Kaspersky experts discovered that Sodinokibi, aka Sodin, Ransomware currently also exploits the CVE-2018-8453 vulnerability to elevate privileges in Windows

The Sodinokibi Ransomware (aka Sodin, REvil) appeared in the threat landscape in April when crooks were delivering it by exploiting a recently patched Oracle WebLogic Server vulnerability.

Now the threat is evolving, the Sodinokibi ransomware includes fresh code to elevate its privileges on a target machine by exploiting a vulnerability in the Win32k component present on Windows 7 through 10 and Server editions.

In October, Kaspersky revealed that the CVE-2018-8453 vulnerability has been exploited by the APT group tracked as FruityArmor, a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations.

Kaspersky found that the Sodin ransomware is spreading worldwide with most of the infections that were observed in Asia-Pacific region: Taiwan (17.56%), Hong Kong, and South Korea (8.78%).

Kaspersky uses the name Sodin to refer to this strain of ransomware and telemetry data shows detections in small areas on the globe, most of them recorded in the Asia-Pacific region: Taiwan (17.56%), Hong Kong, and South Korea (8.78%).

Other countries where Sodinokibi was detected are Japan (8.05%), Germany (8.05%), Italy (5.12%), Spain (4.88%), Vietnam (2.93), the U.S. (2.44%), and Malaysia (2.20%).

Researchers published a technical analysis of the privilege escalation process that allows the threat to gain SYSTEM privileges.

To escalate privileges, Sodin leverages the vulnerability in win32k.sys, then it executes of two shellcode options contained in the Trojan body depending on the processor architecture.

The body of each Sodin sample includes an encrypted configuration block that stores the settings and data used by the malware.

The Sodin configuration includes fields for the public key, ID numbers for the campaign and the distributor, for overwriting data, names of directories and files, and list of extensions not to be encrypted, names of the processes it should terminate, C2 server addresses, ransom note template, and one for using an exploit to get higher privileges on the machine.

The Sodin sample analyzed by Kaspersky implements a hybrid scheme to encrypt data, it uses a symmetric algorithm (Salsa20) for to encrypt files and elliptic curve asymmetric encryption to protect the keys.

“Since some data is stored in the registry, this article uses the names given by the ransomware itself. For entities not in the registry, we use invented names.” continues the analysis.

“When launched, the Trojan generates a new pair of elliptic curve session keys; the public key of this pair is saved in the registry under the name pk_key, while the private key is encrypted using the ECIES algorithm with the sub_key key and stored in the registry under the name sk_key.”

The private key is also encrypted with a second public key, which is hardcoded in the malware and the result is saved in the registry.

Once encrypted the files, Sodinokibi will append a random extension that is different for each computer it infects.

The malicious code doesn’t encrypt files with keyboard layouts specific to certain countries, including Russia, Ukraine, Belarus, Tajikistan, Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Turkmenistan, Moldova, Uzbekistan, and Syria.

Further details, including IoCs, are reported in the analysis.

Pierluigi Paganini

(SecurityAffairs – Sodin, ransomware)