Emerging Malware Satana Overwrites the MBR and User Data in a Two-Pronged Attack

A newly emerging strain of malware, which made its first appearance last week, appears to be basing itself on the crypto-lockers Petya and Mischa.

Malwarebytes Labs has described the malicious software as being at the “malware-in-development” stage, with growth and evolution expected over the coming weeks as its popularity and use increase.

Like Petya and Mischa, Satana (Italian for “devil”) has two methods of operation. The first works like Petya: a dropper writes a bootloader with a custom kernel to the start of the disk. The second stage displays characteristics of Mischa, acting in typical cryptoware fashion by encrypting the user’s files, in this case with AES.

Unlike Petya and Mischa, this latest variant employs both methods back to back, first compromising the system’s bootloader and then the user’s data.

Satana’s installation is silent: it patiently waits for a system reboot, whereupon it displays the ransom note, confirming the compromise and detailing the instructions for decryption. This differs from Petya, which more aggressively forces a fake BSOD to prompt the user into rebooting.
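Because the first stage rewrites the start of the disk and then stays quiet until the next reboot, the practical defensive check is an integrity baseline of the first sector: hash the MBR boot-code area while the machine is known-good, then re-read and compare on a schedule or during triage. The following is an added example written for this article, not code from Malwarebytes Labs or from the malware analysis; it works on a 512-byte sector supplied as bytes (how you read that sector, for example from `\\.\PhysicalDrive0` on Windows with administrator rights, is outside the block), and the sample sectors it builds are constructed, not captured from an infected host.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # classic MBR: bootstrap code precedes the partition table
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code area
SIGNATURE_OFF = 510      # 0x55AA boot signature closes the sector


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_partition_table(sector: bytes):
    """Return the four MBR partition entries (status, type, LBA start, length)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # byte 0 status, bytes 1-3 CHS start, byte 4 type, bytes 5-7 CHS end,
        # bytes 8-11 LBA start, bytes 12-15 sector count (little-endian)
        boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"boot": boot_flag, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> dict:
    """Compare a freshly read MBR against a stored baseline hash of its boot code.

    'bootcode_changed' is the signal of interest: a dropper that writes its own
    bootloader to the start of the disk replaces exactly this region.
    """
    report = {"valid_length": len(sector) == SECTOR_SIZE}
    if not report["valid_length"]:
        return report
    report["signature_ok"] = sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa"
    report["bootcode_sha256"] = sha256_hex(sector[:BOOT_CODE_LEN])
    report["bootcode_changed"] = report["bootcode_sha256"] != baseline_bootcode_sha256
    entries = parse_partition_table(sector)
    # a sane table has status bytes of only 0x00 or 0x80 and at most one active entry
    report["boot_flags_valid"] = all(e["boot"] in (0x00, 0x80) for e in entries)
    report["active_partitions"] = sum(1 for e in entries if e["boot"] == 0x80)
    return report


def build_sample_sectors():
    """CONSTRUCTED data: a 'known-good' MBR and a copy whose code area was overwritten."""
    good = bytearray(SECTOR_SIZE)
    good[0:3] = b"\x33\xc0\x8e"                      # stand-in for real boot code
    # one active partition of type 0x07 starting at LBA 2048, 1 GiB long
    struct.pack_into("<B3xB3xII", good, PART_TABLE_OFF, 0x80, 0x07, 2048, 2097152)
    good[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    tampered = bytearray(good)
    tampered[0:BOOT_CODE_LEN] = b"\xeb" * BOOT_CODE_LEN   # code area replaced, table intact
    return bytes(good), bytes(tampered)


def demo():
    """Baseline the good sector, then check both sectors against that baseline."""
    good, tampered = build_sample_sectors()
    baseline = sha256_hex(good[:BOOT_CODE_LEN])       # stored at baseline time
    return check_mbr(good, baseline), check_mbr(tampered, baseline)


if __name__ == "__main__":
    for name, rep in zip(("good", "tampered"), demo()):
        print(name, rep)
```

Note that the tampered sector still carries a valid 0x55AA signature and an intact partition table, so a signature-only or partition-only check passes; only the hash of the code area reveals the rewrite, which is why the baseline must be captured before infection and stored off the host.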

[Figure: Satana’s ransom note, which appears on the first reboot following successful infection]

The second stage of operation sees the malware work its way through the infected system, encrypting the user’s files one by one and leaving a ransom note, labelled !satana!.txt, in each folder.

All of the user’s files are renamed with the hard-coded email address that is to be used in the unlocking process, under the format _.
Targeted file extensions include: .bak .doc .jpg .jpe .txt .tex .dbf .db .xls .cry .xml .vsd .pdf .csv .bmp .tif .1cd .tax .gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn .stl .gho .v2i .3ds .ma .ppt .acc .vpd .odt .ods .rar .zip .7z .cpp .pas .asm

Malwarebytes Labs has reported that the encryption key is randomly generated and sent to Command and Control (C2) servers along with other information about the infected client machine.

Much of this particular malware seems unfinished, and researchers have speculated that this variant was released into the wild accidentally. Several key features of the analyzed code, including the low-level attack segments as well as erroneous bitcoin wallet details, point to it being in a pre-production stage of development.

The expectation, however, is that we will see this variant evolve, as it combines the most aggressive features of two of the most successful cryptoware families presently available.