Sunday, December 10, 2023

Newly Uncovered Diavol Ransomware Sample Possibly Link to The Infamous TrickBot Group

Researchers uncovered a new ransomware strain “Diavol” that has possibly been linked with the most wanted infamous TrickBot hackers group.

TrickBot made it’s name as one of the top banking Trojans in the wild and attacked a wide variety of international banks and other organizations using malicious web injects.

At current cybersecurity trends, Ransomware is a major concern and frequently hitting the organization and individual around the globe.

The currently uncovered Diavol ransomware sample by IBM X-Force is unfamiliar than the already existed sample that was identified by Fortinet.

But this is unlike the Fortinet sample that was fully functional weaponized and directly utilize by the attacker, but this is looked like a development version of Diavol.

Researchers analyzed the code, and it raises a flag that it has a traces configuration that is liked by the TrickBot group.

When differentiating both samples, it indicates that both have been compiled in different time periods ( Development sample – Compiled March 5, 2020), (Active Sample – Compiled April 30, 2021).

We have seen in recent days that collaboration between cybercrime groups and sharing the source code in-between the threat groups are all parts of a growing ransomware economy.

Technical Analysis & Infection Process

In-depth analysis of the identified sample reveals that the attackers using an RSA encryption key to encrypt the victim’s files.

Before starts its execution process, it collects the basic information about the targetted system such as the windows version and network adaptor details.

Soon after it attempts to communicate with the command and control server controlled by the attacker, and register the victim’s machine with a pre-configured Group ID and the Bot ID that was created in the previous step.

X-Force researchers analyzed the sample and found the hardcoded configuration from the portable executable (PE) file overlay rather than in the .data section used by the newer active version.

Also, the configuration elements contain the collection of elements similar to the active sample feature as follows:-

  • C2 IP address
  • Group ID
  • Base64 encoded RSA public key
  • List of process names to terminate
  • List of service names to terminate
  • A list of files to avoid encrypting
  • A list of files to encrypt
  • A list of files to wipe
  • A list of priority files to encrypt first
  • Ransomware text

Before starting the encryption process, the Ransowmare terminate the processes and services on the infected device.

According to the report “In the development sample, the code for the file enumeration and encryption functions is clearly unfinished. The file enumeration function is designed to first encrypt files in the configured priority list (which is empty) and then to enumerate and encrypt files in the hardcoded path C:\TEST\. Functions related to the enumeration of logical drives and network shares, as seen in the newer, active sample, were not implemented.”

At the encryption process, same as the active sample, the current sample is performed using an RSA key and creates a new file with the target file path, and appends the file extension ‘.lock64’. 

Researchers observed one behavior that, in the active sample related to the deployment of ransom notes, file wiping, and deletion of Volume Shadow Copies was not implemented in the development sample.

Hackers used the identical format to generates a Bot ID that has been seen in the Anchor DNS malware that associate with Trickbot, and the same format have seen in the Diavol ransomware.

Also, the HTTP headers used for C2 communication are set to prefer Russian language content, which matches the language used by TrickBot operators. Researcher said.

You can Also Read: Ransomware Attack Response and Mitigation Checklist

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

WordPress POP Chain Flaw Exposes Over 800M+ Websites to Attack

A critical remote code execution vulnerability has been patched as part of the Wordpress...

Russian Star Blizzard New Evasion Techniques to Hijack Email Accounts

Hackers target email accounts because they contain valuable personal and financial information. Successful email...

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles