Since its discovery, the malware was costantly updated, in one of the campaigns monitored by Fortinet, it utilized a cryptominer as an additional payload to maximize its profits.
The Satan ransomware targets both Linux and Windows machines, it attempts to exploit a large number of vulnerabilities to propagate itself through public and external networks.
The initial spreader can propagate via both private and public networks. The Windows component there were no specific changes and the ransomware still leverages the NSA EternalBlue exploit.
In order to target public IPs, the spreader retrieves the list of targets from the C2 server and iterates through all of them. All the attacks observed by Fortinet originated from IP addresses located in China.
“Its initial spreader, conn.exe on Windows and conn32/64 on Linux, is capable of propagating through both private and public networks. In older campaigns, its Linux component (conn32/64) only propagates through non-Class A type private networks. However, it has recently been updated and now supports both private and public network propagation.” reads the analysis published by Fortinet. “For the Windows component (conn.exe), nothing much has really changed, and it even still carries the EternalBlue exploit (from the NSA) and the open-source application Mimikatz.”
The Satan ransomware attempt to exploits a long list of known vulnerabilities, including JBoss default configuration vulnerability (CVE-2010-0738), Tomcat arbitrary file upload vulnerability (CVE-2017-12615), WebLogic arbitrary file upload vulnerability (CVE-2018-2894), WebLogic WLS component vulnerability (CVE-2017-10271), Windows SMB remote code execution vulnerability (MS17-010), and Spring Data Commons remote code execution vulnerability (CVE-2018-1273).
Both Windows and Linux recent variants observed by the experts include several web application remote code execution exploits. Below the list of new vulnerabilities targeted by the recently discovered varant.
The propagation method implemented performs
“It performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address encountered, along with its corresponding hardcoded port list that is described below.” continues the analysis. “To be more efficient, it implements
Experts also observed that Satan ransomware attempts to scan some applications, including Drupal, XML-RPC, Adobe, and notifies the server if an application exists, likely for statistic purpose.
“Satan Ransomware is becoming more and more aggressive with its spreading. By expanding the number of vulnerable web services and applications it targets, it increases its chance of finding another victim and generating more profits.” Fortinet concludes. “In addition, Satan Ransomware has also already adopted the Ransomware-as-a-Service scheme, opening it up to use by more threat actors, which means more attacks and more revenue,”