Virtualization Technology News and Information
Article
RSS
New, Sophisticated Ransomware Exploits Dangerous Windows Vulnerability
Today, Kaspersky researchers have uncovered a new encryption ransomware named Sodin which exploits a recently discovered zero-day Windows vulnerability to gain elevated privileges in an infected system and take advantage of the architecture of the Central Processing Unit (CPU) to avoid detection. This highly specialized functionality is not often seen in ransomware attacks and can be planted onto vulnerable servers by the attackers requiring no user interaction. 

The malware appears to be part of a ransomware-as-a-service (RAAS) scheme which allows distributers to choose the way in which the encryptor propagates. From the research conducted, it appears the malware is being distributed through an affiliate program in which the creators have access to a loophole in the malware functionality that allows them to decrypt files without their affiliates knowing; a ‘master key' that doesn't require a distributor's key for decryption. This added feature is suspected to be used by the developers to control the decryption of victim data as well as the distribution of the ransomware by cutting certain distributors out of the affiliate program by making the malware useless.

Additionally, Sodin's malware was built to instinctively locate vulnerable servers and send a command to download a malicious file called "radm.exe." which would then save the ransomware to the server and execute it locally. The ransomware note left on infected PCs demands $2,500 (USD) worth of Bitcoin from each victim.

Sodin's sophisticated design makes it even more difficult to detect as it uses the intricate "Heaven's Gate" technique, which is not often found in ransomware attacks as it allows a malicious program to execute 64-bit code from a 32-bit running process.

Kaspersky researchers believe that the Heaven's Gate technique is used in Sodin for two main reasons:

  • To make the analysis of the malicious code more difficult to detect as not all code examiners support this technique and therefore are unable to recognize it.
  • To evade detection by installed security solutions. The technique is used to bypass emulation-based detection, a method for uncovering previously unknown threats that involves launching code that is behaving suspiciously in a virtual environment that emulates a real computer.

The majority of Sodin ransomware targets were found in Asia: 17.6% of attacks have been detected in Taiwan, 9.8% in Hong Kong and 8.8% in the Republic of Korea. Additional attacks have also been observed in Europe, North America and Latin America.

"Ransomware is a very popular type of malware, yet it's not often that we see such an elaborate and sophisticated version that uses the CPU architecture to fly under the radar," says Fedor Sinitsyn, a security researcher at Kaspersky. "We expect to see a rise in the number of attacks involving the Sodin encryptor since the amount of resources that are required to build such malware is significant. Those who invested in the malware's development definitely expect if to pay off handsomely."

Kaspersky security solutions detected the ransomware as Trojan-Ransom.Win32.Sodin. The vulnerability CVE-2018-8453 that the ransomware uses was earlier detected by Kaspersky technology in the wild being exploited by a threat actor the researchers believe to be the FruityArmor hacking group. The vulnerability was patched on October 10, 2018.

Read the full report on Securelist.com

Published Wednesday, July 03, 2019 8:52 AM by David Marshall
Filed under:
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
top25
Calendar
<July 2019>
SuMoTuWeThFrSa
30123456
78910111213
14151617181920
21222324252627
28293031123
45678910