Pierluigi Paganini May 22, 2019

A variant of the Satan ransomware recently observed includes exploits to its arsenal and targets machines leveraging additional flaws.

Experts at FortiGuard Labs have discovered a new variant of the Satan ransomware that includes new exploits to its portfolio and leverages additional vulnerabilities to infect as many machines as possible.

The Satan ransomware first appeared in the threat landscape in January 2017 when the independent malware research @Xylit0l discovered it. The ransomware belongs to the Gen:Trojan.Heur2.FU family and was offered as a RaaS (Ransomware-as-a-Service).

The Satan ransomware used RSA-2048 and AES-256 cryptography, it appends the names of encrypted files with the “.stn” extension.

Since its discovery, the malware was costantly updated, in one of the campaigns monitored by Fortinet, it utilized a cryptominer as an additional payload to maximize its profits.

The Satan ransomware targets both Linux and Windows machines, it attempts to exploit a large number of vulnerabilities to propagate itself through public and external networks. 

The initial spreader can propagate via both private and public networks. The Windows component there were no specific changes and the ransomware still leverages the NSA EternalBlue exploit. 
In order to target public IPs, the spreader retrieves the list of targets from the C2 server and iterates through all of them. All the attacks observed by Fortinet originated from IP addresses located in China.

“Its initial spreader, conn.exe on Windows and conn32/64 on Linux, is capable of propagating through both private and public networks. In older campaigns, its Linux component (conn32/64) only propagates through non-Class A type private networks. However, it has recently been updated and now supports both private and public network propagation.” reads the analysis published by Fortinet. “For the Windows component (conn.exe), nothing much has really changed, and it even still carries the EternalBlue exploit (from the NSA) and the open-source application Mimikatz.”

The Satan ransomware attempt to exploits a long list of known vulnerabilities, including JBoss default configuration vulnerability (CVE-2010-0738), Tomcat arbitrary file upload vulnerability (CVE-2017-12615), WebLogic arbitrary file upload vulnerability (CVE-2018-2894), WebLogic WLS component vulnerability (CVE-2017-10271), Windows SMB remote code execution vulnerability (MS17-010), and Spring Data Commons remote code execution vulnerability (CVE-2018-1273). 

Both Windows and Linux recent variants observed by the experts include several web application remote code execution exploits. Below the list of new vulnerabilities targeted by the recently discovered varant.

• Spring Data REST Patch Request (CVE-2017-8046)
• ElasticSearch (CVE-2015-1427)
• ThinkPHP 5.X Remote Code Execution (no CVE)

The propagation method implemented performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address
encountered, along with the corresponding hardcoded port list.

“It performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address encountered, along with its corresponding hardcoded port list that is described below.” continues the analysis. “To be more efficient, it implements multi-threading, in which separate threads are spawned for every propagation attempt for every targeted IP and port. “

Experts also observed that Satan ransomware attempts to scan some applications, including Drupal, XML-RPC, Adobe, and notifies the server if an application exists, likely for statistic purpose.

“Satan Ransomware is becoming more and more aggressive with its spreading. By expanding the number of vulnerable web services and applications it targets, it increases its chance of finding another victim and generating more profits.” Fortinet concludes. “In addition, Satan Ransomware has also already adopted the Ransomware-as-a-Service scheme, opening it up to use by more threat actors, which means more attacks and more revenue,”

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Satan Ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]