5 July 2019

Sodin ransomware exploits former Windows zero-day to elevate its privileges on infected hosts

The recently discovered Sodin ransomware (also known as Sodinokibi and REvil) is using the Windows privilege escalation bug SB2018100920 (CVE-2018-8453) to gain the highest level of privileges on infected systems, which is fairly unusual for ransomware.

The vulnerability in question had previously been used, since August 2018, by a state-sponsored hacking group tracked by researchers as FruityArmor. Microsoft fixed the flaw in the October 2018 Patch Tuesday security updates.

According to researchers from Kaspersky Lab, who have been monitoring the Sodin ransomware's activity since it was first spotted in April 2019, attacks were observed in Europe, North America and Latin America, although most victims were located in the Asia-Pacific region: Taiwan, Hong Kong, and South Korea. The ransom note left on infected PCs demanded $2500 (USD) worth of Bitcoin from each victim.

In a detailed technical analysis, Kaspersky explained how the malware functions. Each Sodin sample has a configuration block containing the settings and data required for it to work. After launch, it checks the configuration block to verify whether the option to use the exploit is enabled; if it is, Sodin checks the architecture of the CPU it is running on and passes execution to one of the two variants of shellcode contained inside the trojan's body.

“Sodin uses a hybrid scheme to encrypt victim files. The file contents are encrypted with the Salsa20 symmetric stream algorithm, and the keys for it with an elliptic curve asymmetric algorithm,” reads the analysis.

One of the most interesting findings was the discovery of a so-called "public skeleton key" in the body of the trojan, which serves as a backdoor allowing Sodin's authors to decrypt files behind the distributors' backs. This finding suggests that the ransomware is being distributed via a ransomware-as-a-service (RaaS) business model rather than being delivered directly by the malware's creators.

Another thing that separates Sodin from other ransomware families, besides the Windows exploit, is its use of the old Heaven's Gate technique to circumvent security solutions such as firewalls and antivirus programs. Heaven's Gate allows the trojan's 32-bit process to execute pieces of 64-bit code. Many debuggers do not support this technique, which makes it harder for researchers to analyze the malware.
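Heaven's Gate works because, under WoW64, a 32-bit process can transfer control to the 64-bit code segment (selector 0x33) with a far jump or far return, and most 32-bit debuggers cannot follow that transition. From a detection standpoint the useful property is that the switch has to be expressed as a handful of recognisable instruction sequences, which can be scanned for statically. The following scanner is an added example written for this article; it is not Kaspersky's or Sodin's code, the byte patterns are typical encodings of well-known Heaven's Gate stubs rather than signatures taken from Sodin, and the input buffer is constructed inline.

```python
import re

# Under WoW64 the 32-bit code segment uses selector 0x23 and the 64-bit
# code segment uses selector 0x33. Any far transfer that loads CS with 0x33
# from 32-bit code is a candidate Heaven's Gate switch.
X64_CODE_SELECTOR = 0x33

# Typical Heaven's Gate stub encodings (assumed common forms, not bytes
# extracted from any particular sample). Regexes run over raw bytes; DOTALL
# lets '.' match 0x0A inside the 4-byte address fields.
HEAVENS_GATE_PATTERNS = {
    # jmp far 0x33:imm32            -> EA <imm32> 33 00
    "far_jmp_to_0x33": re.compile(rb"\xEA.{4}\x33\x00", re.DOTALL),
    # push 0x33 ; push imm32 ; retf -> 6A 33 68 <imm32> CB
    "push_cs_push_eip_retf": re.compile(rb"\x6A\x33\x68.{4}\xCB", re.DOTALL),
    # push 0x33 ; call $+5 ; add dword [esp], 5 ; retf
    #                               -> 6A 33 E8 00 00 00 00 83 04 24 05 CB
    "push_cs_call_add_retf": re.compile(
        rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"
    ),
}


def find_heavens_gate(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, pattern_name) for every Heaven's Gate stub found in
    the buffer, sorted by offset. Intended for 32-bit PE code sections or
    memory dumps; a hit is a triage lead, not proof on its own."""
    hits = []
    for name, pattern in HEAVENS_GATE_PATTERNS.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample buffer: NOP sled, a push/call/add/retf gate at offset 16,
# some 'push ebp; mov ebp, esp' filler, then a far jmp gate at offset 40.
SAMPLE_CODE = (
    b"\x90" * 16
    + b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"
    + b"\x55\x8B\xEC" * 4
    + b"\xEA\x00\x10\x40\x00\x33\x00"
    + b"\xC3"
)


if __name__ == "__main__":
    for offset, name in find_heavens_gate(SAMPLE_CODE):
        print(f"0x{offset:08x}: {name}")
```

The far-jump pattern is the least specific of the three, since `EA` followed by any four bytes and `33 00` can occur by chance in data sections, so in practice such hits are restricted to executable sections and reviewed with the surrounding disassembly; the push/retf forms are rare enough in benign 32-bit code that a match in an unpacked binary deserves a closer look.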
