White Rabbit Ransomware

Back in December, right before the end of 2021, a new ransomware family emerged on the cybercrime landscape in an attack against a US bank. Discovered by the researchers at Trend Micro and tracked as White Rabbit ransomware, the threat displays multiple fully implemented characteristics of modern malware of this type. While White Rabbit's encryption routine is fairly uncomplicated, it shows an increased focus on concealing its activity from analysis. Certain details also suggest a connection between White Rabbit and the group tracked as FIN8.

White Rabbit Details

After analyzing the attack, the infosec experts noticed signs that White Rabbit was deployed to the targeted systems through Cobalt Strike, a legitimate penetration-testing framework that is frequently abused in malicious attacks because of its extensive feature set. The White Rabbit payload itself is a small binary, around 100 KB, that reveals no notable strings or activity when examined on its own.

To unlock its destructive capabilities, White Rabbit requires a specific password passed on the command line. Only then can it decrypt its internal configuration and begin its encryption routine. This is not the first time a ransomware threat has used this technique; the Egregor ransomware family previously used it to hide its malicious actions from analysts who only had the binary.
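As an added illustration (not White Rabbit's code, and not taken from the Trend Micro analysis), the following Python models a password-gated embedded configuration: the blob carries no readable strings, a wrong password is rejected by an integrity tag rather than yielding garbage, and only the run-time argument unlocks it. The cipher construction (HMAC-SHA256 in counter mode), the PBKDF2 stretching, the argument position and the sample configuration contents are all assumptions made for the example.

```python
"""Model of a password-gated, encrypted embedded configuration.

Added illustration, not White Rabbit's code. Cipher, key derivation,
argument handling and configuration contents are assumptions.
"""
import hashlib
import hmac
import json
import os
import sys

# Constructed sample configuration; the real layout is not described on the page.
SAMPLE_CONFIG = {
    "note_suffix": ".scrypt.txt",
    "skip_paths": ["c:\\programdata\\", ":\\windows\\", ":\\programfiles\\"],
    "kill_processes": ["example-av.exe"],
}
BUILD_PASSWORD = "operator-only-secret"  # assumed; normally only the operator knows it


def derive_keys(password, salt):
    """Stretch the command-line password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for a stream cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal_config(config, password):
    """Build-time step: blob = salt || ciphertext || HMAC tag."""
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = _keystream_xor(enc_key, salt, json.dumps(config).encode())
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return salt + ct + tag


def open_config(blob, password):
    """Run-time step: return the configuration, or None if the password is wrong."""
    if len(blob) < 48:
        return None
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password: stay dormant instead of decrypting garbage
    return json.loads(_keystream_xor(enc_key, salt, ct))


def visible_strings(blob, markers):
    """Which of the given markers a strings-style scan of the blob would find."""
    return [m for m in markers if m.encode() in blob]


# What the "binary" carries: the configuration exists only in sealed form.
EMBEDDED_CONFIG = seal_config(SAMPLE_CONFIG, BUILD_PASSWORD)

if __name__ == "__main__":
    password = sys.argv[1] if len(sys.argv) > 1 else ""
    print("static scan finds:", visible_strings(EMBEDDED_CONFIG, [".scrypt.txt", "programdata"]))
    cfg = open_config(EMBEDDED_CONFIG, password)
    print("configuration unlocked:" if cfg else "no valid password, staying dormant", cfg or "")
```

Run it without arguments to see the static scan find nothing and the sample stay dormant; run it with the build password to recover the configuration. The practical consequence for an analyst is the same as with White Rabbit: the binary alone does not contain the configuration in readable form, so the password has to be recovered from the deployment stage (here, the Cobalt Strike command line) or from a memory capture of a running instance.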

Encryption Process and Demands

White Rabbit targets a wide range of file types and, for each locked file, creates a text file containing the same ransom note. Each note is named after the related file with '.scrypt.txt' appended. To ensure that its encryption process is not impeded, the threat is capable of terminating specific processes and services, such as those belonging to anti-malware products. White Rabbit also tries to avoid causing system crashes or critical errors by skipping files in important paths and directories, for example \desktop.ini, c:\programdata\, :\windows\, %User Temp%\, :\programfiles\, and others.
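The naming rule and exclusion list above are enough to build a first triage step for an incident responder. The following Python is added here and is not taken from the page or from any vendor tooling. It takes a file listing (constructed below) and recovers which files a note was written for, which directories were hit hardest, whether every note body is identical as the page describes, and whether any note turns up under a path the page says is skipped, which would mean the sample on hand behaves differently from what is described. The expansion of %User Temp% to ...\AppData\Local\Temp\ and the placeholder note text are assumptions.

```python
"""Triage helper for a file listing from a host hit by White Rabbit.

Added example, not code from the page or from Trend Micro. It relies only
on what the page states: one note per encrypted file, named
<original file name>.scrypt.txt, and the listed system paths being skipped.
"""
import hashlib
from collections import Counter

NOTE_SUFFIX = ".scrypt.txt"

# Directory patterns the page lists as skipped (examples from the page, not a
# complete set). %User Temp% is assumed to expand to ...\AppData\Local\Temp\.
SKIP_DIR_PATTERNS = (
    "c:\\programdata\\",
    ":\\windows\\",
    "\\appdata\\local\\temp\\",
    ":\\programfiles\\",
)


def _norm(path):
    """Case-insensitive, backslash-only form for comparisons."""
    return path.replace("/", "\\").lower()


def is_skipped_path(path):
    """True if the page's exclusion rules would have left this file alone."""
    p = _norm(path)
    if p.endswith("\\desktop.ini"):
        return True
    return any(pattern in p for pattern in SKIP_DIR_PATTERNS)


def is_ransom_note(path):
    return _norm(path).endswith(NOTE_SUFFIX)


def original_for_note(note_path):
    """C:\\x\\report.docx.scrypt.txt -> C:\\x\\report.docx (same directory)."""
    return note_path[:-len(NOTE_SUFFIX)]


def triage(listing):
    """listing: iterable of (path, note_body_bytes_or_None).

    Returns the files the notes say were encrypted, affected directories ranked
    by count, notes found where the page says the malware does not write, and
    whether all note bodies are identical.
    """
    affected, unexpected, digests = [], [], set()
    for path, body in listing:
        if not is_ransom_note(path):
            continue
        original = original_for_note(path)
        affected.append(original)
        if is_skipped_path(original):
            unexpected.append(path)
        if body is not None:
            digests.add(hashlib.sha256(body).hexdigest())
    dirs = Counter(_norm(a).rsplit("\\", 1)[0] for a in affected)
    return {
        "affected_files": affected,
        "affected_dirs": dirs.most_common(),
        "notes_in_skipped_paths": unexpected,
        "notes_identical": len(digests) <= 1,
    }


# Constructed sample listing (paths and note text are made up for the example).
NOTE = b"Your files are encrypted. Contact us within 4 days or the data goes public."
SAMPLE_LISTING = [
    ("C:\\Users\\alice\\Documents\\q4-report.docx.scrypt.txt", NOTE),
    ("C:\\Users\\alice\\Documents\\budget.xlsx.scrypt.txt", NOTE),
    ("D:\\Shares\\finance\\ledger.db.scrypt.txt", NOTE),
    ("C:\\Windows\\System32\\drivers\\etc\\hosts", None),
    ("C:\\Users\\alice\\Desktop\\desktop.ini", None),
    ("C:\\ProgramData\\vendor\\config.xml.scrypt.txt", NOTE),  # not expected per the page
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Feed it the output of a file enumeration (for example an EDR file-event export or a `dir /s /b` over the affected volumes) instead of the sample list; the `notes_in_skipped_paths` entry is the one to watch, since a note under c:\programdata\ or :\windows\ means the sample differs from the behaviour described here and the exclusion list should not be trusted during recovery.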

The ransom note shows that White Rabbit runs a double-extortion scheme: before encrypting the files, the attackers claim to have stolen sensitive private data. Victims are given 4 days to contact the criminals; otherwise the stolen information will be published or offered for sale to competing organizations, and the decryption key will be deleted, making restoration of the locked files impossible.

Connection to FIN8

FIN8 is a financially motivated threat group with a history of targeting payment-card data in the retail and hospitality sectors. Several details link the group to the White Rabbit ransomware. As stated by the researchers from Lodestone, a malicious URL seen in the White Rabbit attack had previously been associated with FIN8. In addition, their findings show that White Rabbit uses a version of Badhatch, a backdoor considered part of FIN8's toolset. Whether the overlap with FIN8 is coincidental or the group is actually expanding its activities into ransomware remains to be seen.
