Alert! New Ransomware by TrickBot Botnet Found Called Diavol

According to the latest research, the attackers behind the notorious TrickBot Trojan have been linked to a new ransomware strain named “Diavol.”

Both the Diavol and Conti ransomware payloads were deployed on different systems in a case of an unsuccessful attack targeting one of its customers earlier this month, investigators from Fortinet’s FortiGuard Labs said.

TrickBot, a banking malware first discovered in 2016, has commonly been a Windows-based crimeware solution, employing various modules to execute a broad range of malicious activities on the targeted network, including credential theft and ransomware attacks.

Despite attempts by law enforcement to neutralize the bot network, the ever-evolving malware has proven to be a persistent threat, with the Russia-based operators, known as “Wizard Spider,” quickly adopting new tools to carry out further attacks.

The researchers said, “As part of a rather specific encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm.” Commonly, a ransomware operator’s main intent is to complete the encryption operation in the shortest amount of time, and asymmetric encryption algorithms are not the obvious choice for that, as they are significantly slower than symmetric algorithms.

Another element of the ransomware that stands out is its reliance on anti-analysis techniques to obfuscate its code in the form of bitmap images, from which the routines are loaded into a buffer with execute permissions.

Before locking the files and replacing the desktop wallpaper with the ransom message, Diavol carries out a few major functions, including registering the victim device with a remote server, terminating running processes, searching the system for local drives and files to encrypt, and preventing recovery by deleting shadow copies.

How Does the New Variant “Diavol” Spread?

Investigators stated that Diavol takes advantage of Asynchronous Procedure Calls (APCs), as mentioned above, with a unique encryption process. The Diavol ransomware drops a ransom message in every folder it encrypts. While Diavol does not use any techniques to evade security detection, researchers found anti-analysis tactics used by this group to disguise its code.
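The one-note-per-encrypted-folder behaviour described above leaves a simple host-side footprint that a responder can use to scope an incident: the same small file, with identical content, recurring across many directories. The following is an added example written for this article, not code from the Fortinet report or from Diavol itself. It walks a tree, hashes small files and reports any (filename, content hash) pair seen in at least three directories; the note name README_FOR_DECRYPT.txt and the sample tree are constructed here, since the article does not give Diavol’s real note name.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Hypothetical note file name used only for this constructed sample tree; it is
# not the name Diavol actually uses, which the article does not give.
SAMPLE_NOTE_NAME = "README_FOR_DECRYPT.txt"
SAMPLE_NOTE_BODY = b"[constructed placeholder for a ransom note body]\n"


def sweep_for_replicated_files(root, min_dirs=3, max_size=64 * 1024):
    """Walk `root` and return {(filename, sha256): sorted list of directories}
    for every small file whose exact name *and* exact content recur in at
    least `min_dirs` distinct directories. A note dropped per folder produces
    exactly this pattern; ordinary documents almost never do."""
    seen = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # notes are small; skip large files cheaply
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            seen[(name, digest)].append(dirpath)
    return {key: sorted(dirs) for key, dirs in seen.items() if len(dirs) >= min_dirs}


def build_sample_tree(root):
    """Create a constructed directory tree: the note in three folders, plus a
    legitimate readme whose content differs per folder (must not be flagged)."""
    for rel in ("docs", os.path.join("docs", "2021"), "finance", "pictures"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in ("docs", os.path.join("docs", "2021"), "finance"):
        with open(os.path.join(root, rel, SAMPLE_NOTE_NAME), "wb") as fh:
            fh.write(SAMPLE_NOTE_BODY)
    for rel in ("docs", "finance", "pictures"):
        with open(os.path.join(root, rel, "readme.txt"), "wb") as fh:
            fh.write(f"notes for {rel}\n".encode())


def demo():
    """Build the sample tree in a temp dir and return {note name: [relative dirs]}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = sweep_for_replicated_files(root)
        return {
            name: [os.path.relpath(d, root) for d in dirs]
            for (name, _digest), dirs in hits.items()
        }


if __name__ == "__main__":
    for name, dirs in demo().items():
        print(f"{name}: replicated in {len(dirs)} directories -> {dirs}")
```

Requiring both the name and the hash to match keeps legitimately common names such as readme.txt out of the result unless their content is byte-identical, and the directory list doubles as a first estimate of which folders the encryption routine reached.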


Attack Flow of Diavol

  • Generate an ID on the targeted machine
  • Initialize the configuration
  • Initiate C&C communication
  • Kill system processes
  • Initialize the encryption key
  • Find drives
  • Go through the files
  • Encrypt the files
  • Change the desktop wallpaper or drop a ransom message
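Several steps in this flow, and the shadow-copy deletion mentioned earlier, run as ordinary child processes before any file is encrypted, which is the window in which a detection is most useful. The block below is an added example for this article, not code from the Fortinet report or from Diavol; it applies a small set of well-known recovery-inhibition command-line patterns (vssadmin, wmic shadowcopy, bcdedit, wbadmin) to constructed, Sysmon-like process-creation lines and then correlates multiple hits from the same parent process on the same host within a short window into a single high-confidence incident. The log format, the host name WS01 and the parent image unknown_payload.exe are all constructed for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample process-creation events in a flattened, Sysmon-like
# key=value form (not real telemetry from the Diavol incident). The parent
# image name is a placeholder for an unknown dropped payload.
SAMPLE_EVENTS = [
    "2021-07-01T10:15:02 host=WS01 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe report.txt",
    "2021-07-01T10:16:44 host=WS01 ParentImage=C:\\Users\\Public\\unknown_payload.exe "
    "Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "2021-07-01T10:16:45 host=WS01 ParentImage=C:\\Users\\Public\\unknown_payload.exe "
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic shadowcopy delete",
    "2021-07-01T10:16:46 host=WS01 ParentImage=C:\\Users\\Public\\unknown_payload.exe "
    "Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled No",
    "2021-07-01T10:20:00 host=WS01 ParentImage=C:\\Windows\\System32\\services.exe "
    "Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe List Shadows",
]

# Each field value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Command-line patterns that destroy or disable recovery options. Listing or
# creating shadow copies is deliberately NOT matched, to keep admin noise down.
RECOVERY_INHIBITION_RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_storage_resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]


def parse_event(line):
    """Split one flattened event into a dict; the leading token is the timestamp."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = datetime.fromisoformat(timestamp)
    return fields


def evaluate(events):
    """Return one alert per event whose CommandLine matches a recovery-inhibition rule."""
    alerts = []
    for raw in events:
        ev = parse_event(raw)
        cmd = ev.get("CommandLine", "")
        for rule_name, pattern in RECOVERY_INHIBITION_RULES:
            if pattern.search(cmd):
                alerts.append({
                    "rule": rule_name,
                    "host": ev.get("host", ""),
                    "parent": ev.get("ParentImage", ""),
                    "time": ev["timestamp"],
                    "command": cmd,
                })
                break  # one alert per event is enough
    return alerts


def correlate(alerts, window_seconds=120, threshold=2):
    """Group alerts by (host, parent process); several distinct recovery-inhibition
    commands from one parent inside a short window is the pre-encryption pattern."""
    by_parent = defaultdict(list)
    for alert in alerts:
        by_parent[(alert["host"], alert["parent"])].append(alert)
    incidents = []
    for (host, parent), hits in by_parent.items():
        hits.sort(key=lambda a: a["time"])
        span = (hits[-1]["time"] - hits[0]["time"]).total_seconds()
        if len(hits) >= threshold and span <= window_seconds:
            incidents.append({
                "host": host,
                "parent": parent,
                "count": len(hits),
                "rules": sorted({h["rule"] for h in hits}),
                "first_seen": hits[0]["time"].isoformat(),
            })
    return incidents


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert['rule']}] {alert['host']} {alert['parent']} -> {alert['command']}")
    for incident in correlate(found):
        print("INCIDENT:", incident)
```

The per-event rules alone will fire on legitimate administration from time to time; the correlation step is what turns them into something worth paging on, because backup software and administrators rarely delete shadow copies, disable Windows recovery and purge the backup catalog from the same unfamiliar parent process within two minutes.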

What are the similarities between Diavol and other Ransom Attacks?

The investigators also examined Diavol to find any similarities with other ransomware families such as Conti and Egregor. The command-line arguments used by Diavol are somewhat similar to those of Conti. Both Conti and Diavol also operate with synchronous I/O operations while encrypting files. Researchers also suspected links with Egregor ransomware.

However, the threat actors could have introduced these similarities deliberately to confuse security experts.


Diavol is said to have been deployed in the wild in only one incident to date. The source of the intrusion remains unknown. The parameters used by the threat actor, along with the bugs in the hardcoded configuration, suggest that Diavol is a new tool in the operation’s arsenal. What is clear, though, is that the payload’s source code shares similarities with that of Conti, even as its ransom note has been found to reuse some of the language of the Egregor ransom note. As the attack progressed, more Conti payloads named loacker.exe were found in the network, strengthening the likelihood that the attacker is indeed Wizard Spider.

Wizard Spider’s shifting ransomware effort also coincides with “new developments to the TrickBot webinject module,” as detailed by the Kryptos Logic Threat Intelligence team, highlighting that the financially motivated cybercrime group is still actively retooling its Trojan arsenal.

“TrickBot has come back with their bank fraud module, which has been modified to support Zeus-style webinjects,” cybersecurity researcher Marcus Hutchins tweeted. “This could suggest that they are resuming their bank fraud operation, and plan to expand access to those unfamiliar with their internal webinject format.”
