Sodin Ransomware Exploits Windows Privilege Escalation Bug

Exploitation of CVE-2018-8453 grants attackers the highest level of privileges on a target system.

In a world where ransomware runs rampant, Sodin stands out. The newly discovered malware exploits Windows vulnerability CVE-2018-8453 to elevate privileges — a rarity for ransomware.
Kaspersky Lab researchers have been watching Sodin, also known as Sodinokibi and REvil, since they spotted it in April. Sodin captured their attention because it exploits Windows privilege escalation vulnerability CVE-2018-8453, says senior malware analyst Fedor Sinitsyn.
CVE-2018-8453, also discovered by the Kaspersky Lab team, was under active attack when Microsoft released a
patch
back in October. Researchers saw FruityArmor APT using the vulnerability in a small number of targeted attacks, primarily against victims in the Middle East. The exploit was packaged into a malware installer, which required system privileges to install a payload that would grant the attackers persistent access onto victims machines, they
reported
.
Now researchers have spotted the same vulnerability in Sodin, which they say is a rarity for ransomware. Statistics show detections across Asia, Europe, North America, and Africa, though
they point out
most are in Asia-Pacific — specifically Taiwan, Hong Kong, and South Korea. Sinitsyn says researchers did not notice a pattern among industries or organizations targeted.
Each Sodin sample has an encrypted configuration block with the settings it needs to work. After launch, it checks the configuration block to verify whether the option to use the exploit is enabled, Sinitsyn explains. If it is, Sodin checks the architecture of the CPU its running on and passes execution to one of the two variants of shellcode contained inside the Trojans body.
The shellcode will then attempt to call a specific sequence of WinAPI functions with malicious crafted arguments in order to trigger the vulnerability, Sinitsyn says. As a result, the running Trojans process gains the highest privileges in the system. The goal here is to make it harder for security solutions to counteract this malware.
Sodin uses a hybrid scheme to encrypt victim files. Its implementation of cryptographic operations is quite sophisticated, he adds. The ransomware employs a combination of asymmetric elliptic curve cryptography and a modern symmetric stream cipher.
Overall, this Trojan leaves the impression that the criminals behind its development know what they are doing, he continues.
Adding to the attackers sophistication is their use of Heavens Gate, a technique that allows the Trojans 32-bit process to execute pieces of 64-bit code. Many debuggers dont support this architecture switch; as a result, its difficult for researchers to analyze the malware. Further, says Sinitsyn, Heavens Gate may impede detection for some security tools or analysis systems.
Heavens Gate has been seen in different types of malware, including coin miners, but this is the first time Kaspersky Lab researchers saw the technique used in a ransomware campaign.
Sodin is designed as ransomware-as-a-service (RaaS), meaning operators can choose the way it spreads, and Sinitsyn anticipates this scheme will allow attackers to continue distributing the ransomware across channels. It is already propagating to vulnerable servers via vulnerable server software as well as to endpoints via malvertising and exploit kits, he says.
Related Content:
The Truth About Your Software Supply Chain
TA505 Group Launches New Targeted Attacks
New MacOS Malware Discovered
Attunity Data Leak Exposes Sensitive Files at Ford, TD Bank

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the
conference
and
to register.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Sodin Ransomware Exploits Windows Privilege Escalation Bug