{"id":2423,"date":"2021-07-07T18:55:15","date_gmt":"2021-07-07T13:25:15","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2423"},"modified":"2021-07-07T18:55:17","modified_gmt":"2021-07-07T13:25:17","slug":"alert-new-ransomware-by-trickbot-botnet-found-called-diavol","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/","title":{"rendered":"Alert! New Ransomware by TrickBot Botnet Found Called Diavol"},"content":{"rendered":"\n
According to the latest researches, the attackers behind disgraceful TrickBot Trojan have been planned to a new ransomware strain named \u201cDiavol.\u201d<\/p><\/p>\n\n\n\n
Both the ransomware Diavol and Conti payloads were set up on distinct systems in a case of an unsuccessful attack pointing one of its customers earlier this month, investigators from Fortinet\u2019s FortiGuard Labs said.<\/p><\/p>\n\n\n\n
TrickBot, a banking malware first discovered in 2016, has been commonly a Windows-based crimeware solution, employing various modules to execute a broad amount of malicious activities on the targeted network, consisting up of credential hijacking and conduct ransomware attacks.<\/p><\/p>\n\n\n\n
Besides attempts by law enforcement to compensate for the bot network, the ever-evolving malware has shown to be a strong threat, what with the Russia-based operators aka \u201cWizard Spider\u201d \u2013 quickly adapting new tools to carry out further attacks.<\/p><\/p>\n\n\n\n
Our experts said, \u201cAs part of a rather specific encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm.\u201d Commonly, ransomware attacker\u2019s main intent to complete the encryption operation in the shortest amount of time. Asymmetric Encryption Algorithms are not the absolute choice as they are significantly gradual than symmetric algorithms.<\/p><\/p>\n\n\n\n
Another element of the ransomware that comes out is its dependency on the anti-assessment tactics to jumble the code in the form of bitmap images, from where the procedures are loaded into a bulk with run permissions.<\/p><\/p>\n\n\n\n
Preceding locking the files and changing the desktop wallpaper with the ransom message, a few of the major functions are carried out by Diavol includes registering the victim device with a remote server, terminating running progress, searching for local drives and files in the system to encode, and avoiding recovery by removing shadow copies.<\/p><\/p>\n\n\n\n
How this New Variant \u201cDiavol\u201d Spreads?<\/strong><\/h2>\n\n\n\n
Investigators stated that Diavol takes advantage of Asynchronous Procedure Calls (APCs) as mentioned above with the unique encode process. The Diavol ransomware drops a ransom message in every folder it encrypts. While Diavol does not utilize any techniques to escape security detections, researchers found the anti-analysis tactics used by this group to disguise its code.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
Attack Flow of Diavol<\/strong><\/h4>\n\n\n\n
First, it generates ID on the targeted machine<\/li>
After it initializes configuration<\/li>
Then Initiate C&C transmission<\/li>
Kill system processes<\/li>
Initialize encryption key<\/li>
Find drives<\/li>
Go through the files<\/li>
Encrypt the files<\/li>
Change desktop wallpaper or drop a ransom message<\/li><\/ul>\n\n\n\n
What are the similarities between Diavol and other Ransom Attacks?<\/strong><\/h2>\n\n\n\n
The investigators also examine Diavol ransomware to find any similarities with other ransomware attacks like Conti and Egregor ransomware. The command lines used by Diavol are somewhat similar to those of Conti ransomware. Whereas, Conti and Diavol ransomware operate with synchronous I\/O operations while encrypting the files. Researchers also suspected links with Egregor ransomware.<\/p><\/p>\n\n\n\n
However, threat actors could have utilized these similarities on aimed to confuse the security experts.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
Diavol is said to have been set up in the untamed in one incident to date. The source of such interference is remained unknown till now. The parameters used by the threat actor, along with the bugs in the hardcoded configuration, hint at the fact that the Diavol is the new tool in the arsenal of the operation. What\u2019s clarify, though is that the payload\u2019s source code contributes similarities with that of Conti, even as its ransom note has been found to reuse some of the languages from Egregor ransomware. As the attacks grew up we find more Conti payloads named loacker.exe in the network, strengthening the probability the attacker is indeed a Wizard spider.<\/p><\/p>\n\n\n\n
Wizard Spider\u2019s amorphous ransomware effort also concurs with \u201cnew development to the TrickBot webinject module,\u201d as detailed by the Kryptos Logic Threat Intelligence team, highlighting that the financially motivated cybercrime group is still active retooling it’s Trojan arsenal.<\/p><\/p>\n\n\n\n
