Friday, March 29, 2024

Newly Uncovered Diavol Ransomware Sample Possibly Link to The Infamous TrickBot Group

Researchers uncovered a new ransomware strain “Diavol” that has possibly been linked with the most wanted infamous TrickBot hackers group.

TrickBot made it’s name as one of the top banking Trojans in the wild and attacked a wide variety of international banks and other organizations using malicious web injects.

At current cybersecurity trends, Ransomware is a major concern and frequently hitting the organization and individual around the globe.

The currently uncovered Diavol ransomware sample by IBM X-Force is unfamiliar than the already existed sample that was identified by Fortinet.

But this is unlike the Fortinet sample that was fully functional weaponized and directly utilize by the attacker, but this is looked like a development version of Diavol.

Researchers analyzed the code, and it raises a flag that it has a traces configuration that is liked by the TrickBot group.

When differentiating both samples, it indicates that both have been compiled in different time periods ( Development sample – Compiled March 5, 2020), (Active Sample – Compiled April 30, 2021).

We have seen in recent days that collaboration between cybercrime groups and sharing the source code in-between the threat groups are all parts of a growing ransomware economy.

Technical Analysis & Infection Process

In-depth analysis of the identified sample reveals that the attackers using an RSA encryption key to encrypt the victim’s files.

Before starts its execution process, it collects the basic information about the targetted system such as the windows version and network adaptor details.

Soon after it attempts to communicate with the command and control server controlled by the attacker, and register the victim’s machine with a pre-configured Group ID and the Bot ID that was created in the previous step.

X-Force researchers analyzed the sample and found the hardcoded configuration from the portable executable (PE) file overlay rather than in the .data section used by the newer active version.

Also, the configuration elements contain the collection of elements similar to the active sample feature as follows:-

  • C2 IP address
  • Group ID
  • Base64 encoded RSA public key
  • List of process names to terminate
  • List of service names to terminate
  • A list of files to avoid encrypting
  • A list of files to encrypt
  • A list of files to wipe
  • A list of priority files to encrypt first
  • Ransomware text

Before starting the encryption process, the Ransowmare terminate the processes and services on the infected device.

According to the report “In the development sample, the code for the file enumeration and encryption functions is clearly unfinished. The file enumeration function is designed to first encrypt files in the configured priority list (which is empty) and then to enumerate and encrypt files in the hardcoded path C:\TEST\. Functions related to the enumeration of logical drives and network shares, as seen in the newer, active sample, were not implemented.”

At the encryption process, same as the active sample, the current sample is performed using an RSA key and creates a new file with the target file path, and appends the file extension ‘.lock64’. 

Researchers observed one behavior that, in the active sample related to the deployment of ransom notes, file wiping, and deletion of Volume Shadow Copies was not implemented in the development sample.

Hackers used the identical format to generates a Bot ID that has been seen in the Anchor DNS malware that associate with Trickbot, and the same format have seen in the Diavol ransomware.

Also, the HTTP headers used for C2 communication are set to prefer Russian language content, which matches the language used by TrickBot operators. Researcher said.

You can Also Read: Ransomware Attack Response and Mitigation Checklist

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles