
Rewterz Threat Alert – Diving Into Sodinokibi Ransomware

October 16, 2019

Severity

High

Analysis Summary

McAfee’s Advanced Threat Research (ATR) team took a deep dive into the code of the Sodinokibi (aka REvil) ransomware-as-a-service and published their results in an article. The ATR team ran across Sodinokibi at the end of April, at about the same time it was announced that GandCrab would be shut down. Sodinokibi initially used a vulnerability in Oracle’s WebLogic server to infect victims. The malware is offered as a service, with one group of people developing the code. Their affiliates, those who pay for the service, can then spread Sodinokibi as they see fit, whether through phishing campaigns, exploit kits, brute-force RDP attacks, or by uploading tools and scripts that elevate privileges and then execute the malware. The ATR team compared the unpacked Sodinokibi code with version 5.03 of GandCrab to determine similarities and found that the two were most alike in their functions. The ATR team suggested that one or more developers of Sodinokibi may have had access to the GandCrab source code.

Vulnerability Exploited

CVE-2018-8453

Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of objects in memory by the Win32k component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to execute arbitrary code in kernel mode.

Impact

File encryption

Indicators of Compromise

Malware Hashes:

MD5

  • ccfde149220e87e97198c23fb8115d5ae
  • f777a861ede95d3b02b0b135952d43a

SHA1

  • 39e4eb1ab854c4a7929e8e77ca0dbca37049154d

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
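As an added example (not Rewterz tooling), the script below validates the advisory's published indicators before loading them into a blocklist and then hashes files on disk against the well-formed ones. As printed above, the two MD5 values are 33 and 31 hex characters long rather than 32, so the check rejects them instead of letting them sit in a blocklist where they could never match; the SHA1 value is well-formed and is used as-is.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied verbatim from the advisory above.
ADVISORY_IOCS = {
    "md5": ["ccfde149220e87e97198c23fb8115d5ae", "f777a861ede95d3b02b0b135952d43a"],
    "sha1": ["39e4eb1ab854c4a7929e8e77ca0dbca37049154d"],
}

# Expected hex-digest length per algorithm.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_iocs(iocs):
    """Split indicators into well-formed digests and ones that can never match."""
    valid, rejected = {}, []
    for algo, values in iocs.items():
        expected = HEX_LENGTHS[algo]
        good = set()
        for v in values:
            v = v.strip().lower()
            if re.fullmatch(r"[0-9a-f]{%d}" % expected, v):
                good.add(v)
            else:
                rejected.append((algo, v, f"expected {expected} hex chars, got {len(v)}"))
        valid[algo] = good
    return valid, rejected


def digest_file(path, algo):
    """Stream a file through hashlib so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, valid):
    """Return (path, algorithm) pairs for files whose digest is in the validated blocklist."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            for algo, wanted in valid.items():
                if wanted and digest_file(p, algo) in wanted:
                    hits.append((str(p), algo))
    return hits


if __name__ == "__main__":
    import sys
    valid, rejected = validate_iocs(ADVISORY_IOCS)
    for r in rejected:
        print("rejected indicator:", r)
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".", valid):
        print("match:", hit)
```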