Watch out, the Satana ransomware is coming

Pierluigi Paganini July 07, 2016

A newly emerging strain of malware dubbed Satana, which was first spotted last week, appears to be based on the crypto-lockers Petya and Mischa.

Experts from Malwarebytes Labs have described the malicious software as being at the “malware-in-development” stage, with growth and evolution expected over the coming weeks as its popularity and use increase.

Like Petya and Mischa, Satana (Italian for devil) has two methods of operation. The first works like Petya: a dropper writes a bootloader with a custom kernel to the start of the disk. The second displays characteristics of Mischa, acting in typical cryptoware fashion by encrypting the user’s files, in this case using AES.

Unlike Petya and Mischa, this latest variant employs both methods back to back in order to compromise the system bootloader then subsequently the user data.

Satana installs silently and waits patiently for a system reboot, whereupon it displays the ransom note, confirming the compromise and detailing the instructions for decryption. This differs from Petya’s more aggressive approach of forcing a fake BSOD that prompts the user to reboot.

Satana’s ransom note which appears on the first reboot following successful infection

The second stage of operation sees the malware work its way through the infected system, encrypting the user’s files one by one and leaving a ransom note in each folder, labelled !satana!.txt.

All of the user’s files are renamed with the hard-coded email address which is to be used in the unlocking process, under the format <email address>_<original file name>.

Targeted file extensions include: .bak .doc .jpg .jpe .txt .tex .dbf .db .xls .cry .xml .vsd .pdf .csv .bmp .tif .1cd .tax .gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn .stl .gho .v2i .3ds .ma .ppt .acc .vpd .odt .ods .rar .zip .7z .cpp .pas .asm
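The file-level indicators described above (a !satana!.txt note in each folder and files renamed to <email address>_<original file name>) can be checked for during triage. The following sketch is an added example, not code from Malwarebytes Labs or from this article; the email pattern is an assumption because the hard-coded address is not given here, and the sample tree and address are constructed.

```python
import os
import re
import tempfile

NOTE_NAME = "!satana!.txt"  # ransom note name reported in the article
# Targeted extensions as listed in the article.
TARGETED = set("""
.bak .doc .jpg .jpe .txt .tex .dbf .db .xls .cry .xml .vsd .pdf .csv .bmp .tif
.1cd .tax .gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn .stl .gho .v2i .3ds .ma
.ppt .acc .vpd .odt .ods .rar .zip .7z .cpp .pas .asm
""".split())
# <email address>_<original file name>. The address shape is an assumption:
# the article does not give the hard-coded address itself.
RENAMED = re.compile(r"^(?P<email>[^@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})_(?P<orig>.+)$")


def scan(root):
    """Map each flagged folder to the indicators found directly inside it."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        note = any(name.lower() == NOTE_NAME for name in files)
        renamed = []
        for name in files:
            m = RENAMED.match(name)
            # Only count renames whose original extension is on the target list.
            if m and os.path.splitext(m["orig"])[1].lower() in TARGETED:
                renamed.append((name, m["orig"]))
        if note or renamed:
            findings[folder] = {"note": note, "renamed": sorted(renamed)}
    return findings


def build_sample(root):
    """Create a constructed test tree: one folder with indicators, one clean."""
    hit, clean = os.path.join(root, "docs"), os.path.join(root, "clean")
    os.makedirs(hit)
    os.makedirs(clean)
    for path in (os.path.join(hit, NOTE_NAME),
                 os.path.join(hit, "someone@example.invalid_report.doc"),  # constructed
                 os.path.join(hit, "notes_2016.txt"),   # underscore but no address
                 os.path.join(clean, "photo.jpg")):
        open(path, "w").close()
    return hit, clean


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, info in scan(tmp).items():
            print(folder, info)
```

A hit is a lead for further investigation rather than confirmation, and the check does not cover the bootloader stage.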

Malwarebytes Labs has reported that the encryption key is randomly generated and sent to Command and Control (C2) Servers along with other info on the infected client machine.

Much of this malware seems unfinished, and researchers have speculated that this particular variant has been released into the wild accidentally. Several key features of the analyzed code, including the low-level attack segments as well as erroneous bitcoin wallet details, point to the fact that this may be in a pre-production stage of development.

The expectation, however, is that we will see a coming evolution of this variant, which seems to employ the most aggressive features of two of the most successful cryptowarez presently available.

Written by: Steven Boyd

Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

(Security Affairs – Satana, cybercrime)


