New Ransomware incorporates EternalBlue and Mimikatz that enables diffusion through networks


Author :Justin Brunnette

Category: IT News

New Ransomware incorporates EternalBlue and Mimikatz that enables diffusion through networks
Ransomware has gained quite a bit of limelight after the rampage of the WannaCry worm. But with the rise in profitability in using victims browsers for coin-mining operations, ransomware contrivers have been stepping up their game to increase their profitability and contagiousness of their worms. Recent discovery from security researcher MalwareHunter has found that the new version of the Satan ransomware, rebranded as DBGer ransomware, now incorporates the open-source password-dumper Mimikatz.
A bit of background into the Satan ransomware will help explain the evolution and abilities of this new worm. Introduced in January of last year, Satan is a Ransomware-as-a-Service (commonly referred as RaaS) portal that allowed anyone to create their own custom version of the Satan virus. Basically the authors of Satan had a rented it to other criminals who typically dispersed it through email spams. The code started off as nothing too sophisticated but gained a bit of infamy in the hackerworld.
The ransomware bugs have been evolving to quite dangerous levels as we have seen with the WannaCry outbreak. What made WannaCry so potent was it utilization of the EternalBlue exploit. EternalBlue is an exploit developed by the U.S. National Security Agency (NSA) but was leaked by the hacker group Shadow Brokers. This exploit is with how Microsoft Windows OS’s poor handling of custom packets in the Server Message Block (SMB) protocol. WannaCry took advantage of this and spread through networks automatically, encrypted Windows systems and demanded ransom payments in return for decryption of the computer.
It looked like the Satan ransomware crew took note as they used the EternalBlue exploit in November 2017 to scan local networks for outdated SMBs to infect. The Satan ransomware will first infect other computers through the following exploits:
   • JBoss CVE-2017-12149
   • Weblogic CVE-2017-10271
   • Tomcat web application brute forcing
Then a file is placed in the system with a discreet name of “sts.exe”, which may by standing for “Satan spreader.” The file uses PECompact2, allowing it to have a filesize of only 30kb. This functions as a downloader for two additional files, which are both SFX archives. One of the archives has the name “Client.exe” which contains the actual Satan worm while the other archive called “ms.exe” will have the EternalBlue exploit and will start scanning for potential hosts to infect. The following command is used to infect any vulnerable machines:
“cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp”
The new DBGer ransomware takes this a step farther with the incorporation of the Mimikatz utility which is basically a network password dumping utility. It enables viewing of credentials of a Window’s local security authority subsystem service (lsass) through a sekurlsa modules and plaintext passwords. By this lateral movement features, a hacker only needs to fool one careless employee of a company into opening a seemingly harmless file to gain multiple ransom payments.
The ransomware will show a ransom note with the following text:
“Some files have been encrypted
Please send ( 1 ) bitcoins to my wallet address
If you paid, send the machine code to my email
I will give you the key
If there is no payment within three days,
we will no longer support decryption
If you exceed the payment time, your data will be open to the public download
We support decrypting the test file.
Send three small than 3 MB files to the email address
BTC Wallet : [redacted]
Email: [redacted]
Your HardwareID:”
Security researcher Bart Parys has reported in his blog a more detailed description of how the ransomware works:
He recommends for prevention:
   • Enable UAC
   • Enable Windows Update, and install updates (especially verify if MS17-010 is installed)
   • Install an antivirus, and keep it up-to-date and running
   • Restrict, where possible, access to shares (ACLs)
   • Create backups! (and test them)

Always use caution especially when you are working inside networks.

Original Article: