Rewterz Threat Advisory – New Variant of Satan Ransomware

This is an advisory on DBGer Ransomware; a New Variant of Satan Ransomware, which attacks and encrypts the victim’s host and requests a bitcoin payment.

IMPACT:  NORMAL

PUBLISH DATE:  05_-07-2018

OVERVIEW

A new variant of Satan Ransomware was identified as DBGer. It works by dropping Mimikatz, dumping passwords for networked computers. The obtained credentials are then used to access and infect those devices. The malware also drops several EternalBlue files in the victim’s host. EternalBlue is used to scan the local network for computers with outdated SMB services and infects them.

The Satan ransomware also uses other exploits to propagate through networks. The DBGer exploits include:

• JBoss CVE-2017-12149
• Weblogic CVE-2017-10271
• EternalBlue exploit CVE-2017-0143
• Tomcat web application brute forcing
• BACKGROUND INFORMATION:

Satan Ransomware was first discovered by security researchers in January 2017 as a Ransomware-as-a-Service (RaaS), which is now rebranded to the name DBGer Ransomware, as discovered by the MalwareHunter, whose Modus Operandi has also been changed. The new variant DBGer also uses the EternalBlue exploit and incorporates Mimikatz, an open-source password-dumping utility.

Satan Ransomware was identified as using the EternalBlue exploit to spread across compromised environments. This is the same exploit associated with a previous WannaCry Ransomware campaign. In March 2017, Microsoft patched the vulnerability associated with EternalBlue. However, many environments still remain vulnerable to it.

A cyber-attack involving ransomware means that the attacker encrypts the data on the compromised device and then asks for a bitcoin payment as ransom. If the attacked organization does not pay the ransom, the attacker has the monopoly of destroying the data of the compromised device or it may remain encrypted and the user fails to access it.

WORK ANALYSIS

The sample of the variant observed by MalwareHunter was packed with the MPRESS packer as shown below.

Sts.exe initiates the process of spreading across the network by scanning all the systems within the same network segment. Through the following command line, systems vulnerable to SMB EternalBlue exploit will execute the previously dropped library down64.dll.

The down64.dll attempts to load code in the target’s memory, and then downloads sts.exe, using the legitimate Microsoft certutil.exe tool. This is a known download technique described as Remote File Copy – T1105 in Mitre ATT&CK.After infecting other systems in the same network, the sample finally drops Satan Ransomware into C:\Satan.exe file. This executable is also packed with MPRESS as the original sample.

Executing Satan.exe starts the ransomware attack, which first stops the following processes:

The ransomware then proceeds to encrypt the data on the compromised device. After encryption, Satan.exe creates a note in  C:\_How_to_decrypt_files.txt with instructions, and then executes notepad to open the note.

The note contains the instructions to decrypt the system and a contact email address: satan_pro@mail[.]ru, requesting a Bitcoin payment as seen below in a sample of the note:

THREAT INDICATORS

File-Hashes

• 3e3f8570c11dff0b5a0e061eae6bdd66cf9fa01d815658a0589d98873500358d
• 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13
• b556b5c077e38dcb65d21a707c19618d02e0a65ff3f9887323728ec078660cc3
• 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
• 0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
• 93027b47ef0b6f7d933017320951bbbeef792a8f1bc43b3fe96c2b61f1dc2636
• cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
• 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
• ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
• db0831e19a4e3a736ea7498dadc2d6702342f75fd8f7fbae1894ee2e9738c2b4
• aa8adf96fc5a7e249a6a487faaf0ed3e00c40259fdae11d4caf47a24a9d3aaed
• be8eb97d8171b8c91c6bc420346f7a6d2d2f76809a667ade03c990feffadaad5
• 0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
• 50f329e034db96ba254328cd1e0f588af6126c341ed92ddf4aeb96bc76835937
• aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
• cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
• b7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68
• b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
• f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
• 5f30aa2fe338191b972705412b8043b0a134cdb287d754771fc225f2309e82ee
• cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682

IP Addresses

45.124.132.119

URI paths

/invoker/readonly

/orders.xhtml

/Clist1.jsp

/manager/html

/wls-wsat/CoordinatorPortType

RESOLVE

• Update to the latest software version for your applications, especially those related to CVE-2017-12149, CVE-201710271, and CVE-2017-0143.
• Ensure your organization is running an actively supported operating system that receives security updates.
• Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.
• Run anti-malware software on your system and ensure you regularly receive malware signature updates.
• Do not click on any suspicious pop ups or download files from suspicious websites.
• Ensure anti-virus software is updated with the latest signatures.
• Monitor or block the indicators included in this report.
• Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the ransom.

If you think you are a victim of a cyber-security attack. Immediately send an email to info@rewterz.com for a rapid response.