Sodin Ransomware Exploits Windows Privilege Escalation Bug

Published: 23/11/2024   Category: security




Exploitation of CVE-2018-8453 grants attackers the highest level of privileges on a target system.



In a world where ransomware runs rampant, Sodin stands out. The newly discovered malware exploits Windows vulnerability CVE-2018-8453 to elevate privileges — a rarity for ransomware.
Kaspersky Lab researchers have been watching Sodin, also known as Sodinokibi and REvil, since they spotted it in April. Sodin captured their attention because it exploits Windows privilege escalation vulnerability CVE-2018-8453, says senior malware analyst Fedor Sinitsyn.
CVE-2018-8453, also discovered by the Kaspersky Lab team, was under active attack when Microsoft released a patch back in October. Researchers saw the FruityArmor APT using the vulnerability in a small number of targeted attacks, primarily against victims in the Middle East. The exploit was packaged into a malware installer, which required system privileges to install a payload that would grant the attackers persistent access to victims' machines, they reported.
Now researchers have spotted the same vulnerability in Sodin, which they say is a rarity for ransomware. Statistics show detections across Asia, Europe, North America, and Africa, though they point out most are in Asia-Pacific — specifically Taiwan, Hong Kong, and South Korea. Sinitsyn says researchers did not notice a pattern among industries or organizations targeted.
Each Sodin sample has an encrypted configuration block with the settings it needs to work. After launch, it checks the configuration block to verify whether the option to use the exploit is enabled, Sinitsyn explains. If it is, Sodin checks the architecture of the CPU it's running on and passes execution to one of the two variants of shellcode contained inside the Trojan's body.
The shellcode will then attempt to call a specific sequence of WinAPI functions with maliciously crafted arguments in order to trigger the vulnerability, Sinitsyn says. As a result, the running Trojan's process gains the highest privileges in the system. The goal here is to make it harder for security solutions to counteract this malware.
Sodin uses a hybrid scheme to encrypt victim files. Its implementation of cryptographic operations is quite sophisticated, he adds. The ransomware employs a combination of asymmetric elliptic curve cryptography and a modern symmetric stream cipher.
Overall, this Trojan leaves the impression that the criminals behind its development know what they are doing, he continues.
Adding to the attackers' sophistication is their use of Heaven's Gate, a technique that allows the Trojan's 32-bit process to execute pieces of 64-bit code. Many debuggers don't support this architecture switch; as a result, it's difficult for researchers to analyze the malware. Further, says Sinitsyn, Heaven's Gate may impede detection for some security tools or analysis systems.
Heaven's Gate has been seen in different types of malware, including coin miners, but this is the first time Kaspersky Lab researchers saw the technique used in a ransomware campaign.
Sodin is designed as ransomware-as-a-service (RaaS), meaning operators can choose the way it spreads, and Sinitsyn anticipates this scheme will allow attackers to continue distributing the ransomware across channels. It is already propagating to vulnerable servers via vulnerable server software as well as to endpoints via malvertising and exploit kits, he says.