\u201cTrickBot has come back with their bank fraud module, which has been modified to support Zeus-style webinjects.\u201d Cybersecurity investigator Marcus Hutchins tweeted. \u201cThis could advices that they are resuming their bank fraud operation, and plan to expand access to those unfamiliar with their internal webineject format.\u201d<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
According to the latest researches, the attackers behind disgraceful TrickBot Trojan have been planned to a new ransomware strain named \u201cDiavol.\u201d Both the ransomware Diavol and Conti payloads were set up on distinct systems in a case of an unsuccessful attack pointing one of its customers earlier this month, investigators from Fortinet\u2019s FortiGuard Labs said. […]<\/p>\n","protected":false},"author":2,"featured_media":2425,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"yoast_head":"\n
Alert! New Ransomware by TrickBot Botnet Found Called Diavol - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Alert! New Ransomware by TrickBot Botnet Found Called Diavol - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"According to the latest researches, the attackers behind disgraceful TrickBot Trojan have been planned to a new ransomware strain named \u201cDiavol.\u201d Both the ransomware Diavol and Conti payloads were set up on distinct systems in a case of an unsuccessful attack pointing one of its customers earlier this month, investigators from Fortinet\u2019s FortiGuard Labs said. […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-07T13:25:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-07T13:25:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Alert-New-Ransomware-by-TrickBot-Botnet-Found-Called-Diavol-featured-image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Alert! New Ransomware by TrickBot Botnet Found Called Diavol\",\"datePublished\":\"2021-07-07T13:25:15+00:00\",\"dateModified\":\"2021-07-07T13:25:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/\"},\"wordCount\":678,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/\",\"url\":\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/\",\"name\":\"Alert! New Ransomware by TrickBot Botnet Found Called Diavol - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-07-07T13:25:15+00:00\",\"dateModified\":\"2021-07-07T13:25:17+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Alert! New Ransomware by TrickBot Botnet Found Called Diavol\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Alert! New Ransomware by TrickBot Botnet Found Called Diavol - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/","og_locale":"en_US","og_type":"article","og_title":"Alert! New Ransomware by TrickBot Botnet Found Called Diavol - Xiarch Solutions Private Limited","og_description":"According to the latest researches, the attackers behind disgraceful TrickBot Trojan have been planned to a new ransomware strain named \u201cDiavol.\u201d Both the ransomware Diavol and Conti payloads were set up on distinct systems in a case of an unsuccessful attack pointing one of its customers earlier this month, investigators from Fortinet\u2019s FortiGuard Labs said. […]","og_url":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-07-07T13:25:15+00:00","article_modified_time":"2021-07-07T13:25:17+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Alert-New-Ransomware-by-TrickBot-Botnet-Found-Called-Diavol-featured-image.png","type":"image\/png"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"Alert! New Ransomware by TrickBot Botnet Found Called Diavol","datePublished":"2021-07-07T13:25:15+00:00","dateModified":"2021-07-07T13:25:17+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/"},"wordCount":678,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Breaches"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/","url":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/","name":"Alert! New Ransomware by TrickBot Botnet Found Called Diavol - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-07-07T13:25:15+00:00","dateModified":"2021-07-07T13:25:17+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/alert-new-ransomware-by-trickbot-botnet-found-called-diavol\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Alert! New Ransomware by TrickBot Botnet Found Called Diavol"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2423"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2423"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2423\/revisions"}],"predecessor-version":[{"id":2428,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2423\/revisions\/2428"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2425"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Alert-New-Ransomware-by-TrickBot-Botnet-Found-Called-Diavol-image1\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Alert-New-Ransomware-by-TrickBot-Botnet-Found-Called-Diavol-image2.jpg\")
<\/figure><\/div>\n\n\n\n![\"Alert-New-Ransomware-by-TrickBot-Botnet-Found-Called-Diavol-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Alert-New-Ransomware-by-TrickBot-Botnet-Found-Called-Diavol-image.jpg\")
<\/figure><\/div>\n\n\n\n