Sodinokibi ransomware is now exploiting zero-day Windows vulnerability, security researchers warn

Attackers were earlier exploiting a flaw in Oracle WebLogic to spread the ransomware

The newly discovered Sodinokibi ransomware exploits a zero-day Windows vulnerability (CVE-2018-8453) to infect systems, researchers from cybersecurity firm Kaspersky have warned.

The stealthy ransomware, also known as Sodin and REvil, was first discovered in April this year. At that time, attackers were observed exploiting a flaw in Oracle WebLogic to spread it.

But security researchers say they have now seen many instances of Sodinokibi exploiting CVE-2018-8453 to gain elevated privileges on infected systems — a rarity for ransomware. The malware also uses a CPU-architecture trick to avoid detection, they say.

Sodinokibi doesn't need user interaction to infect systems and is saved to vulnerable servers for future execution. It can then be triggered remotely by attackers to encrypt files on the target system.

Analysis of Sodinokibi revealed that it uses the 'Heaven's Gate' technique to execute 64-bit code from a running 32-bit process. Because not all code-analysis tools support this technique, it makes detecting Sodin even more difficult.
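Heaven's Gate relies on a 32-bit process transferring control to the 64-bit code segment, which on Windows under WOW64 has the well-known selector 0x33. An analyst can therefore triage a 32-bit binary for the byte patterns of that transfer: a far jump or far call whose selector is 0x33, or a `push 0x33` followed shortly by a `retf`. The scanner below is an added example for this article, not code from Kaspersky or from the malware; the sample buffer is constructed (non-functional filler bytes around the two patterns) and the regexes are assumptions about how the gate is usually encoded, so treat hits as leads for manual review rather than proof.

```python
import re
from typing import List, Tuple

# Selector of the 64-bit code segment under WOW64 on Windows (well-known value).
WOW64_CS64 = 0x33

# Far JMP (opcode EA) or far CALL (opcode 9A) with a ptr16:32 operand:
# a 4-byte offset followed by the 2-byte selector, little-endian -> 33 00.
FAR_TRANSFER = re.compile(rb"[\xEA\x9A].{4}\x33\x00", re.DOTALL)

# push 0x33 (6A 33) followed within a short window by retf (CB): the
# "push selector; push address; retf" form of the gate. Window size is an assumption.
PUSH_RETF = re.compile(rb"\x6A\x33.{0,16}?\xCB", re.DOTALL)


def find_heavens_gate(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) pairs for Heaven's Gate-style transfers.

    Only meaningful for 32-bit code: in 64-bit mode opcode EA/9A is invalid,
    and selector 0x33 is already the current code segment.
    """
    hits: List[Tuple[int, str]] = []
    for m in FAR_TRANSFER.finditer(code):
        kind = "jmp far" if code[m.start()] == 0xEA else "call far"
        target = int.from_bytes(code[m.start() + 1:m.start() + 5], "little")
        hits.append((m.start(), f"{kind} 0x{WOW64_CS64:02x}:0x{target:08x}"))
    for m in PUSH_RETF.finditer(code):
        hits.append((m.start(), "push 0x33 ... retf"))
    return sorted(hits)


# Constructed sample: an ordinary prologue, then the push/retf pattern padded
# with NOPs (deliberately not a working gate), then a far jump to selector 0x33.
SAMPLE = (
    b"\x55\x8B\xEC"                   # push ebp; mov ebp, esp
    b"\x6A\x33"                       # push 0x33
    b"\x90\x90\x90"                   # filler
    b"\xCB"                           # retf
    b"\x90\x90\x90\x90"               # padding
    b"\xEA\x78\x56\x34\x12\x33\x00"   # jmp far 0x33:0x12345678
    b"\x31\xC0\xC3"                   # xor eax, eax; ret
)

if __name__ == "__main__":
    for offset, what in find_heavens_gate(SAMPLE):
        print(f"offset {offset:#06x}: {what}")
```

Because the scanner works on raw bytes, the same patterns can appear by chance inside data or inside instructions that merely contain those bytes, so a hit should be confirmed by disassembling around the offset; conversely, a sample that builds the far jump target at runtime will not match, which is why dynamic tracing of mode switches remains the stronger detection.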

Researchers have detected Sodinokibi infections across Asia, Europe, Africa and North America, although most infections have been observed in Asia-Pacific, specifically Hong Kong, Taiwan and South Korea.

Analysis of Sodinokibi also reveals that it carries an encrypted configuration block holding all the settings the ransomware needs. After being triggered, it checks the configuration to see whether the option to use the exploit is enabled.

Sodin then checks the CPU architecture and passes execution to one of two shellcode variants embedded in the Trojan's body. The shellcode calls a particular sequence of WinAPI functions with malicious arguments to trigger the vulnerability, allowing the Trojan's process to obtain the highest privileges on the system.

Researchers believe that Sodin is likely a part of a ransomware-as-a-service scheme, which means that its distributors have the freedom to choose the way in which the malware propagates.

The ransomware uses a hybrid scheme to encrypt the files on the victim's system: file contents are encrypted with the Salsa20 symmetric stream cipher, while the keys are encrypted with an elliptic-curve asymmetric algorithm.

The researchers also found special functionality in Sodin that allows its authors to decrypt victims' files without the affiliates knowing about it. This is done using a master key that is independent of the key affiliates use to decrypt the files.