Satan Ransomware used in Multi-Platform Cryptomining and Ransomware Campaign
Mar 31, 2019
Juniper Threat Labs has been monitoring a campaign that delivered multiple stages of malware to install a cryptocurrency miner and ransomware. On March 16, 2019, we identified a surge in attacks that target an Apache Struts vulnerability to deliver their payload.
The attack appears to come from the following two IP addresses, 18.104.22.168 and 22.214.171.124, with 99 percent of the attacks coming from the former.
As any Apache web server can be configured to be accessed on different ports, the attacker essentially tried to deliver the exploit on mostly all ports, with the attack on port 80 being slightly higher.
We looked back at previous attacks of this campaign and found similar attacks in November and December.
During this period, the following IPs were the source of attacks:
Apache Struts Vulnerability
The Apache Struts vulnerability is well known as it is the one exploited in the infamous Equifax breach. There are two Apache Struts RCE vulnerabilities that are actively exploited.
This vulnerability allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition or Content-Length HTTP header with a Content-Type header containing a #cmd= string. The attacks are as follows:
This vulnerability allows remote code execution on Apache Struts 2.
Another way of attacking their targets is by uploading a webshell. If a web application is vulnerable to this attack, it allows the attacker to upload any file, which it will access later on.
To trigger the webshell, the attacker will issue an HTTP GET request on the uploaded file.
The payload is downloaded from http://111[.]90[.]159.106/d/fast.exe. In turn, this file will download three additional files from the same download server and install them into C:\Program Files\Common Files\System.
This file is the Satan ransomware version 5.1. It encrypts files with the following extensions:
After encryption, it displays the following ransom note including the bitcoin wallet address to pay the ransom. However, it does not indicate the amount of bitcoin to pay. This is a first indication that the attacker may not be interested in collecting the ransom.
Translated to English
Additionally, this malware replaces all the executables in non-critical Windows folders with its own. The replaced executables are not saved anywhere. This will make your installed applications unusable. This is a stronger indication that this is more of a destroyer rather than a ransomware.
To protect its own files and to ensure that the operating system will still work after infection, it will not replace or encrypt files or folders with the following names in them:
Srv.exe (Module Manager)
The function of this file is to continuously update the modules (Ransomware, Miner and Spreader) and make sure that all of its modules are running. It first starts installing itself as a service named “Logs Service”.
It enters into a loop, constantly checking for updates of all the modules and beacons out to its CnC server 126.96.36.199.
This is the largest file among the modules and it carries with it the EternalBlue file and Doublepulsar backdoor, including all of its dependencies. Its main function is to spread laterally using the EternalBlue exploit along with the DoublePulsar backdoor to drop and execute down64.dll, which will download and install http://111[.]90[.]159.106/d/fast.exe.
Down64.dll will get loaded into memory and will download and execute fast.exe to start the infection chain all over again.
It can also spread using other exploits including the Apache Struts2 exploit and Weblogic exploit.
Svchost.exe (XMRig Miner)
This XMRig miner joins the mining pool 188.8.131.52.443, which is the same as the download server.
The attack also has a Linux version when it identifies that the OS is Linux. The payload downloaded is http://111[.]90[.]159[.]106/d/ft32 or ft64 depending on the system. It installs itself as .loop. To ensure its persistence, it creates a cron job to run itself every five minutes. This file is the equivalent of srv.exe, which downloads and installs all of the other components.
Linux Spreader Module (32-bit)
Linux Spreader Module (64-bit)
Linux Satan Ransomware (32-bit)
Linux Satan Ransomware (64-bit)
Linux XMRig Miner(32-bit)
Linux XMRig Miner(64-bit)
The spreader module for this case does not include the eternalblue/doublepulsar. Instead, it uses an SSH brute-forcer module with hardcoded credentials.
Usernames for the SSH-Bruteforce
In conclusion, this campaign has a lot of similarities to the bulehero attack, which we blogged about last month pointing to their usage of web application exploits and spreading capability via EternalBlue and DoublePulsar with the payload being a Cryptominer. The difference in this attack is that it includes a ransomware, which appears to be a destructive malware as it replaces all non-critical executables with the ransomware file, which could make most applications on the infected system unusable. It also includes a Linux version for the payload and its modules, which increases its attack surface. Another difference is that bulehero attacks are daily while this campaign appears to be sporadic.
Looking at the bitcoin wallet’s activity, it seems the campaign on November 26 may have generated one payment of 0.6 BTC. This is the only transaction into this wallet followed by a withdrawal from the wallet a few days later.
Juniper Threat Labs is constantly monitoring for cyberattacks and making sure that we create protection against these attacks.
Juniper Advanced Threat Prevention (JATP) Appliance and Juniper Sky ATP detects the file as follows: