Trend Micro first detected the ransomware in an attack against a local US bank in December last year. It added that White Rabbit has similar traits to Egregor, an established ransomware family. Read on to learn more about White Rabbit and how you can protect yourself.
White Rabbit Requires Specific Command-line Password
At first glance, White Rabbit is not likely to raise suspicion. It is a small file of around 100 KB. Furthermore, it has no notable strings and doesn’t register much activity either. However, what makes White Rabbit noteworthy is how its ransomware payload binary requires a specific command-line password. This decrypts its internal configuration, after which it proceeds with its ransomware routine. “This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis,” Trend Micro said in its blog post. “The telltale sign of its malicious origin is the presence of strings for logging, but the actual behavior would not be easily observed without the correct password,” it added.
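Because the payload decrypts its configuration only when the right password is supplied on the command line, detonating the file in a sandbox on its own shows very little; the process-creation event that launched it is where the password is actually visible. The following Python script is an added example for this article and is not code from Trend Micro's report or from the malware: it scans constructed process-creation records (the JSON field names image, cmdline, signed and size_kb are assumptions, not any product's real schema; the actual switch White Rabbit uses is not stated here and the `-p` in the sample is made up) and flags executables started with a password-like argument, then ranks each hit by the extra traits the article mentions, a small unsigned image launched from a user-writable path.

```python
from __future__ import annotations

import json
import math
from collections import Counter

# Constructed process-creation events in a simplified JSON-lines shape.
# Field names and values are invented for this example; they are not the
# schema or output of any particular EDR or Sysmon export.
SAMPLE_EVENTS = r'''
{"host":"ws01","image":"C:\\Users\\pat\\Downloads\\update.exe","cmdline":"update.exe -p 7Xq9!vL2#mRt8zWa","signed":false,"size_kb":98}
{"host":"ws01","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs","signed":true,"size_kb":55}
{"host":"ws02","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i C:\\Temp\\agent.msi /qn","signed":true,"size_kb":62}
{"host":"ws02","image":"C:\\Program Files\\Vendor\\backup.exe","cmdline":"backup.exe --token A1b2C3d4E5f6G7h8","signed":true,"size_kb":4210}
'''.strip().splitlines()


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def password_like(token: str, min_len: int = 12, min_bits: float = 3.5) -> bool:
    """True if `token` looks like a secret passed on the command line: long
    enough, drawn from at least three character classes, and high entropy.
    Switches, paths and URLs are excluded up front so they never count."""
    if len(token) < min_len:
        return False
    if token[0] in "-/" or any(ch in token for ch in "\\/:"):
        return False
    classes = sum(
        any(pred(ch) for ch in token)
        for pred in (str.islower, str.isupper, str.isdigit, lambda ch: not ch.isalnum())
    )
    return classes >= 3 and shannon_entropy(token) >= min_bits


def argument_tokens(cmdline: str) -> list[str]:
    """Split a command line on whitespace, dropping the program name and quotes."""
    parts = [p.strip("\"'") for p in cmdline.split()]
    return parts[1:]


def triage(lines: list[str], small_kb: int = 256) -> list[dict]:
    """Return one finding per event whose command line carries a password-like
    argument. Each finding lists the extra signals that raise its priority."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        secrets = [t for t in argument_tokens(ev["cmdline"]) if password_like(t)]
        if not secrets:
            continue
        signals = []
        if not ev.get("signed", False):
            signals.append("unsigned binary")
        if ev.get("size_kb", 0) <= small_kb:
            signals.append(f"small image (<= {small_kb} KB)")
        if "\\users\\" in ev["image"].lower():
            signals.append("launched from a user profile path")
        findings.append({
            "host": ev["host"],
            "image": ev["image"],
            "argument": secrets[0],
            "signals": signals,
            # Two or more corroborating traits: treat as high priority.
            "priority": "high" if len(signals) >= 2 else "review",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['priority']:6} {f['host']} {f['image']} "
              f"arg={f['argument']} signals={f['signals']}")
```

On the sample data the unsigned 98 KB update.exe from a Downloads folder comes out as high priority, while the signed backup.exe passing an API token is only marked for review: the entropy test alone cannot tell a ransomware password from a legitimate secret, which is why the size, signature and launch-path signals are layered on top, and why the recovered argument should be kept with the sample so analysts can reproduce the payload's real behaviour.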
Ransomware Could Have Links to FIN8 APT Group
White Rabbit’s ransomware routine is not novel or complicated. It uses double extortion: it steals data from victims and threatens to publish it. Interestingly, other security researchers found that the malicious URL connected to White Rabbit is related to the advanced persistent threat (APT) group called FIN8. The group is known for being financially motivated and usually carries out phishing campaigns. Researchers at Lodestone also said White Rabbit uses a version of Badhatch, which is an F5 backdoor that has ties to FIN8. Trend Micro also said, “given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware.” However, Trend Micro could not confirm this association. You can read more about FIN8 and one of their high-profile attacks from last year here.
How to Protect Yourself from White Rabbit
Trend Micro recommends the following steps to organizations to mitigate risks associated with ransomware attacks such as White Rabbit:
- Deploying cross-layered detection and response solutions that can anticipate ransomware threats before culmination
- Creating an attack prevention and recovery playbook to help organizations prepare for different attack scenarios
- Conducting simulations to identify potential gaps in their security systems
Organizations need to establish security guidelines to protect themselves against such attacks, especially as new and more harmful iterations of malware come to light. “White Rabbit is likely still in its development phase, considering its uncomplicated ransomware routine. Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware,” Trend Micro stated in its blog. If you found this story interesting, we recommend checking out our article that explains everything you need to know about ransomware.