1 Background

In early November 2018, NSFOCUS discovered that some of its financial customers had been infected with a worm virus FT.exe that could affect both Linux and Windows platforms. Like the ransomware Satan, the virus spreads itself by exploiting multiple application vulnerabilities. However, this virus, after breaking into the system, does not do anything obviously damaging, but only spreads itself.

At the end of November 2018, a number of financial customers of NSFOCUS were infected with some cross-platform ransomware, which was believed to be a variant of FT.exe with the capability of dropping Monero miners and ransomware. This variant can propagate itself via Linux and Windows platforms like a worm. In addition, it encrypts local files and appends .lucky to their names besides dropping a ransom file with the name of “_How_To_Decrypt_My_File_”.

Up to now, the hacker’s command and control (C&C) servers are still active, bespeaking risks of extensive infections. Users are therefore advised to stay wary and take preventive measures. For the related indicators of compromise (IoCs), see the appendixes.

2 Virus Analysis

2.1 Propagation

The Satan virus family propagates itself by exploiting 10 common vulnerabilities listed below. Our current finding is that Satan scans for these vulnerabilities on the Linux platform by means of internal IP address traversal and port listing, and on the Windows platform by means of IP address and port listing.

• JBoss deserialization vulnerability
• JBoss default configuration vulnerability (CVE-2010-0738)
• Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
• Tomcat web admin console backstage weak password brute-force attack
• WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
• WebLogic WLS component vulnerability (CVE-2017-10271)
• Windows SMB remote code execution vulnerability (MS17-010)
• Apache Struts 2 remote code execution vulnerability (S2-045)
• Apache Struts 2 remote code execution vulnerability (S2-057)
• Spring Data Commons remote code execution vulnerability (CVE-2018-1273)

2.2 Scope of Impact

Linux and Windows

2.3 Recent Version Changes

• 10

The virus of this version, after breaking into the system, does not do anything obviously damaging, but only spreads itself.

• 13

This version adds a ransomware module, which encrypts local files and appends .lucky to their names before dropping the ransom file with the name of “_How_To_Decrypt_My_File_”.

2.4 Virus Behavior

This Satan variant can propagate on both Linux and Windows platforms, thus requiring a separate analysis of its behavior on each platform.

2.4.1 Satan Variant for Linux

2.4.1.1 ft Module

ft32, as the primary module of Satan, is responsible for downloading and executing other modules. After being started, this module checks whether its own file name has the .loop extension and, if not, copies itself to the current directory. At this moment, the ft32 process is terminated and the .loop program is started for subsequent actions.

After being started, the .loop program first downloads mn32/64, conn32/64, and cry32/64 and then saves them to a local disk drive with the respective name of .data, .conn, and .crypt. The related code logic is as follows:

After all other modules are downloaded, the sub_804A52A function is called for subsequent actions.

First, the sample attempts to connect to C&C servers by accessing four IP addresses via HTTP. If an IP address is found to be alive, the sample saves it for subsequent communication. The following code is used to attempt access to 111.90.158.225, 107.179.65.195, and 23.247.83.135 via HTTP. If the </ver> string is obtained through an HTTP request for access to one of the preceding IP addresses, this IP address will be saved as the communication address of a C&C server.

Next, the sample manages to make itself an auto startup item by using the following methods in the sub_8049719 function:

• Modifying the scheduled task file
• Creating the /etc/rc6.d/S20loop service
• Modifying the local file

Finally, the sample uses the following request to craft communication data:

2.4.1.2 conn Module

As an exploit module of the Satan sample, the conn module is compressed with the upx packer and, after decompression, boasts a size of about 4000 KB.

The conn module, after being started, first obtains IP addresses of its own segment and then loads a port list that contains 230 port numbers (see appendix C List of Ports to Be Scanned by the conn Module of Satan for Linux). The module thus completes port scanning by traversing its own segment and listing all related port numbers. See the following figure.

When discovering available IP addresses and ports, the module attempts to trigger the following vulnerabilities:

• JBoss deserialization vulnerability (CVE-2013-4810,CVE-2017-12149)
• JBoss default configuration vulnerability (CVE-2010-0738)
• Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
• Tomcat web admin console backstage weak password brute-force attack
• WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
• WebLogic WLS component vulnerability (CVE-2017-10271)
• Windows SMB remote code execution vulnerability (MS17-010)
• Apache Struts 2 remote code execution vulnerability (S2-045)
• Apache Struts 2 remote code execution vulnerability (S2-057)
• Spring Data Commons remote code execution vulnerability (CVE-2018-1273)

Following is a JSP file uploaded by exploiting the Tomcat arbitrary file upload vulnerability:

Besides the preceding scanning attack against the web middleware, this module attempts cracking passwords to Linux hosts. Four user names are involved in this attack:

