Newly Uncovered Diavol Ransomware Sample Possibly Link to The Infamous TrickBot Group

Researchers uncovered a new ransomware strain “Diavol” that has possibly been linked with the most wanted infamous TrickBot hackers group.

TrickBot made it’s name as one of the top banking Trojans in the wild and attacked a wide variety of international banks and other organizations using malicious web injects.

At current cybersecurity trends, Ransomware is a major concern and frequently hitting the organization and individual around the globe.

The currently uncovered Diavol ransomware sample by IBM X-Force is unfamiliar than the already existed sample that was identified by Fortinet.

But this is unlike the Fortinet sample that was fully functional weaponized and directly utilize by the attacker, but this is looked like a development version of Diavol.

Researchers analyzed the code, and it raises a flag that it has a traces configuration that is liked by the TrickBot group.

When differentiating both samples, it indicates that both have been compiled in different time periods ( Development sample – Compiled March 5, 2020), (Active Sample – Compiled April 30, 2021).

We have seen in recent days that collaboration between cybercrime groups and sharing the source code in-between the threat groups are all parts of a growing ransomware economy.

Technical Analysis & Infection Process

In-depth analysis of the identified sample reveals that the attackers using an RSA encryption key to encrypt the victim’s files.

Before starts its execution process, it collects the basic information about the targetted system such as the windows version and network adaptor details.

Soon after it attempts to communicate with the command and control server controlled by the attacker, and register the victim’s machine with a pre-configured Group ID and the Bot ID that was created in the previous step.

X-Force researchers analyzed the sample and found the hardcoded configuration from the portable executable (PE) file overlay rather than in the .data section used by the newer active version.

Also, the configuration elements contain the collection of elements similar to the active sample feature as follows:-

• C2 IP address
• Group ID
• Base64 encoded RSA public key
• List of process names to terminate
• List of service names to terminate
• A list of files to avoid encrypting
• A list of files to encrypt
• A list of files to wipe
• A list of priority files to encrypt first
• Ransomware text

Before starting the encryption process, the Ransowmare terminate the processes and services on the infected device.

According to the report “In the development sample, the code for the file enumeration and encryption functions is clearly unfinished. The file enumeration function is designed to first encrypt files in the configured priority list (which is empty) and then to enumerate and encrypt files in the hardcoded path C:\TEST\. Functions related to the enumeration of logical drives and network shares, as seen in the newer, active sample, were not implemented.”

At the encryption process, same as the active sample, the current sample is performed using an RSA key and creates a new file with the target file path, and appends the file extension ‘.lock64’. 

Researchers observed one behavior that, in the active sample related to the deployment of ransom notes, file wiping, and deletion of Volume Shadow Copies was not implemented in the development sample.

Hackers used the identical format to generates a Bot ID that has been seen in the Anchor DNS malware that associate with Trickbot, and the same format have seen in the Diavol ransomware.

Also, the HTTP headers used for C2 communication are set to prefer Russian language content, which matches the language used by TrickBot operators. Researcher said.

You can Also Read: Ransomware Attack Response and Mitigation Checklist

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.