There is nothing remotely new in Petyawrap. I think any decent developer and IT admin could have teamed up and put together something like Petyawrap in a week or two. It used existing vulnerabilities, exploits and tools to pull off what’s looking to be a slow, but very long campaign. Why are we calling it Petyawrap? Mainly because it is significantly different from the malware originally coined Petya, and shouldn’t be confused with it. It’s also being called GoldenEye, Petrwrap, Misha (also related) and the phonetic variations Pnyetya and Nyetya (used by Talos).
Unlike the average enterprise PC, Petyawrap has been designed to be resilient and persistent in the pursuit of its goals. Really, the only part where the designers of Petyawrap messed up is the part where they get paid. This is the kind of malware we consultants or admins could continue running into a year or two from now.
Unless we wake up and start making some common sense changes to systems to disrupt malware. The truth is, malware is fragile and is blind to how we set up our systems and networks. The bad guys are guessing we’ll have 99% of the defaults in place. Unfortunately, they’re right a lot of the time. I’ve counted at least a dozen things we could do to rob Petyawrap of success without disrupting users, applications or workflows.
So far, I’m seeing the usual vitriol and shaming in social media. “These people, still running XP! Why don’t they just patch? Why don’t they get rid of XP/7?”
Petyawrap don’t care
Petyawrap has been confirmed to work on Windows XP. It runs on Windows 10. It will exploit missing patches. It can also infect fully patched systems. Forget about relying on a particular version of Windows or patch level to protect you from this malware.
InfoSec Community: “If they just patched, this wouldn’t be an issue!”
Ukrainian IT Admins: “The malware literally came in as a patch.”
Two infection vectors have been reported. In the first, Petyawrap was delivered by hijacking the update mechanism within a popular commercial software application. The application, MeDoc, is accounting software that appears to be broadly used within the Ukrainian government, much of which had to disconnect from the Internet for cleanup on Tuesday (6/27).
Delivering malware via a software updater is a bit of a holy grail, as it gives the bad guys a trusted delivery system designed to push out new software as fast as possible. So you patched? Good for you, but Petyawrap don’t care. It will infect you through a trusted software vendor.
The other infection vector is said to be email phishing. In this scenario, it used CVE-2017-0199 to execute PowerShell via fake Office documents. The PowerShell downloads and executes the binary malware (the payload).
The ransomware piece attempts to replace the master boot record (MBR). Bad news: you can’t boot without it. Good news: it’s a lot easier to fix than trying to recover encrypted files. That means you don’t get ransomed until the computer restarts. Conveniently, the malware authors thought about that and created a scheduled job to reboot the system one hour after the initial infection. Killing the scheduled job or powering off the system will buy a defender some time.
The payload does a good job of disrupting businesses it infects. It does a terrible job of making its authors any money. A single email address and bitcoin wallet were set up to extort victims. Currently, that wallet has a little more than $9000 in it, and will likely never be cashed out by the attackers. Did they ever intend to? I doubt it. Petyawrap don’t care… about getting paid?
Petyawrap has no less than three ways to spread itself to other systems. This is probably the most dangerous part of this thing, and is where you should really pay attention.
The most familiar vector is the same one used by Wannacry. Petyawrap will go after that same SMBv1 vulnerability (CVE-2017-0144). However, instead of using ETERNALBLUE copypasta, the authors took the time to rewrite the exploit. To get a list of targets, it will run an ARP scan on the local subnet.
Let’s say you’ve patched, however. Patches were released for both vulnerabilities used by this malware months ago. Petyawrap don’t care — it will just steal your passwords and use admin-approved tools to take over your systems.
Petyawrap will also enumerate all systems in attached domains to use as a list of systems to exploit (the equivalent of net view /domain:companyname for my fellow ‘old folks’ out there), which in most cases, should return a whole lot more systems than an ARP scan. The malware will then attempt to use WMIC (Windows Management Instrumentation Command-line) or the Microsoft SysInternals tool psexec to spread itself to other systems.
Hold on — it needs to authenticate to use WMIC or psexec, right? To acquire credentials, Petyawrap runs LSADump and attempts to use local administrator credentials to infect all adjacent systems. It appears to attempt to do this through the Admin$ share.
Petyawrap started out specifically targeting Ukrainians. As with most breaking stories, a *lot* of misinformation is spread very quickly.
Q: How does it spread?
A: Initial reports pointed to phishing, but the real story is that the malware used the update mechanism in a commercial accounting package called MeDoc — one of two accounting packages approved for tax use in Ukraine.
Q: How much is the ransom?
A: Doesn’t matter, paying it nets you nothing. The email account the attackers were using (firstname.lastname@example.org) was quickly disabled.
Q: Is there a kill switch like Wannacry?
A: No there isn’t, and won’t be. There are ways to mitigate the malware through its behavior, but no single kill switch that neuters all copies of the malware in real time.
Recommendations and mitigations
In most cases, any one of these mitigations or recommendations will stop most malware (including Petyawrap) before it can even get started.
- Design systems, especially user-facing systems, to be disposable (easy recovery and resilient data backups). This won’t work for you unless you test backups and recovery plans.
- Disable old functionality, like SMBv1 and administrative (Admin$) shares if you can.
- Don’t let anything execute (including Office docs) out of the root %APPDATA%, %TMP% and %TEMP% directories. There are fewer than a dozen executables in the root of %WINDIR%. Whitelist them. This one recommendation will stop most malware out there!
- Don’t allow executables with broken digital signatures to run.
- Use non-standard defaults. Install Windows into something other than c:\Windows.
Monitor for the following ‘red flags’
- Alert on any software that attempts to write to the physical (not logical) disk (Petyawrap attempts to overwrite the MBR)
- Executable file downloads from random websites, like French-Cooking.com. Really? What compiled software is someone going to need from French-Cooking.com at work? Also watch out for downloads from websites that don’t even have domain names.
- Attempts to erase Windows event logs (look for and block commands similar to the following:
- Watch out for new scheduled tasks, especially when new software hasn’t been installed.
- If you don’t typically download software from the Internet via PowerShell, don’t allow it. Having a tightly controlled source for software installs/upgrades (think app store) will allow you to disable a whole swath of attack surface. Most malware needs to download a payload from the Internet at some point.
- An RTF or Word file with more than 50 bytes per word (calculate using metadata). The Office exploit used in this case had a ratio of 282.5 bytes per word, when the typical amount is 15–30 bytes per word. Basically, that means there’s a lot of content in that file that isn’t text, and it is probably out to ruin your day.
- Extensions that don’t match file headers or file types. For example, a PE file named dllhost.dat or a Word DOCX file named XLS.
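The bytes-per-word red flag above can be computed from the word count a document stores in its own metadata. This Python is an added example, not code from the original post: the function names and sample documents are constructed here, and reading the count from the RTF `\nofwords` keyword or from `docProps/app.xml` in a DOCX is this example's assumption about where "metadata" comes from. The 50-byte threshold is the article's.

```python
import io
import re
import zipfile

MAX_BYTES_PER_WORD = 50  # alert threshold given in the article

def word_count(data: bytes):
    """Word count the authoring tool stored in the file's metadata, or None."""
    if data.startswith(b"{\\rtf"):
        # RTF: the {\info ...} group carries \nofwordsN
        m = re.search(rb"\\nofwords(\d+)", data)
    elif data.startswith(b"PK\x03\x04"):
        # DOCX: docProps/app.xml carries <Words>N</Words>
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                m = re.search(rb"<Words>(\d+)</Words>", z.read("docProps/app.xml"))
        except (KeyError, zipfile.BadZipFile):
            return None
    else:
        return None
    return int(m.group(1)) if m else None

def check(data: bytes):
    """Return (bytes_per_word, verdict) for one document."""
    words = word_count(data)
    if not words:  # metadata missing or zero: the ratio is undefined
        return None, "no-word-count"
    ratio = len(data) / words
    return ratio, "alert" if ratio > MAX_BYTES_PER_WORD else "ok"

def make_rtf(words: int, blob_len: int) -> bytes:
    """Constructed sample: RTF text plus an opaque embedded-object blob."""
    head = b"{\\rtf1{\\info{\\nofwords%d}}" % words
    blob = b"{\\*\\objdata " + b"0" * blob_len + b"}"
    return head + b"lorem " * words + blob + b"}"

if __name__ == "__main__":
    for name, doc in [("plain.rtf", make_rtf(100, 0)),
                      ("stuffed.rtf", make_rtf(100, 30000))]:
        ratio, verdict = check(doc)
        print(f"{name}: {ratio:.1f} bytes/word -> {verdict}")
```

The word count is metadata written by whoever produced the file, so treat the ratio as one signal alongside the other red flags in this list.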
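The extension-versus-header red flag above comes down to classifying a file by its leading bytes and comparing that with its name. This Python is an added example, not code from the original post: the extension tables, function names and sample files are assumptions constructed here, and it covers only the PE, RTF, OLE2 and OOXML cases relevant to the article's two examples.

```python
import io
import os
import zipfile

PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}
EXPECTED = {".docx": "docx", ".xlsx": "xlsx", ".rtf": "rtf",
            ".doc": "ole", ".xls": "ole"}  # legacy Office files are OLE2
MAGIC = [(b"MZ", "pe"), (b"{\\rtf", "rtf"),
         (bytes.fromhex("d0cf11e0a1b11ae1"), "ole")]

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "zip"
        # OOXML is a ZIP; the main part tells Word from Excel
        for part, kind in (("word/document.xml", "docx"),
                           ("xl/workbook.xml", "xlsx")):
            if part in names:
                return kind
        return "zip"
    return "unknown"

def mismatch(filename: str, data: bytes):
    """Return a reason string when name and content disagree, else None."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind == "pe" and ext not in PE_EXTS:
        return f"PE executable named '{ext}'"
    if ext in EXPECTED and kind != EXPECTED[ext]:
        return f"'{ext}' name but {kind} content"
    return None

def make_docx() -> bytes:
    """Constructed sample: minimal ZIP holding the DOCX main part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":
    for name, data in [("dllhost.dat", b"MZ" + bytes(62)),
                       ("report.xls", make_docx()), ("report.docx", make_docx())]:
        print(name, "->", mismatch(name, data) or "consistent")
```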