October 3, 2023

A new ransomware family dubbed White Rabbit has been discovered, this newcomer takes a page from Egregor, a more established ransomware family, in hiding its malicious activity and carries a potential connection to the APT group FIN8.

Thr most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis. 


White Rabbit’s payload is inconspicuous at first glance, being a small file of around 100 KB with no notable strings and seemingly no activity.

The sample that was analyzed used the password or passphrase “KissMe,”. It also shows the arguments accepted by the  ransomware,  which we surmise as standing for the following:

  • -p: password/passphrase
  • -f: file to be encrypted
  • -l: logfile
  • -t: malware’s start time

Traces of Cobalt Strike commands that might have been used to reconnoiter, infiltrate, and drop the malicious payload into the affected system.

The malicious URL connected to the attack is also related to the APT group  called  FIN8.  They have likewise noted White Rabbit’s use of a never-before-seen version of Badhatch, an F5 backdoor that is also associated with FIN8. 

White Rabbit uses double extortion  and threatens its targets that their stolen data will be published or sold, as seen in their ransom note.

The ransomware creates a note for each file it encrypts. Each note bears the name of the encrypted file and is appended with  “.scrypt.txt.”  Prior to the ransomware routine, the malware  also  terminate several processes and services, particularly antivirus-related ones. 


The malware then tries to encrypt files  in  fixed,  removable, and network drives, as well as resources. It also tries to skip the following paths  and directories to avoid crashing the system and destroying its own notes:

  • *.scrypt.txt
  • *.scrypt
  • c:\windows\*
  • *:\sysvol\*
  • *:\netlogon\*
  • c:\filesource\*
  • *.exe
  • *.dll
  • *\desktop.ini
  • *:\windows\*
  • c:\programdata\*
  • *:\programfiles\*
  • *:\program files (x86)\*
  • *:\program files (x64)\*
  • *.lnk
  • *.iso
  • *.msi
  • *.sys
  • *.inf
  • %User Temp%\*
  •  *\thumbs.db

White Rabbit is still in its development phase, considering its uncomplicated ransomware routine. Despite being in this early stage.  Its important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods.A multilayered defense can help guard against modern ransomware and prevent the success of the evasion tactics they employ.

Indicators of Compromise

  • b0844458aaa2eaf3e0d70a5ce41fc2540b7e46bdc402c798dbdfe12b59ab32c3
  • hxxps://104-168-132-128[.]nip[.]io/cae260

Leave a Reply

%d bloggers like this: