White Rabbit 🐇 Ransomware

A new ransomware family dubbed White Rabbit has been discovered, this newcomer takes a page from Egregor, a more established ransomware family, in hiding its malicious activity and carries a potential connection to the APT group FIN8.

Thr most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis.

Advertisements

White Rabbit’s payload is inconspicuous at first glance, being a small file of around 100 KB with no notable strings and seemingly no activity.

The sample that was analyzed used the password or passphrase “KissMe,”. It also shows the arguments accepted by the ransomware, which we surmise as standing for the following:

-p: password/passphrase
-f: file to be encrypted
-l: logfile
-t: malware’s start time

Traces of Cobalt Strike commands that might have been used to reconnoiter, infiltrate, and drop the malicious payload into the affected system.

The malicious URL connected to the attack is also related to the APT group called FIN8. They have likewise noted White Rabbit’s use of a never-before-seen version of Badhatch, an F5 backdoor that is also associated with FIN8.

White Rabbit uses double extortion and threatens its targets that their stolen data will be published or sold, as seen in their ransom note.

The ransomware creates a note for each file it encrypts. Each note bears the name of the encrypted file and is appended with “.scrypt.txt.” Prior to the ransomware routine, the malware also terminate several processes and services, particularly antivirus-related ones. 