Evidence about BadRabbit is multiplying, like, well, rabbits: the latest revelation is that the malware used another stolen NSA tool to move laterally through networks.
Several research firms have named EternalRomance as the tool BadRabbit used to spread through an organisation once the ransomware was installed on a host computer. When the attack first sprang up on 24 October, many reports claimed that EternalBlue, the tool made famous by the WannaCry and Petya/NotPetya attacks earlier this year, was the culprit, but researchers quickly disproved this. EternalRomance does, however, share at least one thing with EternalBlue: both exploit SMBv1 flaws that Microsoft patched in the same security bulletin, MS17-010.
“Despite initial reports, we currently have no evidence that the EternalBlue exploit is being leveraged. However, we identified the usage of the EternalRomance exploit to propagate in the network. This exploit takes advantage of a vulnerability described in the Microsoft MS17-010 security bulletin,” Cisco Talos reported.
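Because EternalRomance, like EternalBlue, spreads over SMB (TCP/445) to unpatched neighbours, one practical detection is to watch for a single internal host fanning out to many distinct internal peers on port 445 in a short window. The script below is an added example written for this article, not code from Cisco Talos or any BadRabbit analysis; it assumes a simplified, constructed flow-log format of `<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>`, and the IP addresses, timestamps and thresholds in it are made up for illustration.

```python
"""Flag internal hosts whose SMB (TCP/445) fan-out looks like worm-style propagation.

Added example for this article. The log format and sample data are constructed;
in practice the same logic would be fed from Zeek conn.log, NetFlow or firewall logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample data (not a real capture):
#  - 10.0.0.5 sweeps eight neighbours on 445 within forty seconds, the pattern
#    an MS17-010-based spreader leaves behind (some attempts are blocked, but a
#    denied SMB connection is still evidence of scanning, so both are counted);
#  - 10.0.0.9 is an ordinary client repeatedly talking to one file server;
#  - 10.0.0.7 browses an external site on 443 and is ignored.
SAMPLE_LOG = """\
2017-10-24T13:02:01 10.0.0.5 10.0.0.11 445 allow
2017-10-24T13:02:04 10.0.0.5 10.0.0.12 445 allow
2017-10-24T13:02:09 10.0.0.5 10.0.0.13 445 deny
2017-10-24T13:02:15 10.0.0.5 10.0.0.14 445 allow
2017-10-24T13:02:20 10.0.0.9 10.0.0.20 445 allow
2017-10-24T13:02:22 10.0.0.5 10.0.0.15 445 allow
2017-10-24T13:02:27 10.0.0.5 10.0.0.16 445 deny
2017-10-24T13:02:30 10.0.0.7 93.184.216.34 443 allow
2017-10-24T13:02:33 10.0.0.5 10.0.0.17 445 allow
2017-10-24T13:02:35 10.0.0.9 10.0.0.20 445 allow
2017-10-24T13:02:40 10.0.0.5 10.0.0.18 445 allow
2017-10-24T13:03:10 10.0.0.9 10.0.0.20 445 allow
2017-10-24T13:04:02 10.0.0.9 10.0.0.20 445 allow
"""

# RFC 1918 ranges; lateral movement by definition is internal-to-internal.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def smb_fanout(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: sorted list of distinct peers} for every internal source
    that reached at least `threshold` distinct internal hosts on TCP/445 within
    any `window`-long sliding interval. Repeated connections to the same peer
    (normal file-server use) count once, so they do not trip the threshold."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port != 445 or not (is_internal(src) and is_internal(dst)):
            continue
        events[src].append((ts, dst))

    suspects = {}
    for src, hits in events.items():
        hits.sort()
        # Slide the window start over each event; stop at the first window
        # that contains enough distinct destinations.
        for i, (start, _) in enumerate(hits):
            peers = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(peers) >= threshold:
                suspects[src] = sorted(peers)
                break
    return suspects


if __name__ == "__main__":
    for src, peers in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {len(peers)} distinct SMB peers in window -> {peers}")
```

The threshold and window are tuning knobs: a backup server or a vulnerability scanner will legitimately fan out on 445 and needs an allow-list, while a spreader typically reaches its whole subnet in well under a minute, so a tighter window than five minutes is often affordable once baselines are known.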
BadRabbit spread through Russia, Ukraine and Bulgaria, and US-CERT received some reports of the malware appearing in the United States. The infection vector was a fake Adobe Flash Player update served from several Russian news media sites that had been compromised and used as watering holes. The attacker demanded a 0.05 bitcoin ransom, about £230, but STEALTHbits Technologies told SC Media earlier this week that only three payments related to the attack have been made, going to two bitcoin wallets.