Satan ransomware evolves to add three new exploits to its source code

• The new Satan variant implements IP address traversal and multi-threading technique for an effective propagation.
• Depending on the targeted port, the malware variant implements EternalBlue exploit, Mimikatz, an SSH Brute-Force attack or other web exploits for propagation.

A new variant of Satan ransomware has been found leveraging three new vulnerabilities to spread across public and private networks. The malware authors have expanded the codebase of the ransomware in order to add exploits for the Spring Web application framework, the Elasticsearch engine, and ThinkPHP Web application framework.

What is new about Satan’s latest variant?

According to a report from Fortinet, the new Satan ransomware variant carries leverages the EternalBlue exploit and the open-source application Mimikatz for propagation into both private and public networks.

Some of the vulnerabilities that the new strain targets include:

• JBoss default configuration vulnerability (CVE-2010-0738)
• Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
• WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
• WebLogic WLS component vulnerability (CVE-2017-10271)
• Windows SMB remote code execution vulnerability (MS17-010)
• Spring Data Commons remote code execution vulnerability (CVE-2018-1273)

Worth noting

In addition to the above-mentioned vulnerabilities, the updated malware variant has added exploit code to abuse three new vulnerabilities. The new vulnerabilities targeted by this strain are:

• Spring Data REST Patch Request (CVE-2017-8046)
• ElasticSearch (CVE-2015-1427)
• ThinkPHP 5.X Remote Code Execution (no CVE assigned)

How does it spread?

According to researchers, the new Satan variant implements IP address traversal and multi-threading technique for an effective propagation.

“It performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address encountered, along with its corresponding hardcoded port list that is described below. To be more efficient, it implements multi-threading, in which separate threads are spawned for every propagation attempt for every targeted IP and port,” Fortinet researchers said in a blog post.

Depending on the targeted port, the malware variant implements EternalBlue exploit, Mimikatz, an SSH Brute-Force attack or other web exploits for propagation.

“For the Windows component, if the port number is 445 (SMB/CIFS), it performs the EternalBlue exploit. If the port number is 22 (SSH), it performs SSH credential brute forcing using a hardcoded list of usernames and passwords. If the port number is not on the aforementioned ports, it attempts to execute its web application exploits,” researchers explained.

The bottom line

By expanding its targets - that includes a number of vulnerable web services and applications - the Satan ransomware has increased its chance infecting more victims and generating more profits.

The ransomware has also been upgraded to Ransomware-as-a-Service, indicating that it can be used by many threat actors to launch more attacks in the future.