Kaspersky researchers have uncovered new encryption ransomware named Sodin, which exploits a recently discovered zero-day Windows vulnerability to get elevated privileges in an infected system and takes advantage of the architecture of the central processing unit (CPU) to avoid detection – functionality that is not often seen in ransomware.
What’s more, in certain cases the malware requires no user interaction and is simply planted onto vulnerable servers by the attackers.
Ransomware, the encryption or locking of data or devices accompanied by a demand for money is an enduring cyberthreat, affecting individuals and organisations of all sizes across the world. Most security solutions detect well-known versions and established attack vectors.
However, sophisticated approaches such as that of Sodin, which involves the exploitation of a recently discovered zero-day vulnerability in Windows (CVE-2018-8453) to escalate privileges might be able to avoid raising suspicion for a while.
The malware appears to be part of a RAAS – ransomware-as-a-service – scheme, which means that its distributers are free to choose the way in which the encryptor propagates. There are signs that the malware is being distributed through an affiliate program.
For example, the developers of the malware have left a loophole in the malware functionality that allows them to decrypt files without their affiliates knowing: a ‘master key’ that doesn’t require a distributor’s key for decryption (normally the distributor keys are the ones used to decrypt the files of victims that payed the ransom).
This feature might be used by the developers to control the decryption of victim data or the distribution of the ransomware by, for example, cutting certain distributors out of the affiliate program by making the malware useless.
Moreover, usually ransomware requires some form of user interaction – such as opening an attachment to an email message or clicking on a malicious link. The attackers that used Sodin didn’t need such help: they would usually find a vulnerable server and send a command to download a malicious file called “radm.exe”. This then saved the ransomware locally and executed it.
Most targets of Sodin ransomware were found in the Asian region: 17.6% of attacks have been detected in Taiwan, 9,8% in Hong Kong and 8,8% in the Republic of Korea. However, attacks have also been observed in Europe, North America and Latin America. The ransomware note left on infected PCs demands $2500 (USD) worth of bitcoin from each victim.
What makes Sodin even harder to detect is the use of the “Heaven’s Gate” technique. This allows a malicious program to execute 64-bit code from a 32-bit running process, which is not a common practice and does not often occur in ransomware.
The researchers believe that the Heaven’s Gate technique is used in Sodin for two main reasons:
* To make analysis of the malicious code harder – not all ‘debuggers’ (code examiners) support this technique and therefore can’t recognise it.
* To evade detection by installed security solutions. The technique is used to bypass emulation-based detection, a method for uncovering previously unknown threats that involves launching code that is behaving suspiciously in a virtual environment that resembles (emulates) a real computer.
“Ransomware is a very popular type of malware, yet it’s not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors. We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware’s development definitely expect it to pay off handsomely,” says Fedor Sinitsyn, a security researcher at Kaspersky.
Kaspersky security solutions detect the ransomware as Trojan-Ransom.Win32.Sodin. The vulnerability CVE-2018-8453 that the ransomware uses was earlier detected by Kaspersky technology in the wild being exploited by a threat actor the researchers believe to be the FruityArmor hacking group. The vulnerability was patched on 10 October 2018.