Wednesday, May 29, 2024

Newly Uncovered Diavol Ransomware Sample Possibly Link to The Infamous TrickBot Group

Researchers uncovered a new ransomware strain “Diavol” that has possibly been linked with the most wanted infamous TrickBot hackers group.

TrickBot made it’s name as one of the top banking Trojans in the wild and attacked a wide variety of international banks and other organizations using malicious web injects.

At current cybersecurity trends, Ransomware is a major concern and frequently hitting the organization and individual around the globe.

The currently uncovered Diavol ransomware sample by IBM X-Force is unfamiliar than the already existed sample that was identified by Fortinet.

But this is unlike the Fortinet sample that was fully functional weaponized and directly utilize by the attacker, but this is looked like a development version of Diavol.

Researchers analyzed the code, and it raises a flag that it has a traces configuration that is liked by the TrickBot group.

When differentiating both samples, it indicates that both have been compiled in different time periods ( Development sample – Compiled March 5, 2020), (Active Sample – Compiled April 30, 2021).

We have seen in recent days that collaboration between cybercrime groups and sharing the source code in-between the threat groups are all parts of a growing ransomware economy.

Technical Analysis & Infection Process

In-depth analysis of the identified sample reveals that the attackers using an RSA encryption key to encrypt the victim’s files.

Before starts its execution process, it collects the basic information about the targetted system such as the windows version and network adaptor details.

Soon after it attempts to communicate with the command and control server controlled by the attacker, and register the victim’s machine with a pre-configured Group ID and the Bot ID that was created in the previous step.

X-Force researchers analyzed the sample and found the hardcoded configuration from the portable executable (PE) file overlay rather than in the .data section used by the newer active version.

Also, the configuration elements contain the collection of elements similar to the active sample feature as follows:-

  • C2 IP address
  • Group ID
  • Base64 encoded RSA public key
  • List of process names to terminate
  • List of service names to terminate
  • A list of files to avoid encrypting
  • A list of files to encrypt
  • A list of files to wipe
  • A list of priority files to encrypt first
  • Ransomware text

Before starting the encryption process, the Ransowmare terminate the processes and services on the infected device.

According to the report “In the development sample, the code for the file enumeration and encryption functions is clearly unfinished. The file enumeration function is designed to first encrypt files in the configured priority list (which is empty) and then to enumerate and encrypt files in the hardcoded path C:\TEST\. Functions related to the enumeration of logical drives and network shares, as seen in the newer, active sample, were not implemented.”

At the encryption process, same as the active sample, the current sample is performed using an RSA key and creates a new file with the target file path, and appends the file extension ‘.lock64’. 

Researchers observed one behavior that, in the active sample related to the deployment of ransom notes, file wiping, and deletion of Volume Shadow Copies was not implemented in the development sample.

Hackers used the identical format to generates a Bot ID that has been seen in the Anchor DNS malware that associate with Trickbot, and the same format have seen in the Diavol ransomware.

Also, the HTTP headers used for C2 communication are set to prefer Russian language content, which matches the language used by TrickBot operators. Researcher said.

You can Also Read: Ransomware Attack Response and Mitigation Checklist

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Researchers Exploited Nexus Repository Using Directory Traversal Vulnerability

Hackers target and exploit GitHub repositories for a multitude of reasons and illicit purposes.The...

DDNS Service In Fortinet Or QNAP Embedded Devices Exposes Sensitive Data, Researchers Warn

Hackers employ DNS for various purposes like redirecting traffic to enable man-in-the-middle attacks, infecting...

PoC Exploit Released For macOS Privilege Escalation Vulnerability

A new vulnerability has been discovered in macOS Sonoma that is associated with privilege...

CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

Malicious traffic floods targeted systems, servers, or networks in Distributed Denial of Service (DDoS)...

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME desktop manager was equipped with a new feature which allowed remote users to...

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6,...

Cisco Firepower Vulnerability Let Attackers Launch SQL Injection Attacks

 A critical vulnerability has been identified in Cisco Firepower Management Center (FMC) Software's web-based...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles