Satan Ransomware employs EternalBlue Exploit Kit

Description

The SonicWall Capture Labs Threat Research Team has received reports of a new variant of the Satan ransomware. The Satan ransomware has been around since early 2017, but it was not until late 2017 that we saw it adopt the EternalBlue exploit kit. This is the same exploit kit that was, and still is, used by ransomware such as WannaCry and BadRabbit, and it is employed here to spread more effectively through internal networks.

Infection Cycle:

Upon infection, the Trojan encrypts files on the system and prepends [satan_pro@mail.ru] to the original filename. After infection it displays the following text:

The Trojan drops the following files to the filesystem:

  • %ALLUSERSPROFILE%\client.exe [Detected as GAV: Suspicious#mpress.2 (Trojan)]
  • %ALLUSERSPROFILE%\blue.exe [Detected as GAV: Squida.A_2 (Trojan)]
  • %ALLUSERSPROFILE%\blue.fb
  • %ALLUSERSPROFILE%\blue.xml
  • %ALLUSERSPROFILE%\cnli-1.dll [Detected as GAV: MalAgent.J_39290 (Trojan)]
  • %ALLUSERSPROFILE%\coli-0.dll [Detected as GAV: Downloader.A_1172 (Trojan)]
  • %ALLUSERSPROFILE%\crli-0.dll [Detected as GAV: MalAgent.J_29735 (Trojan)]
  • %ALLUSERSPROFILE%\dmgd-4.dll [Detected as GAV: Artemis.A_162 (Trojan)]
  • %ALLUSERSPROFILE%\down64.dll
  • %ALLUSERSPROFILE%\exma-1.dll [Detected as GAV: Shadowbrokers.D_5 (Trojan)]
  • %ALLUSERSPROFILE%\libeay32.dll
  • %ALLUSERSPROFILE%\libxml2.dll
  • %ALLUSERSPROFILE%\ms.exe [Detected as GAV: SatanCryptor.RSM_2 (Trojan)]
  • %ALLUSERSPROFILE%\posh-0.dll [Detected as GAV: MalAgent.J_21737 (Trojan)]
  • %ALLUSERSPROFILE%\ssleay32.dll [Detected as GAV: Eqtonex.A_6 (Trojan)]
  • %ALLUSERSPROFILE%\star.exe [Detected as GAV: MalAgent.J_8604 (Trojan)]
  • %ALLUSERSPROFILE%\tibe-2.dll [Detected as GAV: MalAgent.H_9335 (Trojan)]
  • %ALLUSERSPROFILE%\star.xml
  • %ALLUSERSPROFILE%\tucl-1.dll [Detected as GAV: Shadowbrokers.DZ (Trojan)]
  • %ALLUSERSPROFILE%\trfo-2.dll [Detected as GAV: Downloader.A_1169 (Trojan)]
  • %ALLUSERSPROFILE%\tucl-1.dll [Detected as GAV: MalAgent.J_21729 (Trojan)]
  • %ALLUSERSPROFILE%\ucl.dll
  • %ALLUSERSPROFILE%\xdvl-0.dll [Detected as GAV: Eqtonex.A_2 (Trojan)]
  • %ALLUSERSPROFILE%\zlib1.dll [Detected as GAV: MalAgent.J_35104 (Trojan)]

The Trojan reports the infection to a C&C server:

The Trojan downloads and runs ms.exe and setup.exe from the C&C server:

We observed the Trojan running blue.exe with its command-line arguments. This is an attempt to spread to other machines on the internal network:

Some configuration strings can be seen in the Trojan's memory after it is unpacked:

The Trojan instructs victims to send 0.3 BTC to 14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo. It seems that some have fallen prey to its scheme:

We reached out to satan_pro@mail.ru concerning file decryption but did not receive a response.
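As an added defender-side example (not part of the original SonicWall analysis), the following Python triages a host's file listing for the indicators described above: the dropped component set in %ALLUSERSPROFILE%, the staged blue.exe spreader, and files renamed with the [satan_pro@mail.ru] prefix. The sample listing and the assumption that %ALLUSERSPROFILE% expands to C:\ProgramData are constructed for the example.

```python
import ntpath
from collections import Counter

# Marker prepended to every encrypted file name, as described in the analysis.
ENCRYPTED_PREFIX = "[satan_pro@mail.ru]"

# Dropped components listed in the analysis. blue.exe is the EternalBlue spreader,
# ms.exe the encryptor; everything lands in %ALLUSERSPROFILE%.
DROPPED_EXECUTABLES = {"client.exe", "blue.exe", "ms.exe", "star.exe"}
DROPPED_SUPPORT = {"blue.fb", "blue.xml", "star.xml", "cnli-1.dll", "coli-0.dll",
                   "crli-0.dll", "dmgd-4.dll", "down64.dll", "exma-1.dll",
                   "libeay32.dll", "libxml2.dll", "posh-0.dll", "ssleay32.dll",
                   "tibe-2.dll", "tucl-1.dll", "trfo-2.dll", "ucl.dll",
                   "xdvl-0.dll", "zlib1.dll"}

def is_allusersprofile(path):
    # Accept the literal variable or its usual expansion (assumed: C:\ProgramData).
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory in ("%allusersprofile%", "c:\\programdata")

def find_dropped_components(paths):
    """Return (executables, support files) from the dropper set found in %ALLUSERSPROFILE%."""
    exes, support = set(), set()
    for path in paths:
        if not is_allusersprofile(path):
            continue  # same names elsewhere (e.g. a legitimate zlib1.dll) are not counted
        name = ntpath.basename(path).lower()
        if name in DROPPED_EXECUTABLES:
            exes.add(name)
        elif name in DROPPED_SUPPORT:
            support.add(name)
    return exes, support

def count_encrypted(paths):
    """Count files carrying the [satan_pro@mail.ru] prefix, grouped by directory."""
    hits = Counter()
    for path in paths:
        if ntpath.basename(path).startswith(ENCRYPTED_PREFIX):
            hits[ntpath.dirname(path)] += 1
    return hits

def assess(paths, min_encrypted=5):
    """Triage a file listing; returns (verdict, findings, per-directory encrypted counts)."""
    exes, support = find_dropped_components(paths)
    encrypted = count_encrypted(paths)
    total = sum(encrypted.values())
    findings = []
    if "ms.exe" in exes:
        findings.append("encryptor staged (ms.exe)")
    if "blue.exe" in exes and support & {"blue.xml", "blue.fb"}:
        findings.append("EternalBlue spreader staged (blue.exe with blue.xml/blue.fb)")
    if total >= min_encrypted:
        findings.append(f"{total} files renamed with {ENCRYPTED_PREFIX}")
    return ("satan-ransomware" if findings else "clean"), findings, encrypted

# Constructed sample listing of an infected host (not from the original analysis).
SAMPLE_LISTING = [
    r"C:\ProgramData\client.exe", r"C:\ProgramData\blue.exe", r"C:\ProgramData\blue.xml",
    r"C:\ProgramData\ms.exe", r"C:\ProgramData\libeay32.dll",
    r"C:\Users\alice\Documents\[satan_pro@mail.ru]budget.xlsx",
    r"C:\Users\alice\Documents\[satan_pro@mail.ru]report.docx",
    r"C:\Users\alice\Desktop\[satan_pro@mail.ru]notes.txt",
    r"C:\Users\alice\Desktop\[satan_pro@mail.ru]photo.jpg",
    r"C:\Users\alice\Desktop\[satan_pro@mail.ru]thesis.pdf",
    r"C:\Windows\System32\zlib1.dll",
]

if __name__ == "__main__":
    verdict, findings, encrypted = assess(SAMPLE_LISTING)
    print(verdict, findings, dict(encrypted))
```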

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Satan.RSM (Trojan)
  • GAV: SatanCryptor.RSM_2 (Trojan)
  • GAV: Suspicious#mpress.2 (Trojan)
  • GAV: Squida.A_2 (Trojan)
  • GAV: MalAgent.J_39290 (Trojan)
  • GAV: Downloader.A_1172 (Trojan)
  • GAV: MalAgent.J_29735 (Trojan)
  • GAV: Artemis.A_162 (Trojan)
  • GAV: Shadowbrokers.D_5 (Trojan)
  • GAV: MalAgent.J_21737 (Trojan)
  • GAV: Eqtonex.A_6 (Trojan)
  • GAV: MalAgent.J_8604 (Trojan)
  • GAV: MalAgent.H_9335 (Trojan)
  • GAV: Shadowbrokers.DZ (Trojan)
  • GAV: Downloader.A_1169 (Trojan)
  • GAV: MalAgent.J_21729 (Trojan)
  • GAV: Eqtonex.A_2 (Trojan)
  • GAV: MalAgent.J_35104 (Trojan)