Weak passwords used are as follows:

2.4.1.3 cry Module

This module is responsible for encrypting local files. The following figure shows the whitelisted directories, files under which will not be encrypted:

During encryption, the module uploads parameters of the files under encryption to the attacker’s 110.90.158.225 server. Following is an upload request, where xxx indicates data dynamically spliced by the sample at runtime:

2.4.1.4 mn Module

This module is actually an open-source Monero miner dubbed XMRig, whose code is available at https://github.com/xmrig/xmrig. The address configuration information of the Monero miner is as follows:

2.4.2 Satan Variant for Windows

2.4.2.1 fast.exe

fast.exe, as the primary module of Satan, is responsible for downloading conn.exe and srv.exe, and starting the program by using the ShellExecuteA function. For execution of srv.exe, the sample uses the install parameter.

2.4.2.2 cpt.exe

cpt.exe is responsible for encrypting files.

Files with the following extensions in their names will be encrypted:

To ensure that the system works properly, the sample does not encrypt files in the following directories:

Before encryption, the sample notifies C&C servers of the start of encryption and sets the status parameter to begin.

The notification message is as follows:

The sample, after being executed, generates a random string. From this string, it takes the first 32 bytes as the key. Then it uses the AES_ECB algorithm to read every 16 bytes for encryption.

All files are encrypted with the same key. After a file is successfully encrypted, the sample renames the file in the following format: [nmare@cock.li]filename.tRD53kRxhtrAl5ss.lucky. After all files are encrypted, the sample notifies C&C servers of the completion of encryption and sets the status parameter to done.

Upon completion of encryption for all files, the sample packs the AES key used for file encryption with the RSA algorithm and appends it to these files. Generally, users are demanded to pay ransom before getting the AES key for decrypting their files.

2.4.2.3 conn.exe

conn.exe, as the exploit carrier, drops the EternalBlue exploit and the Windows password dump tool mmkt.exe. Then it starts mmkt.exe and blue.exe (EternalBlue exploit), attempting to infect other machines via the MS17-010 vulnerability.

After being executed, conn.exe scans class B IP addresses in the internal segment for port 445, in a bid to exploit the MS17-010 vulnerability. At the same time, it attempts to attack external networks by exploiting vulnerabilities based on the IP address list and port list that it has previously saved.

2.4.2.4 srv.exe

The srv.exe module downloads the encryption component cpt.exe and the Monero miner mn32.exe.

When the two files are executed without parameters, information about the victim host is sent.

The sample updates the srv.exe program and restarts the service:

When the two files are executed with the install or removesrv parameter, the logs service will be installed or uninstalled.

2.4.2.5 mn32.exe

This module is actually an open-source Monero miner dubbed XMRig, whose code is available at https://github.com/xmrig/xmrig. The address configuration information of the Monero miner is as follows:

2.4.3 Exploit Code of the conn Module

• JBoss Deserialization Vulnerability

• JBoss Default Configuration Vulnerability (CVE-2010-0738)

• Tomcat Arbitrary File Upload Vulnerability (CVE-2017-12615)

• Tomcat Web Admin Console Backstage Weak Password Brute-Force Attack

• WebLogic Arbitrary File Upload Vulnerability (CVE-2018-2894)

• WebLogic WLS Component Vulnerability (CVE-2017-10271)

• Windows SMB Remote Code Execution Vulnerability (MS17-010)

• Apache Struts 2 Remote Code Execution Vulnerability (S2-045)

• Apache Struts 2 Remote Code Execution Vulnerability (S2-057)

• Spring Data Commons Remote Code Execution Vulnerability (CVE-2018-1273)

3 Response

3.1 How to Detect the Virus

• Network Layer

Use an egress firewall or a security device of similar functionality to check whether vulnerabilities like the JBoss deserialization vulnerability are being exploited and whether port scanning is underway. Check requests for access to the following IP addresses/domains to find whether other hosts are infected.

• Host Layer

Linux

Use the ps -ef | grep loop and ps -ef | grep conn commands to check whether loop and conn processes are running.

Use the find / -name “.loop”, find / -name “.conn”, and find / -name “.hash” commands to search for .loop, .conn, and .hash files across directories.

Use the crontab -l command to check whether .loop is included in auto startup items.

Check whether there are files whose names contain the .lucky extension.

Check whether there is the /etc/rc6.d/S20loop file.

Windows

Check the C:\ directory for fast.exe or _How_To_Decrypt_My_File_.

Check the C:\Program Files\Common Files\System directory for conn.exe and srv.exe.

Check the C:\user\all users or C:\ProgramData directory for the EternalBlue toolkit.

Check whether blue.exe, fast.exe, star.exe, srv.exe, conn.exe, cpt, and mmkt.exe processes are running in the system.

