether Kaspersky, Symantec, or Norton are running.
After this flag value is set, the malware can determine which antivirus is installed by performing a bitwise AND operation on the flag with a constant. This method of “bitmasking” allows the malware to store multiple values in a single variable. For more information on this technique and how it is used by NotPetya, see the “Bitmasking” section at the end of this post.
The malware then checks privileges and performs the following if SeDebugPrivilege is granted:
- Checks for the existence of “perfc.dat” on the system
If the file exists, the malware exists (see “NotPetya Vaccine or Kill Switch” section above)
If not, the malware copies itself onto the victim’s hard drive
- Opens a handle to the raw logical volume \.\C:
- Retrieves the drive geometry (bytes per sector, number of sectors, etc.)
- Overwrites sectors at the beginning of the volume
- Checks to see if Kaspersky flag is set and attempts to overwrite the MBR with a custom bootloader. If Kaspersky is not running and the MBR overwrite fails, the malware obtains a handle to the first physical drive (\.\PhysicalDrive0) and again retrieves the geometry.
- It then forcibly dismounts the volume and overwrites sectors on the drive
After the above actions have been attempted, NotPetya creates a task to perform a shutdown after a calculated amount of time
If the process has all three privileges described above and the OS version is Vista/2008/7 or greater, a scheduled task will be created and configured to run under the “SYSTEM” account
If the system is running an older version of Windows (such as XP), the malware uses the built-in “AT” command to schedule the shutdown
Depending on the system architecture, either the 32- or 64-bit version of the credential harvester is inflated and written to a pseudo-randomly named file in %TEMP%. NotPetya then creates a named pipe and executes the temp file, using the pipe to retrieve credentials from the harvester. These credential harvester binaries have been reported as modified versions of the tool “mimikatz,” although this has not been verified as of the time this report was written.
Students or Professionals engaged in cyber security, can use the below links to be updated on Security related issues