5 July 2019

Sodin ransomware exploits former Windows zero-day to elevate its privileges on infected hosts

The recently discovered Sodin ransomware (also known as Sodinokibi and REvil) exploits the Windows privilege escalation bug SB2018100920 (CVE-2018-8453) to gain the highest level of privileges on infected systems, which is fairly unusual for ransomware.

The vulnerability had previously been exploited as a zero-day by a state-sponsored hacking group tracked by researchers as FruityArmor, starting in August 2018. Microsoft fixed the flaw in the October 2018 Patch Tuesday security updates.

According to researchers from Kaspersky Lab, who have been monitoring Sodin since it was first spotted in April 2019, attacks were observed in Europe, North America and Latin America, but most victims were located in the Asia-Pacific region, in Taiwan, Hong Kong and South Korea. The ransom note left on infected PCs demanded $2,500 (USD) worth of Bitcoin from each victim.

In a detailed technical analysis, Kaspersky explained how the malware functions. Each Sodin sample carries a configuration block with the settings and data it needs to operate. After launch it checks whether the option to use the exploit is enabled in that block; if it is, Sodin checks the CPU architecture it is running on and passes execution to one of two shellcode variants embedded in the trojan's body, selected to match that architecture.

“Sodin uses a hybrid scheme to encrypt victim files. The file contents are encrypted with the Salsa20 symmetric stream algorithm, and the keys for it with an elliptic curve asymmetric algorithm,” reads the analysis.

One of the most interesting findings was a so-called “public skeleton key” in the body of the trojan, which acts as a backdoor that lets Sodin's authors decrypt files behind the distributors' back. This suggests that the ransomware is distributed under a ransomware-as-a-service (RaaS) model, with affiliates handling delivery, rather than being delivered directly by the malware's creators.
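The key hierarchy behind the quoted hybrid scheme and the “skeleton key” described above, as an added example that is not Kaspersky's or the malware's code: a per-victim session key pair is generated, and its secret is wrapped once to the distributor's public key (the one that would sit in the config block) and once more to a second public key hard-coded in the body. Each file is then encrypted with Salsa20 under a per-file key derived from a fresh ephemeral key and the session public key. Whoever holds either private key can recover the session secret and with it every file key, which is exactly what lets the developer decrypt without the distributor. X25519 stands in for the elliptic-curve algorithm (the page names only “an elliptic curve asymmetric algorithm”); the SHA-256 key derivation, the ECIES-style wrapping under a fixed zero nonce (safe here only because every wrap uses a fresh ephemeral key), the blob layout, and all function names are assumptions made for this illustration, and the plaintext is a constructed sample.

```python
# Added example: hybrid Salsa20 + X25519 file encryption with a second,
# hard-coded "skeleton" public key, modelled on the scheme the article
# describes. Not Sodin's code: the KDF (SHA-256), the ECIES-style wrapping,
# the blob layout and the names below are assumptions for this illustration.
import hashlib
import os
import struct

P = 2**255 - 19
M32 = 0xFFFFFFFF
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: scalar k times u-coordinate u (32 little-endian bytes each)."""
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):          # Montgomery ladder
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _rotl(v, c):
    return ((v << c) & M32) | (v >> (32 - c))

def _quarter(s, a, b, c, d):
    s[b] ^= _rotl((s[a] + s[d]) & M32, 7)
    s[c] ^= _rotl((s[b] + s[a]) & M32, 9)
    s[d] ^= _rotl((s[c] + s[b]) & M32, 13)
    s[a] ^= _rotl((s[d] + s[c]) & M32, 18)

def salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    s = [0x61707865, *k[:4], 0x3320646E, *n, counter & M32, counter >> 32,
         0x79622D32, *k[4:], 0x6B206574]
    x = list(s)
    for _ in range(10):                   # 10 double rounds = 20 rounds
        for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                  (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarter(x, *q)
    return struct.pack("<16I", *((a + b) & M32 for a, b in zip(x, s)))

def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR data with the Salsa20 keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, i // 64)
        out += bytes(p ^ s for p, s in zip(data[i:i + 64], ks))
    return bytes(out)

def keypair():
    sk = os.urandom(32)
    return sk, x25519(sk, BASEPOINT)

def wrap(secret: bytes, recipient_pk: bytes) -> tuple:
    """ECIES-style wrap: ephemeral ECDH, then Salsa20 under SHA-256(shared)."""
    esk, epk = keypair()
    key = hashlib.sha256(x25519(esk, recipient_pk)).digest()
    return epk, salsa20_xor(key, bytes(8), secret)

def unwrap(recipient_sk: bytes, epk: bytes, ct: bytes) -> bytes:
    return salsa20_xor(hashlib.sha256(x25519(recipient_sk, epk)).digest(), bytes(8), ct)

def infect(distributor_pk: bytes, skeleton_pk: bytes) -> dict:
    """Per-victim setup: one session key pair, its secret wrapped to BOTH recipients."""
    session_sk, session_pk = keypair()
    return {"session_pk": session_pk,
            "for_distributor": wrap(session_sk, distributor_pk),  # key from the config block
            "for_developer": wrap(session_sk, skeleton_pk)}       # the skeleton-key backdoor

def encrypt_file(session_pk: bytes, plaintext: bytes) -> bytes:
    """Per-file ephemeral key; blob = file_pk(32) | nonce(8) | Salsa20 ciphertext."""
    fsk, fpk = keypair()
    nonce = os.urandom(8)
    key = hashlib.sha256(x25519(fsk, session_pk)).digest()
    return fpk + nonce + salsa20_xor(key, nonce, plaintext)

def decrypt_file(session_sk: bytes, blob: bytes) -> bytes:
    fpk, nonce, ct = blob[:32], blob[32:40], blob[40:]
    return salsa20_xor(hashlib.sha256(x25519(session_sk, fpk)).digest(), nonce, ct)

def demo(plaintext: bytes = b"constructed sample: Q2 invoices.xlsx") -> tuple:
    dev_sk, dev_pk = keypair()    # skeleton pair; only dev_pk ships inside the trojan
    dist_sk, dist_pk = keypair()  # affiliate pair; dist_pk ships in the config block
    victim = infect(dist_pk, dev_pk)
    blob = encrypt_file(victim["session_pk"], plaintext)
    by_distributor = decrypt_file(unwrap(dist_sk, *victim["for_distributor"]), blob)
    by_developer = decrypt_file(unwrap(dev_sk, *victim["for_developer"]), blob)  # no dist_sk
    return by_distributor, by_developer
```

Running demo() yields the same plaintext on both paths. The file blob itself carries only public material, so a decryptor needs one of the two private keys; the point of the second wrap is that the developer's key works for every victim regardless of which affiliate ran the campaign.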

Another thing that sets Sodin apart from other ransomware families, besides the Windows exploit, is its use of the long-known Heaven's Gate technique, which lets the trojan's 32-bit process execute pieces of 64-bit code. This hinders analysis, since many debuggers do not support the technique, and helps the malware evade security products, such as antivirus engines, whose emulation or hooks do not follow the transition into 64-bit code.
