[BreachExchange] Researchers Find New Evidence Linking Diavol Ransomware to TrickBot Gang

Thu Aug 19 11:27:14 EDT 2021

https://thehackernews.com/2021/08/researchers-find-new-evidence-linking.html

Cybersecurity researchers have disclosed details about an early development
version of a nascent ransomware strain called Diavol that has been linked
to threat actors behind the infamous TrickBot syndicate.

The latest findings from IBM X-Force show that the ransomware sample shares
similarities to other malware that has been attributed to the cybercrime
gang, thus establishing a clearer connection between the two.

In early July, Fortinet revealed specifics of an unsuccessful ransomware
attack involving Diavol payload targeting one of its customers,
highlighting the payload's source code overlaps with that of Conti and its
technique of reusing some language from Egregor ransomware in its ransom
note.

"As part of a rather unique encryption procedure, Diavol operates using
user-mode Asynchronous Procedure Calls (APCs) without a symmetric
encryption algorithm," Fortinet researchers previously said. "Usually,
ransomware authors aim to complete the encryption operation in the shortest
amount of time. Asymmetric encryption algorithms are not the obvious choice
as they [are] significantly slower than symmetric algorithms."

Now an assessment of an earlier sample of Diavol — compiled on March 5,
2020, and submitted to VirusTotal on January 27, 2021 — has revealed
insights into the malware's development process, with the source code
capable of terminating arbitrary processes and prioritizing file types to
encrypt based on a pre-configured list of extensions defined by the
attacker.

What's more, the initial execution of the ransomware leads to it collecting
system information, which is used to generate a unique identifier that's
nearly identical to the Bot ID generated by TrickBot malware, except for
the addition of the Windows username field.

Diavol's links to TrickBot also boil down to the fact that HTTP headers
used for command-and-control (C2) communication are set to prefer Russian
language content, which matches the language used by the operators.

A point of similarity between the two ransomware samples concerns the
registration process, where the victim machine uses the identifier created
in the previous step to register itself with a remote server. "This
registration to the botnet is nearly identical in both samples analyzed,"
IBM Security's Charlotte Hammond and Chris Caridi said. "The primary
difference is the registration URL changing from
https://[server_address]/bots/register
to https://[server_address]/BnpOnspQwtjCA/register."

But unlike the fully functional variant, the development sample not only
has its file enumeration and encryption functions left unfinished, it also
directly encrypts files with the extension ".lock64" as they are
encountered, instead of relying on asynchronous procedure calls. A second
deviation detected by IBM is that the original file is not deleted post
encryption, thus obviating the need for a decryption key.

Another clue tying the malware to the Russian threat actors is the code for
checking the language on the infected system to filter out victims in
Russia or the Commonwealth of Independent States (CIS) region, a known
tactic adopted by the TrickBot group.

"Collaboration between cybercrime groups, affiliate programs and code reuse
are all parts of a growing ransomware economy," the researchers said. "The
Diavol code is relatively new in the cybercrime area, and less infamous
than Ryuk or Conti, but it likely shares ties to the same operators and
blackhat coders behind the scenes."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210819/059bdca1/attachment.html>