Kaspersky Lab analysts published a detailed report on the Sodin encryptor (also known as Sodinokibi and REvil). Sodin exploits a zero-day vulnerability in Windows (CVE-2018-8453) for privilege escalation and, to hide itself, also relies on architectural features of the processor, something rarely seen in malware of this type.
Sodin demands a ransom in bitcoins equivalent to $2,500 from its victims. Most of the victims are in the Asia-Pacific region: in Taiwan, Hong Kong and South Korea.
Experts discovered Sodin in the first half of 2019, and it immediately caught their attention: the encryptor exploited a vulnerability in Oracle WebLogic and attacked MSP providers. Further, more detailed analysis revealed exploitation of the aforementioned Windows vulnerability, which had previously been actively used by the FruityArmor hacking group.
Some signs suggest that Sodin is distributed on the RaaS (Ransomware-as-a-Service) model, that is, it is sold on the black market. An intriguing feature of the malware is linked to this. Usually, under such a scheme, the only key for decrypting files is held by the program's distributors. However, Sodin's functionality contains an interesting loophole that allows its authors to decrypt files without the distributors' knowledge.
To make the malware harder to analyze with debuggers and harder for defensive solutions to identify as this encryptor, the attackers use the Heaven's Gate technique, which is rare in ransomware and which allows 64-bit code to be executed in a 32-bit process. Interestingly, this technique was first described as early as the mid-2000s in the 29A group, and after the team broke up the material was reprinted in the hacker magazine Valhalla.
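The Heaven's Gate switch described above leaves a recognizable footprint in 32-bit code: a far jump, far call or far return into the 64-bit code segment selector 0x33 that WOW64 uses. The following scanner is an added example written for this article, not code from Kaspersky Lab's report or from the malware; it searches a byte blob for the classic gate sequences so that an analyst or a detection rule can flag a 32-bit sample that carries them. The sample bytes are constructed for illustration, and the pattern names are this example's own labels.

```python
"""Flag byte sequences characteristic of the Heaven's Gate technique
(a 32-bit process transferring control to the 64-bit code segment, selector 0x33).
Added example; the sample blob below is constructed, not taken from any real sample."""
import re
from typing import List, Tuple

# Under WOW64, selector 0x33 is the 64-bit code segment and 0x23 the 32-bit one.
# Each pattern is a raw-byte regex; '.' matches any byte because of re.DOTALL.
PATTERNS = [
    # jmp far 0x33:imm32            -> EA <4-byte offset> 33 00
    ("far_jmp_cs33", re.compile(rb"\xEA.{4}\x33\x00", re.DOTALL)),
    # call far 0x33:imm32           -> 9A <4-byte offset> 33 00
    ("far_call_cs33", re.compile(rb"\x9A.{4}\x33\x00", re.DOTALL)),
    # push 0x33 ; call $+5 ; add dword [esp], 5 ; retf   (the classic gate)
    ("push33_call_add_retf",
     re.compile(rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB", re.DOTALL)),
    # push 0x33 ; push imm32 ; retf  (far return into the 64-bit segment)
    ("push33_push_retf", re.compile(rb"\x6A\x33\x68.{4}\xCB", re.DOTALL)),
]


def find_heavens_gate(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, pattern_name) for every gate sequence found, sorted by offset."""
    hits = []
    for name, rx in PATTERNS:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    hits.sort()
    return hits


def is_suspicious(blob: bytes) -> bool:
    """True when at least one Heaven's Gate sequence is present."""
    return bool(find_heavens_gate(blob))


# Constructed test blob: an ordinary function prologue, the classic gate,
# some NOPs, a far jump to 0x33:0x00401000, and lone "33 00" bytes that
# must NOT be reported because they are not part of a control transfer.
SAMPLE = (
    b"\x55\x8B\xEC\x83\xEC\x10"                           # push ebp; mov ebp,esp; sub esp,0x10
    + b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB" # classic gate, starts at offset 6
    + b"\x90" * 4                                         # nop padding
    + b"\xEA\x00\x10\x40\x00\x33\x00"                     # jmp far 0x33:0x00401000, offset 22
    + b"\x33\x00\x33\x00"                                 # selector bytes alone: no hit
)

if __name__ == "__main__":
    for offset, name in find_heavens_gate(SAMPLE):
        print(f"offset 0x{offset:04x}: {name}")
    print("suspicious:", is_suspicious(SAMPLE))
```

Run it on the `.text` section of a 32-bit PE rather than on the whole file: the far-jump and far-call encodings are short enough that data sections can produce chance matches, whereas the twelve-byte classic gate is specific enough to treat as a strong indicator on its own.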
“Extortionists remain a very common threat, although we still rarely see such complex varieties of this type of malware and such an unusual technique – launching 64-bit code in a 32-bit process, which complicates analysis of malicious code, as well as its detection by defensive solutions. We expect a surge in the number of Sodin attacks, since many resources have apparently been invested in its creation, which means that its authors will most likely want to recoup the effort,” says Fyodor Sinitsyn, senior antivirus expert at Kaspersky Lab.
In most cases, the distribution methods of this encryptor do not involve any active action on the part of the victim. Attackers compromise servers running vulnerable software and silently install the malware on the system.