Since the middle of December 2021, a new ransomware strain seemed to have emerged. Initially, famed ransomware hunter and researcher Michael Gillespie took to Twitter to see if anyone had managed to get a sample of the strain now called White Rabbit, which certainly would have picked up the ears of any Matrix fans despite the bashing the last film received.
Subsequently, both Trend Micro and Lodestone both have published research shedding some light on the ransomware as well as a connection to FIN8, a financially motivated group best known for compromising Point of Sale (POS) devices that have been active since about 2016.
According to Trend Micro, the ransomware has been seen in the wild and has already attacked a US banking institution. It is not known if the banking institution is one of its first victims but malware samples were gathered by Trend Micro following the attack.
Given how new the ransomware is not much is known about it. However, we do have some interesting bits of information that may help network admins defend against infection.
One of White Rabbit’s defining features is that its encryption routine requires the attacker to enter a command line password to activate. Trend Micro researchers noted,
“One of the most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis…White Rabbit’s payload is inconspicuous at first glance, being a small file of around 100 KB with no notable strings and seemingly no activity. The telltale sign of its malicious origin is the presence of strings for logging, but the actual behavior would not be easily observed without the correct password.”
This technique has not only been seen used in Egregor but in MegaCortex and SamSam as well. Returning to White Rabbit, files that are encrypted are appended with the .scrypt at the end and those deploying the malware are known to use the double extortion tactic of exfiltrating data to later be sold off or leaked if the victim does not pay the ransom within a given period.
Possible Connection to FIN8
From all available research at the time of writing it is not 100% clear how White Rabbit is distributed to machines but some information suggests Cobalt Strike is used.
Trend Micro researchers discovered specific Cobalt Strike beacon commands in samples that might have been used to reconnoiter, infiltrate, and drop the malicious payload into the affected system. Trend Micro researchers also pointed out that,
“Meanwhile, researchers from Lodestone have pointed out that the malicious URL connected to the attack is also related to the APT group called FIN8. They have likewise noted White Rabbit’s use of a never-before-seen version of Badhatch, an F5 backdoor that is also associated with FIN8. Unfortunately, at the time of the analysis, files from the said URL were no longer available.”
In 2021, two newer versions of BadHatch, also tracked as Sardonic, were discovered being deployed by FIN8 in separate campaigns. This latest version, discovered by Lodestone has been called F5. As mentioned above, F5 has been discovered in samples of White Rabbit Lodestone acquired that seems to have dated back to August 2021.
Further, the discovery was linked to known URLs used by FIN8. This suggests that White Rabbit has a strong connection to the financially motivated threat group. Lodestone researchers concluded that,
“At the time of writing, the earliest evidence of compromise Lodestone has observed in its investigations was a PowerShell script that executed on July 10, 2021. An analysis of PowerShell script artifacts revealed script blocks that matched those described in a July 27, 2021, Bitdefender article on FIN8. Additional White Rabbit activity Lodestone observed occurred on December 11, 2021; while the PowerShell artifacts from this most recent event were similar to those associated with activity from August 30, 2021, these were not an exact match…The exact relationship between the White Rabbit group and FIN8 is currently unknown. However, Lodestone identified a number of TTPs suggesting that White Rabbit, if operating independently of FIN8, has a close relationship with the more established threat group or is mimicking them.”
Trend Micro researchers are under the opinion that White Rabbit is still under development but given the samples analyzed and the possible connection to FIN8 White Rabbit is certainly an emerging threat that requires close monitoring.
Since 2016 FIN8 has proved incredibly capable of successfully targeting multiple industries, be they financial institutions, hotels, restaurants, and POS devices installed in fuel stations.
Their move to ransomware should be monitored closely as known financially motivated threat groups have seen the profits ransomware can bring in and with Ransomware-as-a-Service ransomware gangs packing up shop a vacuum has been left for experienced smaller groups to fill.
These groups are often harder to trace given their close-knit nature and high levels of experience.