Check whether an abnormal registry key/value exists to find out the presence of the logs service: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Logs Service.

• Application Layer

Tomcat Service

Log in to the console to check whether any abnormal WAR files exist.

Other services:

As this trojan toolkit incorporates exploits of multiple vulnerabilities in different applications, it is necessary to check the JBoss and WebLogic directories for abnormal WAR files if the two services are available in the system.

3.2 How to Remove the Virus

• Linux

1. Get the machine offline and isolate it from other machines on the same network to avoid a secondary infection during trojan removal.
2. Check crontab and local files and delete startup information of the Satan virus (if any).
3. Use kill -9 pid to terminate .loop, .conn32/64, and .cry32/64
4. Check where the /etc/rc6.d/S20loop directory points and delete the sample program files from this directory, including .loop, .conn32/64, and .cry32/64 before deleting /etc/rc6.d/S20loop.
5. Change the password of the SSH service on the operating system to a strong one.

• Manual Removal of the Trojan from Windows

1. Get the machine offline and isolate it from other machines on the same network to avoid a secondary infection during trojan removal.
2. As the trojan incorporates the weak password scanning capability and the password capture tool mmkt.exe, it is necessary to change the system password to avoid a secondary infection during trojan removal.
3. Terminate exe, fast.exe, star.exe, srv.exe, conn.exe, mmkt.exe, and cpt.exe processes.
4. Delete exe from the C:\ directory.
5. Delete exe, srv.exe, and cpt.exe from C:\Program Files\Common Files\System.
6. Delete the EternalBlue toolkit from C:\user\all users or C:\ProgramData (note the write time to avoid mistakenly deleting normal system files).

1. Delete the registry key/value created by the trojan: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Logs Service.
2. Install the operating system patch specially developed to address the MS17-010 vulnerability (EternalBlue exploit).
3. Change the operating system password to a strong one.

• Removal of the Trojan from Windows via Scripting

(For the script code file, see appendix D Virus Removal Script for Satan for Windows.)

• Tomcat Service

1. Log in to the Tomcat console to delete abnormal WAR files.
2. Identify the jsp, java, and class files corresponding to these abnormal WAR files, search for them across directories, and delete them (if any).
3. Change the console password of the Tomcat service to a strong one.

• Other Services

Patch JBoss and WebLogic and change the console management passwords to strong ones.

3.3 How to Decrypt Files

According to the investigation of NSFOCUS’s security research team, this ransomware relies on the AES algorithm to encrypt files. However, through analysis of the sample code, it is found that the sample has a serious problem of memory space waste and wild pointer, especially in its Windows version. With this deadly defect, the sample fails to remove the original AES key from memory after exiting the system. Therefore, if forensics and analysis can be performed against the physical memory immediately after the sample completes encryption, it is possible to extract the key string from the physical memory to decrypt the encrypted files.

4 Mitigation

4.1 Mitigation Tips

• Upgrade Apache Struts 2 to the latest version that has fixed S2-045, S2-046, and S2-057 vulnerabilities.
• Upgrade JBoss to the latest version that has fixed CVE-2013-4810 and CVE-2010-0738 vulnerabilities.
• Upgrade Tomcat to fix the arbitrary file upload vulnerability (CVE-2017-12615).
• Upgrade WebLogic to fix the arbitrary file upload vulnerability (CVE-2018-2894) and WLS component vulnerability (CVE-2017-10271).
• Patch the operating system to fix the MS17-010 vulnerability or disable the SMB service if it is unnecessary.
• Increase the complexity of host account passwords and set the password change cycle to a short period. Besides, avoid using common passwords or passwords with logical meanings.
• Change the default user name of system administrator to avoid the use of common ones such as admin, administrator, and test.
• Install antivirus software with self-protection to avoid being shut down or terminated by hackers, and keep the virus database up to date.
• Step up training on employee security awareness. Do not open emails from unknown senders or run programs from unidentifiable sources.
• Back up mission-critical business data regularly to avoid issues incurred by data corruption and loss.
• Use VLANs or port isolation to separate different business networks to prevent viruses from spreading across network segments.
• Keep track of vulnerability alerts, for example, by following the official WeChat account of NSFOCUS for security alerts, so as to be able to fix critical vulnerabilities in time.

4.2 Vulnerability Remediation

4.3 Protection with NSFOCUS Products

NSFOCUS Intrusion Prevention System (IPS) can effectively block the spread of this virus. Users of NSFOCUS IPS are advised to update IPS protection rules as soon as possible. The following table lists the mapping between the aforementioned vulnerabilities and IPS rule IDs.

The latest IPS rules can be downloaded from the following link:

NSFOCUS IPS: http://update.nsfocus.com/update/listIps