Barracuda Research investigation into the email vector of the NotPetya attack


NotPetya, or Netya, appeared to be Petya ransomware when the first attack was reported on June 27. Over the next few hours, it became clear to the security industry that the malware was not the version of Petya that had been observed in 2016. This new attack was termed Petya.A, and is referred to here as NotPetya.

NotPetya was spread through malicious email attachments and through compromised M.E.Doc software. In this blog post we take you through our investigation into the email threat.

First Indications of Attack:

The first sample of NotPetya ransomware was identified by our systems on June 26, 2017, at 4:30pm PST. We detected and blocked over 3000 copies of this malicious email from multiple source IP addresses, and the impact was seen across over 400 Email Security Gateway customers. Barracuda Real Time System (BRTS) is constantly engaged with tens of thousands of customer environments and is able to respond to malicious email attacks in seconds; capturing the sample from the NotPetya attack is another example of its effectiveness. Customers who use Barracuda Email Security Gateway or Email Security Service are always protected by BRTS.

See BRTS and email sample below:

Attack Components:

While BRTS was stopping the spread of this email attack in its early hours, the Barracuda ATP layers were actively analyzing the samples.

This diagram illustrates the layered threat protection from Barracuda ATP:


Analyzing the RTF component of the email threat:

Screenshot of the ATP analysis report for the RTF file:


Screenshot of our analysis of how the RTF attempts to download a file served with Content-Type: application/hta:


Indicators of Compromise:

Several Indicators of Compromise (IoCs) identify this attack. We observed the following artifacts:

• File name Order-20062017.doc (an RTF exploiting CVE-2017-0199), MD5 hash 415FE69BF32634CA98FA07633F4118E1

• File with SHA256 hash: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

• File with SHA256 hash: 17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd  
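As an added illustration (this is not Barracuda's code and not part of the original post), the following Python triage helper ties the two findings above together: it compares an attachment's MD5/SHA256 against the hashes listed on this page, looks for the auto-updating linked-object control words and the URL Moniker CLSID that CVE-2017-0199 RTF lures rely on, and flags an HTTP response served as `application/hta`. The embedded sample RTF is a constructed fixture around a placeholder host (`example.invalid`), not a real OLE stream.

```python
"""Attachment triage helper for the RTF/HTA lure described above."""
import hashlib
import re

# Hashes quoted on this page, lower-cased for comparison.
KNOWN_BAD = {
    "415fe69bf32634ca98fa07633f4118e1",
    "fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206",
    "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
    "17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd",
}
# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in its on-disk
# byte order (first three fields little-endian).
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
HTA_RE = re.compile(r"Content-Type:\s*application/hta", re.I)

def triage_attachment(data: bytes) -> dict:
    """Return hash hits and CVE-2017-0199-style indicators for one file."""
    digests = {hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()}
    result = {"hash_match": bool(digests & KNOWN_BAD),
              "is_rtf": data.startswith(b"{\\rtf"),
              "auto_update_object": False, "url_moniker": False, "urls": []}
    if not result["is_rtf"]:
        return result
    # \objautlink + \objupdate make Word refresh the linked object on open,
    # which is how CVE-2017-0199 documents reach out to their server.
    result["auto_update_object"] = (b"\\objautlink" in data
                                    and b"\\objupdate" in data)
    for match in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s", b"", match.group(1)).decode()
        blob = bytes.fromhex(hexstr[: len(hexstr) & ~1])  # drop odd nibble
        if URL_MONIKER_CLSID in blob:
            result["url_moniker"] = True
            # The moniker target is stored as UTF-16LE after the CLSID.
            text = blob.decode("utf-16le", errors="ignore")
            result["urls"] += re.findall(r"https?://[^\x00\s]+", text)
    return result

def is_hta_response(http_headers: str) -> bool:
    """Flag a response that serves an HTML Application, as the RTF requested."""
    return bool(HTA_RE.search(http_headers))

# Constructed fixture: a minimal RTF wrapper around a URL-moniker blob that
# points at a placeholder host (example.invalid); not a real OLE stream.
SAMPLE_BLOB = (b"\x01\x05\x00\x00" + URL_MONIKER_CLSID
               + "http://example.invalid/x.hta".encode("utf-16le") + b"\x00\x00")
SAMPLE_RTF = (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
              + SAMPLE_BLOB.hex().encode() + b"}}}")
```

Run `triage_attachment(SAMPLE_RTF)` to see all three structural indicators set and the placeholder URL extracted; a real hash hit would additionally set `hash_match`.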

External References: 

Barracuda researchers used multiple references during analysis. These two were the most prominent in our investigation:

• A sample file from a third party, which exhibited the same IoCs that we observed in our own sample.

• Intelligence from the Computer Emergency Response Team of Ukraine, located at http://cert.gov.ua/?p=2641 (Google translation to English: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fcert.gov.ua%2F%3Fp%3D2641&edit-text=&act=url).

Source Materials: 

• RTF Hashes:  

MD5: 415FE69BF32634CA98FA07633F4118E1

SHA256: fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206

• Sample file 1:  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

• Sample file 2:  17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd  

Conclusion:

Petya.A has an email threat vector, which we observed in our protection systems beginning on June 26. By the time the first attack was reported, we were already using our Barracuda Real Time Security and Advanced Threat Protection systems to block the attack from reaching our customers. Additionally, the ATP layers were collecting more intelligence from the samples gathered during the attack.

Barracuda Research also matched samples, hashes, and Indicators of Compromise against multiple external references that identified this as the Petya.A email-vector threat.

Barracuda uses multiple layers of technology and artificial intelligence to provide our security researchers with the best possible samples and data for analysis. This intelligence and analysis are fed back into our systems to protect our customers all over the world.


Fleming Shi is the Senior Vice President of Technology at Barracuda, where he leads the company’s cloud-enabled microservices technology innovation and integrations across the entire security and data protection portfolio.  Connect with him on LinkedIn here.
