New Lucky Ransomware Targets Linux Servers!

26/11/2018 16:50:52

Recently, Sangfor received a report from a customer in the finance sector that Linux servers on the customer's network had been infected by ransomware. Sangfor Security Team found that the ransomware encrypts files and appends .lucky to the encrypted files. It is a new variant that spreads in the same way as Satan ransomware and achieves automated propagation on Linux. Sangfor Security Team has dubbed it the Lucky Ransomware.

1. Lucky Ransomware File Encryption Process
Read the file /tmp/Ssession

Traverse and encrypt system files, and append the file extension .lucky

The following files are excluded: 

Encrypted file types are: 

Upload the number of encrypted files, their sizes and the session: 

Generate file encryption information: 

2. Attack Procedure
ft32 is the virus vector. The modules conn32 and cry32 are responsible for propagation and encryption respectively.
1. The ft32 virus vector replicates itself as .loop and makes it launch automatically at host startup.
2. .loop downloads the modules conn32 and cry32 from the C&C server and executes them. 
3. The module cry32 encrypts files and appends .lucky to the encrypted files.
4. The module conn32 scans LAN hosts for vulnerabilities and exploits them to spread the virus vector.

The virus decides whether to perform installation based on the startup parameter argv[1], and then uses the program name argv[0] to decide whether it was started as LTMP or as .loop. No further activity is performed after startup as LTMP.
ft32 is executed directly without any parameters and copies itself to the .loop program. A process is then created from .loop.

After ft32 completes, if the process name is .loop, .loop creates .hash, downloads the malicious programs .conn, .crypt, LTMP and RTMP, and executes .conn and .crypt (.conn is used for propagation and .crypt for file encryption).

In addition to downloading the malware, .loop achieves persistence via a scheduled task and auto-launch at host startup.
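A host-side triage script, added here as an example and not part of Sangfor's analysis, that looks for the artifacts named above: the .lucky extension, the dropped .loop/.hash/.conn/.crypt/LTMP/RTMP files, /tmp/Ssession and a scheduled task that references the dropper. The write-up does not give the drop paths, so the scan matches bare file names anywhere under the scanned root, and the directory tree it runs against is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Artifact names taken from the write-up. Their on-disk locations are not
# stated there, so the scan matches the bare names anywhere under the root.
DROPPED_NAMES = {".loop", ".hash", ".conn", ".crypt", "LTMP", "RTMP"}
SESSION_FILE = "Ssession"          # the write-up names /tmp/Ssession
ENCRYPTED_EXT = ".lucky"
CRON_MARKERS = (".loop", "LTMP")   # names a scheduled task would launch

def hunt_lucky(root):
    """Walk `root` and return a dict of findings keyed by indicator type."""
    root = Path(root)
    findings = {"encrypted": [], "dropped": [], "session": [], "cron": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.suffix == ENCRYPTED_EXT:
            findings["encrypted"].append(rel)
        if path.name in DROPPED_NAMES:
            findings["dropped"].append(rel)
        if path.name == SESSION_FILE and path.parent.name == "tmp":
            findings["session"].append(rel)
        # Scheduled-task persistence: a cron file that references a dropped name
        if "cron" in path.parts or path.parent.name == "cron.d":
            text = path.read_text(errors="replace")
            if any(marker in text for marker in CRON_MARKERS):
                findings["cron"].append(rel)
    for hits in findings.values():
        hits.sort()
    return findings

def build_sample_tree():
    """Constructed sample filesystem (not a real infection) for offline testing."""
    root = Path(tempfile.mkdtemp(prefix="lucky-hunt-"))
    (root / "tmp").mkdir()
    (root / "tmp" / "Ssession").write_text("constructed-session-id\n")
    (root / "tmp" / ".loop").write_bytes(b"\x7fELF constructed stub")
    (root / "var" / "www").mkdir(parents=True)
    (root / "var" / "www" / "index.html.lucky").write_bytes(b"\x00" * 16)
    (root / "var" / "www" / "notes.txt").write_text("clean file\n")
    (root / "etc" / "cron.d").mkdir(parents=True)
    (root / "etc" / "cron.d" / "loop").write_text("*/1 * * * * root /tmp/.loop\n")
    return str(root)

if __name__ == "__main__":
    for kind, hits in hunt_lucky(build_sample_tree()).items():
        print(f"{kind:9s} {hits}")
```

On a real host, run `hunt_lucky("/")` from a read-only or forensic mount; the .lucky hit count also gives a quick measure of how far the encryption got.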

3. Propagation Module

Like the propagation module (conn) of Satan ransomware on Windows, this ransomware exploits the following vulnerabilities: 
1. JBoss deserialization vulnerability (CVE-2013-4810)
2. JBoss default configuration vulnerability (CVE-2010-0738)
3. Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
4. Tomcat web admin console (back-end) login password brute-force attack
5. Weblogic WLS component vulnerability (CVE-2017-10271)
6. Windows SMB remote code execution vulnerability (MS17-010)
7. Apache Struts2 remote code execution vulnerability (S2-045)
8. Apache Struts2 remote code execution vulnerability (S2-057)

Interestingly, we found many strings referring to .exe files in the Linux samples, indicating that the samples are cross-platform and can be used to perform the same web attacks against Windows. The analysis below confirms this finding. 

Core Function

Tomcat Arbitrary File Upload Vulnerability
Against Linux systems, the Tomcat file upload vulnerability is used to spread the virus files ft32 and ft64.

Against Windows systems, the Tomcat file upload vulnerability is used to spread the virus file fast.exe.

Tomcat Web Admin Console (Back-end) Login Password Brute-force Attack

Struts2 Remote Execution Vulnerability S2-045
Malicious commands are executed according to the targeted operating system. 

Struts2 Remote Execution Vulnerability S2-057

Weblogic WLS Component Vulnerability

JBoss Default Configuration Vulnerability

SMB Remote Code Execution Vulnerability

4. Solution
1. Isolate the infected host as soon as possible and disable all of its connections and network adapters.
2. Disable SMB port 445 and cut communication between the host and any external network. Sangfor NGAF customers can turn on intrusion prevention and botnet prevention to block the attack. 
3. Find the attack source, capture data packets and analyze them (with security intelligence software or similar tools). 
4. Install the corresponding patches to fix the following vulnerabilities: EternalBlue (MS17-010), JBoss deserialization vulnerability (CVE-2013-4810), JBoss default configuration vulnerability (CVE-2010-0738), Tomcat arbitrary file upload vulnerability (CVE-2017-12615), Weblogic WLS component vulnerability (CVE-2017-10271), and Apache Struts2 remote code execution vulnerabilities (S2-045 and S2-057). 
