Sodin ransomware reemerges to gain privileges via Windows flaw

News by Rene Millman

The Sodin ransomware has reemerged recently, using a flaw in a Win32k component to elevate its privileges and infect systems, having moved on from exploiting Oracle Weblogic

The Sodin ransomware has remerged recently, using a flaw in Windows to elevate its privileges and infect systems.
The malware  (also known as Sodinokibi and REvil) first appeared earlier this year and used an Oracle Weblogic vulnerability to distribute itself. 
According to researchers at Kaspersky, most victims were located in the Asia-Pacific region: Taiwan, Hong Kong, and South Korea.
The latest variant escalates privileges using a vulnerability in win32k.sys. The vulnerability was assigned the number CVE-2018-8453. After the exploit is executed, the Trojan acquires the highest level of privileges.
The code in the malware stores in encrypted form a configuration block containing the settings and data required for the Trojan to work. This code includes fields for the distributor public key, ID numbers for the campaign and the distributor, for overwriting data, file extensions that should not be encrypted, names of processes to be terminated, a ransom note template, and one field to use an exploit to gain higher privileges.
The malware also uses a hybrid scheme to encrypt victim files. The file contents are encrypted with the Salsa20 symmetric stream algorithm, and the keys for it with an elliptic curve asymmetric algorithm. 
"When launched, the Trojan generates a new pair of elliptic curve session keys; the public key of this pair is saved in the registry under the name pk_key, while the private key is encrypted using the ECIES algorithm with the sub_key key and stored in the registry under the name sk_key," said researchers.
Researchers added that it would appear that the developers built a loophole into the algorithm "allowing them to decrypt files behind the distributors’ back".
The encrypted files receive a new arbitrary extension (the same for each infection case), the ransom note is saved next to them, and the malware-generated wallpaper is set on the desktop, said researchers.
 
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that patching new exploits is a continual game of cat-and-mouse. Just as malware operators, in particular malware-as-a-service providers, will reuse and add functionality to their code. 
"Therefore, in most cases, even if a company can keep up-to-date with all its patches, it is no guarantee it will safeguard it from all threats. And while some threats make their way through software vulnerabilities, in many cases, companies are exploited through social engineering techniques such as phishing. So, having a well-trained and aware workforce is essential in that regard to minimise the risk of malware successfully executing and crippling the IT systems," he said.
Dan Pitman, principal security architect at Alert Logic, told SC Media UK that it’s unusual for threats to systems to be simple, attackers usually have to work through multiple steps and use multiple vulnerabilities to exploit systems and reach their objectives. 
"Focusing purely on the operating system patches will likely result in gaps in defences and exploitation; look at your whole stack and target vulnerability remediation based on the potential impact and location of systems, eg proximity to untrusted networks (like the internet) and authority of the system," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews