Kaspersky researchers have identified a new encryption ransomware named Sodin, which exploits a recently discovered zero-day Windows vulnerability to get elevated privileges in an infected system.
The ransomware also takes advantage of the Central Processing Unit (CPU) architecture to avoid detection, functionality that is not often seen in ransomware. In certain cases the malware requires no user interaction at all and is simply planted onto vulnerable servers by the attackers.
“Ransomware is a very popular type of malware, yet it’s not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors.
We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware’s development definitely expect it to pay off handsomely,” said Fedor Sinitsyn, a security researcher at Kaspersky.
Ransomware, the encryption or locking of data or devices accompanied by a demand for money, is an enduring cyber threat, affecting individuals and organizations of all sizes across the world. However, sophisticated approaches such as that of Sodin, which involves the exploitation of a recently discovered zero-day vulnerability in Windows (CVE-2018-8453) to escalate privileges, might be able to avoid raising suspicion for a while.
There are signs that the malware is being distributed through an affiliate program. Moreover, ransomware usually requires some form of user interaction, such as opening an attachment to an email message or clicking on a malicious link. The attackers who used Sodin didn’t need such help: they would usually find a vulnerable server and send it a command to download a malicious file called “radm.exe.” This then saved the ransomware locally and executed it.
Most targets of Sodin ransomware were found in the Asian region: 17.6% of attacks have been detected in Taiwan, 9.8% in Hong Kong and 8.8% in the Republic of Korea. However, attacks have also been observed in Europe, North America and Latin America. The ransomware note left on infected PCs demands $2500 (USD) worth of Bitcoin from each victim.
What makes Sodin even harder to detect is the use of the “Heaven’s Gate” technique. This allows a malicious program to execute 64-bit code from a 32-bit running process, which is not a common practice and does not often occur in ransomware.
The researchers believe that the Heaven’s Gate technique is used in Sodin for two main reasons:
• To make analysis of the malicious code harder – not all ‘debuggers’ (code examiners) support this technique and therefore can’t recognize it.
• To evade detection by installed security solutions. The technique is used to bypass emulation-based detection, a method for uncovering previously unknown threats that involves launching code that is behaving suspiciously in a virtual environment that resembles (emulates) a real computer.
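As an added illustration of what a static check for the Heaven’s Gate idiom looks for (example code written for this article, not Kaspersky’s code or anything taken from the Sodin sample): on 64-bit Windows a 32-bit (WoW64) process executes with code segment selector 0x23, and a far jump, far call or far return to selector 0x33 switches the processor into 64-bit mode. The scanner below walks a 32-bit code blob and flags direct far transfers to 0x33 as well as the push 0x33 / retf idiom. The byte strings it is run on are constructed samples, and the selector values are the standard WoW64 ones; a real deployment would run this over the code sections of a suspect module or process dump.

```python
"""Heuristic scanner for the x86 'Heaven's Gate' transition idiom.

Added example, not Kaspersky's code and not bytes from the Sodin sample.
On 64-bit Windows a 32-bit (WoW64) process runs with CS = 0x23; a far
transfer to selector 0x33 switches the CPU into 64-bit mode. Finding
far transfers that target 0x33 inside 32-bit code is a simple static
indicator that the code intends to execute 64-bit instructions.
"""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

X64_CS = 0x33  # WoW64 64-bit code segment selector (assumed standard value)


@dataclass(frozen=True)
class Hit:
    offset: int            # byte offset of the flagged instruction
    kind: str              # 'jmp far', 'call far' or 'push 0x33/retf'
    target: Optional[int]  # 32-bit target address for direct far transfers


def find_heavens_gate(code: bytes) -> List[Hit]:
    """Return every location in `code` that looks like a 32->64-bit switch."""
    hits: List[Hit] = []

    # Direct far transfers: EA (jmp far) / 9A (call far) imm32 sel16 with sel16 == 0x33.
    pattern = rb'[\xEA\x9A].{4}' + struct.pack('<H', X64_CS)
    for m in re.finditer(pattern, code, re.DOTALL):
        op = m.group(0)
        target = struct.unpack_from('<I', op, 1)[0]
        kind = 'jmp far' if op[0] == 0xEA else 'call far'
        hits.append(Hit(m.start(), kind, target))

    # Indirect idiom: push 0x33 (6A 33) followed shortly by retf (CB),
    # which pops the pushed selector as the new CS.
    for m in re.finditer(rb'\x6A\x33', code):
        window = code[m.end():m.end() + 16]
        if b'\xCB' in window:
            hits.append(Hit(m.start(), 'push 0x33/retf', None))

    return sorted(hits, key=lambda h: h.offset)


# Constructed sample blobs (labelled: these are not bytes from real malware).
BENIGN = b'\x55\x8B\xEC\x33\xC0\x5D\xC3'  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
FAR_JMP = BENIGN + b'\xEA' + struct.pack('<I', 0x00401000) + b'\x33\x00'  # jmp far 0x33:0x401000
PUSH_RETF = b'\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB'  # push 0x33; call $+5; add [esp],5; retf
WOW64_ONLY = b'\xEA' + struct.pack('<I', 0x00401000) + b'\x23\x00'  # far jmp staying in 32-bit CS


if __name__ == '__main__':
    for name, blob in [('BENIGN', BENIGN), ('FAR_JMP', FAR_JMP),
                       ('PUSH_RETF', PUSH_RETF), ('WOW64_ONLY', WOW64_ONLY)]:
        print(name, find_heavens_gate(blob))
```

The check is deliberately narrow: it only reports transfers whose selector is 0x33, so an ordinary far jump that stays in the 32-bit segment is not flagged, and it treats the push/retf pair as an idiom rather than disassembling around it. It is a triage aid for analysts rather than a replacement for the emulation-based and behaviour-based detection the article describes, since byte patterns can be obfuscated or appear by chance in data.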
Kaspersky researchers advise the following to avoid falling victim to Sodin:
• Make sure that the software used in your company is regularly updated to the most recent versions. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.
• Use a robust security solution such as Kaspersky Endpoint Security that is equipped with behaviour-based detection capabilities for effective protection against known and unknown threats including exploits.