Bart Blaze's security blog recently reported that Satan ransomware has added the EternalBlue exploit to improve its propagation. You may remember that a year ago (May 2017) the WannaCry ransomware outbreak was the first large-scale use of EternalBlue, and it compromised hundreds of thousands of systems across the globe in a matter of hours. Since then various malware families and threat groups have integrated EternalBlue into their attack chains (NotPetya, for example).

EternalBlue is an exploit, allegedly developed by the NSA, that was obtained by the group calling itself the Shadow Brokers and published on the public internet in April 2017, making it available to anyone. It targets a flaw in Microsoft's SMBv1 implementation (CVE-2017-0144, fixed by MS17-010). Malware that bundles it scans a network for hosts with TCP port 445 (Server Message Block) open; when it finds one and the target proves vulnerable, the exploit runs and drops the malware payload (in this case Satan ransomware).

Satan ransomware is relatively new: it was first observed in the wild in January 2017, offered on the dark web as Ransomware-as-a-Service (RaaS). The service lets any attacker, novice or experienced, individual or group, build a customized version of Satan. The developer's only price is a 30% commission on whatever victims pay: ransoms go to a Bitcoin wallet controlled by the developer, who keeps 30% and forwards the remaining 70% to the affiliate.

Adding EternalBlue to the Satan toolkit significantly increases the speed at which it can spread and will likely produce more successful compromises, but it is highly unlikely that the number of victims will come anywhere near WannaCry levels, because most organizations have since applied MS17-010, which closes the vulnerability EternalBlue exploits. Many internet-connected systems are nonetheless still unpatched.

Most of the success attackers have with EternalBlue will probably come from using it to spread laterally within an enterprise network rather than across the public internet, since organizations tend to be more thorough about patching internet-facing devices while leaving internal hosts vulnerable. That strategy of course requires an initial foothold in the enterprise, most likely via phishing.

Impact

This development is unlikely to increase the overall threat ransomware poses, because the use of EternalBlue is already well known and the fix for it has been available since March 2017. The impact of the change is therefore minimal.

Mitigation

·        If you have not already, it is critical that you apply the update in Microsoft Security Bulletin MS17-010, and verify that it is actually installed rather than assuming it is; where SMBv1 is not needed, disable it

·        Monitor for and detect the known indicators of compromise listed below

·        Build and apply a ransomware policy and incident action plan

·        Ensure your anti-virus is up to date

·        Create backups, and test that you can restore from them

·        Enable User Account Control

Sources

·        Bart Blaze's blog

·        AlienVault OTX

·        BleepingComputer

·        Microsoft Security Bulletin MS17-010

Indicators of Compromise:

Filename: STS.exe

·        MD5: 12bc52fd9da66db3e63bfb196ceb9be6

·        SHA1: 4508e3442673c149b31e3fffc29cc95f834975bc

·        SHA256: b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee

·        Compilation timestamp: 2018-04-14 06:33:08

Download site: 198.55.107[.]149

User agent: RookIE/1.0

Filename: Client.exe, MD5: 94868520b220d57ec9df605839128c9b, archive that holds Satan ransomware

Filename: ms.exe, MD5: 770ddc649b8784989eed4cee10e8aa04, drops and loads EternalBlue

Filename: down64.dll, MD5: 17f8d5aff617bb729fcc79be322fcb67, executes command launching sts.exe

Filename: Cryptor.exe

Email Address: satan_pro[at]mail.ru

Malware Mutex: SATANAPP

URLs

·        http://198.55.107[.]149/data/token.php

·        http://198.55.107[.]149/cab/sts.exe

·        http://198.55.107[.]149/cab/setup.exe

·        http://198.55.107[.]149/cab/ms.exe

Additional MD5 Hashes

·        b596cd1000ea359068e742cd97a14238

·        12bc52fd9da66db3e63bfb196ceb9be6

Additional SHA1 Hashes

·        f22883001c7cb8887086d4a22c7e6c122fffceb6

·        592709e469daa27d95caa8edb39a0234250061fc

·        4b67fbb88603fb3de9f7618b12f4a38e1a6aa4e7

·        4508e3442673c149b31e3fffc29cc95f834975bc

·        347a92c23cfda8d34ecd67abe1b0d2588d8ad824

Additional SHA-256 Hashes

·        f857156d9f77c79ba9188e6e981a04bbb8c4e261790401eb0c5977a74f7aad46

·        e6ce36785cf1bc3cda69e2f3e888b880c8fe1b7180f669e8eb0de271c338018d

·        cbc941fc0d11294c4aad097667c102e1c29d208b5e325c84ee4e3899a6b07298

·        b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee

·        41f8ff166ba400a5692a4c709217ce32ddd1739028f3959490112e72cdc96fe1
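The mitigation list above asks you to monitor for the indicators in this section. As an added example, not code from Bart Blaze's post or from any of the cited sources, the Python script below loads those indicators (the hashes, download IP, user agent, URL paths and filenames listed above) and checks them against files on disk and against web-proxy log lines. The proxy log format and the sample log lines in it are constructed for the demonstration and are not from the page; adapt the regular expression to your own proxy's format.

```python
"""Added example (not from the original post or its sources): match the
Satan/EternalBlue indicators listed in this post against local files and
web-proxy log lines."""
import hashlib
import re
from pathlib import Path

# Indicators transcribed from the IOC list in this post (defanging removed).
IOC_HASHES = {
    "md5": {
        "12bc52fd9da66db3e63bfb196ceb9be6",  # STS.exe
        "94868520b220d57ec9df605839128c9b",  # Client.exe
        "770ddc649b8784989eed4cee10e8aa04",  # ms.exe
        "17f8d5aff617bb729fcc79be322fcb67",  # down64.dll
        "b596cd1000ea359068e742cd97a14238",
    },
    "sha1": {
        "4508e3442673c149b31e3fffc29cc95f834975bc",  # STS.exe
        "f22883001c7cb8887086d4a22c7e6c122fffceb6",
        "592709e469daa27d95caa8edb39a0234250061fc",
        "4b67fbb88603fb3de9f7618b12f4a38e1a6aa4e7",
        "347a92c23cfda8d34ecd67abe1b0d2588d8ad824",
    },
    "sha256": {
        "b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee",  # STS.exe
        "f857156d9f77c79ba9188e6e981a04bbb8c4e261790401eb0c5977a74f7aad46",
        "e6ce36785cf1bc3cda69e2f3e888b880c8fe1b7180f669e8eb0de271c338018d",
        "cbc941fc0d11294c4aad097667c102e1c29d208b5e325c84ee4e3899a6b07298",
        "41f8ff166ba400a5692a4c709217ce32ddd1739028f3959490112e72cdc96fe1",
    },
}
IOC_IP = "198.55.107.149"
IOC_USER_AGENT = "RookIE/1.0"
IOC_URL_PATHS = ("/data/token.php", "/cab/sts.exe", "/cab/setup.exe", "/cab/ms.exe")
# Filenames alone are weak indicators (ms.exe is a generic name), so they are
# reported separately from hash matches for the analyst to weigh.
IOC_FILENAMES = {"sts.exe", "client.exe", "ms.exe", "down64.dll", "cryptor.exe"}


def digests(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify_sample(name: str, data: bytes) -> list:
    """Return the reasons a file (name plus contents) matches the IOC list."""
    hits = []
    for algo, digest in digests(data).items():
        if digest in IOC_HASHES[algo]:
            hits.append(f"{algo} hash matches known Satan sample")
    if name.lower() in IOC_FILENAMES:
        hits.append(f"filename {name!r} matches IOC list (weak indicator)")
    return hits


def scan_directory(root: str) -> dict:
    """Hash every regular file under root; map path -> list of IOC hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = classify_sample(path.name, path.read_bytes())
            if hits:
                results[str(path)] = hits
    return results


# Constructed proxy log lines (hypothetical format: time client method url "ua").
# The first two are benign; the last two imitate the payload download described above.
SAMPLE_PROXY_LOG = [
    '2018-05-02T10:01:07Z 10.0.5.21 GET http://www.example.com/index.html "Mozilla/5.0"',
    '2018-05-02T10:01:09Z 10.0.5.21 GET http://198.51.100.7/update.cab "Mozilla/5.0"',
    '2018-05-02T10:02:41Z 10.0.5.33 GET http://198.55.107.149/data/token.php "RookIE/1.0"',
    '2018-05-02T10:02:43Z 10.0.5.33 GET http://198.55.107.149/cab/sts.exe "RookIE/1.0"',
]
_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def scan_proxy_line(line: str) -> list:
    """Return the IOC reasons one proxy log line matches (empty if clean)."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: skip rather than guess
    _, client, _, url, user_agent = m.groups()
    host = url.split("://", 1)[-1].split("/", 1)[0]
    reasons = []
    if host == IOC_IP:
        reasons.append(f"{client} contacted Satan download site {IOC_IP}")
    if any(url.endswith(p) for p in IOC_URL_PATHS):
        reasons.append(f"{client} requested known payload URL {url}")
    if user_agent == IOC_USER_AGENT:
        reasons.append(f"{client} used downloader user agent {IOC_USER_AGENT!r}")
    return reasons


def scan_proxy_log(lines) -> list:
    """Return (line_number, reasons) for every log line that matches an IOC."""
    return [(i, r) for i, line in enumerate(lines, 1) if (r := scan_proxy_line(line))]


if __name__ == "__main__":
    for lineno, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: " + "; ".join(reasons))
```

Hash matches are reported as strong evidence and filename matches as weak evidence so they can be triaged differently. The IP, URL-path and user-agent checks fire on outbound HTTP traffic, which is where the fetch of sts.exe from the download site would show up in proxy logs; the EternalBlue stage itself spreads over SMB and will not appear there, so pair this with port 445 monitoring on the internal network.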
