Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Juniper Employee , Juniper Employee Juniper Employee
Threat Research
Satan Ransomware used in Multi-Platform Cryptomining and Ransomware Campaign
Mar 31, 2019

 

Satan Ransomware Campaign.png

 

Juniper Threat Labs has been monitoring a campaign that delivered multiple stages of malware to install a cryptocurrency miner and ransomware. On March 16, 2019, we identified a surge in attacks that target an Apache Struts vulnerability to deliver their payload.

pasted image 0.png

The attack appears to come from the following two IP addresses, 87.120.36.165 and 87.120.36.222, with 99 percent of the attacks coming from the former.

 

As any Apache web server can be configured to be accessed on different ports, the attacker essentially tried to deliver the exploit on mostly all ports, with the attack on port 80 being slightly higher.

 

Previous Attacks

We looked back at previous attacks of this campaign and found similar attacks in November and December.


previous_attack.png

During this period, the following IPs were the source of attacks:

  • 204.44.78.61
  • 54.37.196.121
  • 86.106.102.155
  • 111.90.141.97
  • 192.200.208.66
  • 61.155.158.71

 

Exploitation 

Apache Struts Vulnerability

The Apache Struts vulnerability is well known as it is the one exploited in the infamous Equifax breach. There are two Apache Struts RCE vulnerabilities that are actively exploited.

 

CVE-2017-5638

 

This vulnerability allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition or Content-Length HTTP header with a Content-Type header containing a #cmd= string. The attacks are as follows:


exploit1.png

 

CVE-2018-11776

This vulnerability allows remote code execution on Apache Struts 2.


exploit2.png

 

WebShell

Another way of attacking their targets is by uploading a webshell. If a web application is vulnerable to this attack, it allows the attacker to upload any file, which it will access later on.


exploit3.png

 

To trigger the webshell, the attacker will issue an HTTP GET request on the uploaded file.

webshell.png

 

 

Payload

The payload is downloaded from http://111[.]90[.]159.106/d/fast.exe. In turn, this file will download three additional files from the same download server and install them into C:\Program Files\Common Files\System.


payload1.png

 

Cpt.exe (Ransomware)

This file is the Satan ransomware version 5.1. It encrypts files with the following extensions:


file_ext.png

 

After encryption, it displays the following ransom note including the bitcoin wallet address to pay the ransom. However, it does not indicate the amount of bitcoin to pay. This is a first indication that the attacker may not be interested in collecting the ransom.

ransom_note.png

 

Translated to English

ransom_note_eng.png

 

 

Additionally, this malware replaces all the executables in non-critical Windows folders with its own. The replaced executables are not saved anywhere. This will make your installed applications unusable. This is a stronger indication that this is more of a destroyer rather than a ransomware.

replaced_files.png

 

To protect its own files and to ensure that the operating system will still work after infection, it will not replace or encrypt files or folders with the following names in them:

 

whitelist.png

 

Srv.exe (Module Manager)

The function of this file is to continuously update the modules (Ransomware, Miner and Spreader) and make sure that all of its modules are running. It first starts installing itself as a service named “Logs Service”.  

 


service.png

 

It enters into a loop, constantly checking for updates of all the modules and beacons out to its CnC server 111.90.159.106.

 

updater.png

beaconing.png

 

Conn.exe (Spreader)

This is the largest file among the modules and it carries with it the EternalBlue file and Doublepulsar backdoor, including all of its dependencies. Its main function is to spread laterally using the EternalBlue exploit along with the DoublePulsar backdoor to drop and execute down64.dll, which will download and install http://111[.]90[.]159.106/d/fast.exe.

 

spreader_command.png

 

Down64.dll will get loaded into memory and will download and execute fast.exe to start the infection chain all over again.

 

It can also spread using other exploits including the Apache Struts2 exploit and Weblogic exploit.

 

Svchost.exe (XMRig Miner)

 

This XMRig miner joins the mining pool 111.90.159.106.443, which is the same as the download server.


xmr.png

 

Linux Component

The attack also has a Linux version when it identifies that the OS is Linux. The payload downloaded is http://111[.]90[.]159[.]106/d/ft32 or ft64 depending on the system. It installs itself as .loop. To ensure its persistence, it creates a cron job to run itself every five minutes. This file is the equivalent of srv.exe, which downloads and installs all of the other components.

