There’s a new ransomware family spotted in the wild. Called White Rabbit, the ransomware was noticed by Trend Micro researchers in silent attacks against a US bank in December 2021. The threat appears to take a page from the well-known Egregor ransomware in how it hides its malicious activity. Researchers believe that White Rabbit is affiliated with the FIN8 APT (Advanced Persistent Threat) group.
What’s Interesting about the New White Rabbit Ransomware?
“One of the most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine,” Trend Micro said in a report.
This technique has been used by the Egregor operators to conceal malicious activities from vendor analysis. At first glance, White Rabbit’s file doesn’t attract any attention: it is small, about 100 KB, and shows no notable strings or activity. The only hint of its malicious character is the presence of logging strings. The essential ransomware behavior, however, can’t easily be observed without the correct password, which frustrates automated sandbox analysis.
Trend Micro’s internal telemetry revealed traces of Cobalt Strike malware commands that might have been utilized to infiltrate the system and drop the encrypting payload. There’s also evidence that the malicious URL connected to the White Rabbit attack is related to FIN8, a well-known APT player.
Lodestone researchers also noticed that the ransomware is using a previously unknown backdoor called Badhatch, also associated with FIN8. However, the researchers were unable to obtain files related to that URL to perform an analysis.
In terms of its routine, White Rabbit acts like typical ransomware. It also carries out double extortion, threatening to sell or publish its targets’ stolen data.
What about White Rabbit Ransomware’s Encryption?
For each encrypted file, the ransomware creates a separate ransom note. Each note takes the name of the encrypted file with the extension .scrypt.txt appended.
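As an added defender-side example (not code from the Trend Micro report or this article), the following Python script turns the note-naming behavior described above into a simple detection: it flags files ending in .scrypt.txt, recovers the name of the file each note refers to, and raises a stronger alert when several notes appear in the same directory. The directory listing is constructed, and the assumption that the encrypted file keeps its original name next to its note is mine.

```python
import os
from typing import Dict, Iterable, List, Optional

NOTE_SUFFIX = ".scrypt.txt"  # per-file ransom note extension described in the report


def note_origin(path: str) -> Optional[str]:
    """Return the path of the file a White Rabbit note refers to, or None.

    A note is named <encrypted file name> + ".scrypt.txt", so stripping the suffix
    gives the original name (assumption: the victim file itself is not renamed).
    A bare ".scrypt.txt" basename is not treated as a note.
    """
    base = os.path.basename(path)
    if base.endswith(NOTE_SUFFIX) and len(base) > len(NOTE_SUFFIX):
        return path[: -len(NOTE_SUFFIX)]
    return None


def find_white_rabbit_notes(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group detected notes by directory: {directory: [affected original paths]}."""
    hits: Dict[str, List[str]] = {}
    for p in set(paths):
        origin = note_origin(p)
        if origin is not None:
            hits.setdefault(os.path.dirname(p) or ".", []).append(origin)
    for files in hits.values():
        files.sort()
    return hits


def directories_over_threshold(hits: Dict[str, List[str]], threshold: int = 3) -> List[str]:
    """One note per encrypted file means a burst of notes in a single directory
    is a much stronger ransomware signal than a lone match."""
    return sorted(d for d, files in hits.items() if len(files) >= threshold)


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Apply the same check to a real directory tree (not used by the constructed demo)."""
    paths = [os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs]
    return find_white_rabbit_notes(paths)


# Constructed listing for demonstration, not real telemetry.
SAMPLE_LISTING = [
    "/srv/share/finance/q4.xlsx",
    "/srv/share/finance/q4.xlsx.scrypt.txt",
    "/srv/share/finance/budget.docx",
    "/srv/share/finance/budget.docx.scrypt.txt",
    "/srv/share/finance/notes.txt.scrypt.txt",
    "/home/alice/readme.scrypt.txt",  # single note elsewhere: recorded, below threshold
    "/home/alice/scrypt.txt",         # not a note: no file name before the suffix
    "/opt/app/config.json",
]

if __name__ == "__main__":
    hits = find_white_rabbit_notes(SAMPLE_LISTING)
    for d in directories_over_threshold(hits):
        print(f"[!] {len(hits[d])} ransom notes in {d}: {hits[d]}")
```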
“Prior to the ransomware routine, the malware also terminates several processes and services, particularly antivirus-related ones,” Trend Micro noted.
In conclusion, the researchers believe that the ransomware is still in development. “Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods. As such, it is worth monitoring,” the report said.