5 July 2019

Sodin ransomware exploits former Windows zero-day to elevate its privileges on infected hosts

The recently discovered Sodin ransomware (also known as Sodinokibi and REvil) is using the Windows privilege escalation bug SB2018100920 (CVE-2018-8453) to gain the highest level of privileges on infected systems, which is fairly unusual for ransomware.

The vulnerability in question had previously been used since August 2018 by a state-sponsored hacking group tracked by researchers as FruityArmor. Microsoft fixed the flaw in the October 2018 Patch Tuesday security updates.

According to researchers from Kaspersky Lab, who have been monitoring the Sodin ransomware’s activity since it was first spotted in April 2019, attacks were observed in Europe, North America and Latin America, although most victims were located in the Asia-Pacific region: Taiwan, Hong Kong, and South Korea. The ransom note left on infected PCs demanded $2500 (USD) worth of Bitcoin from each victim.

In a detailed technical analysis, Kaspersky explained how the malware functions. Each Sodin sample has a configuration block containing the settings and data required for it to work. After launch, it checks the configuration block to verify whether the option to use the exploit is enabled and, if it is, Sodin checks the architecture of the CPU it is running on and passes execution to one of the two variants of shellcode contained inside the trojan's body.

“Sodin uses a hybrid scheme to encrypt victim files. The file contents are encrypted with the Salsa20 symmetric stream algorithm, and the keys for it with an elliptic curve asymmetric algorithm,” reads the analysis.

One of the most interesting findings was the discovery of a so-called “public skeleton key” in the body of the trojan, which serves as a backdoor allowing Sodin’s authors to decrypt files behind the distributors’ backs. This finding suggests that the ransomware is being distributed via a ransomware-as-a-service (RaaS) business model rather than being delivered directly by the malware’s creators.

Another thing that separates Sodin from other ransomware families, besides the Windows exploit, is its use of the old Heaven’s Gate technique to circumvent security solutions such as firewalls and antivirus programs. Heaven's Gate allows the trojan's 32-bit process to execute pieces of 64-bit code. Many debuggers don’t support this technique, which makes it more difficult for researchers to analyze the malware.