 

Download URL

Install Name

Function

http://111[.]90[.]159[.]106/d/conn32

.conn

Linux Spreader Module (32-bit)

http://111[.]90[.]159[.]106/d/conn64

.conn

Linux Spreader Module (64-bit)

http://111[.]90[.]159[.]106/d/cry32

.crypt

Linux Satan Ransomware (32-bit)

http://111[.]90[.]159[.]106/d/cry64

.crypt

Linux Satan Ransomware (64-bit)

http://111[.]90[.]159[.]106/d/mn32

.data

Linux XMRig Miner(32-bit)

http://111[.]90[.]159[.]106/d/mn64

.data

Linux XMRig Miner(64-bit)

 

 

The spreader module for this case does not include the eternalblue/doublepulsar. Instead, it uses an SSH brute-forcer module with hardcoded credentials.

 

Usernames for the SSH-Bruteforce


brute1.png

 

Passwords:

brute2.png

 

In conclusion, this campaign has a lot of similarities to the bulehero attack, which we blogged about last month pointing to their usage of web application exploits and spreading capability via EternalBlue and DoublePulsar with the payload being a Cryptominer. The difference in this attack is that it includes a ransomware, which appears to be a destructive malware as it replaces all non-critical executables with the ransomware file, which could make most applications on the infected system unusable. It also includes a Linux version for the payload and its modules, which increases its attack surface. Another difference is that bulehero attacks are daily while this campaign appears to be sporadic.

 

Looking at the bitcoin wallet’s activity, it seems the campaign on November 26 may have generated one payment of 0.6 BTC. This is the only transaction into this wallet followed by a withdrawal from the wallet a few days later.

 

Juniper Threat Labs is constantly monitoring for cyberattacks and making sure that we create protection against these attacks.



Juniper Advanced Threat Prevention (JATP) Appliance and Juniper Sky ATP detects the file as follows:


jatp.png

skyatp.png

 

Indicators of Compromise

 

9076abe37b87935759b2b300734e84e488fb7636ec224109dd5bf24713b0d7c9

2023f148ce2d9669c656e7cb678e99eb68397cfbab5ddea1f2f362375cdb6a3c

10ec2b718cdcf914fb19cda90f27c0a8475af4920d265f06cfe8ba4b50329457

b8c903f9d41335d25ac04cc81d3635b6692163bdbead07d81d8178d3484ba9e7

f7a83fb80016e3598147e6fd1d472a5f2af89f7559d46b846e8739416ceb1eb1

bcd7d7696f16c670c12fb9ed5e37b7b5663ca0921f3aa9249f306ca04debe861

fdb335f1d5ddb899b0a9dd316712831417a2eabae0a7370c7830fcaf4f9aa914

52c93e117f8e718002df0048b358284871fc4ec24ab329e162a3b045662f7249

f433f3bcf152539c06839780786fd405d64de3e02e69bb0cc1300fcaaa500536

b1d5b19147748b6f597cffe1bb24e2cc1ed491acef928a95d8f92cc4ff32b116

170abb31fd18cb81b85f89757c44b837499306d8f3be6436e8a41af599d67a57

c87cdf3460fb33374d6bb30765026e77b6ee35a50715890286f99809e5718590

b1d5b19147748b6f597cffe1bb24e2cc1ed491acef928a95d8f92cc4ff32b116

6a5eb4f72b9177e6a353dfa36502521c2d06bcb54a6f61f31c46118922f1a4f6

828d011761c08d233db5eaa95790b288029605039891354b7df3e2a6b9b182a5

15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

976ca910563e0d458edbf209e9c255f41f368cdf17010f3c247c070901804d80

B1d5b19147748b6f597cffe1bb24e2cc1ed491acef928a95d8f92cc4ff32b116

http://111[.]90[.]159.106/d/fast.exe

http://111[.]90[.]159.106/d/cpt.exe

http://111[.]90[.]159.106/d/srv.exe

http://111[.]90[.]159.106/d/conn.exe

http://111[.]90[.]159.106/d/ft32

http://111[.]90[.]159.106/d/ft64

http://111[.]90[.]159.106/d/cry32

http://111[.]90[.]159.106/d/cry64

http://111[.]90[.]159.106/d/conn64

http://111[.]90[.]159.106/d/conn32

http://111[.]90[.]159.106/d/mn32

http://111[.]90[.]159.106/d/mn64

111.90.159.106





Top Kudoed Members