Sodinokibi ransomware exploits Windows vulnerability [CVE-2018-8453]
A ransomware strain named Sodinokibi (also known as Sodin or REvil) is exploiting a Windows vulnerability that Microsoft patched last year.
Microsoft issued a patch for the vulnerability, a privilege escalation flaw known as CVE-2018-8453, back in October 2018.
Unusually, the former zero-day has been spotted alongside ransomware, rather than other forms of malware. Security researchers have suggested that Sodinokibi is being distributed via a ransomware-as-a-service (RaaS) scheme, rather than being directly distributed by its creator.
Oracle addressed CVE-2019-2725 in its Security Alert Advisory. Users and administrators are encouraged to apply that update immediately.
Here’s a snippet of the #sodinokibi x64 kernel shellcode for performing SYSTEM privilege escalation. It’s been a real joy to debug! 🙂
— Tom Bonner (@thomas_bonner) July 4, 2019
Indicators of Compromise (IoC)
Ransomware samples:
Distribution URLs:
Attacker IP:
130.61.54[.]136
Attacker Domain:
decryptor[.]top
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.