Researchers have revealed new details about a new ransomware strain called Diavol that appear to link it to the operators of the notorious TrickBot malware.
IBM X-Force’s latest findings reveal that the ransomware sample is similar to other malware that has been used by the cybercrime gang behind TrickBot. Researchers noted that the malware relies on a peculiar method called Asynchronous Procedure Calls:
“As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm,” Fortinet researchers previously said. “Usually, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice as they [are] significantly slower than symmetric algorithms.”
Researchers also noted that the ransomware collects system information and uses it to generate a unique identifier, and that this identifier is almost identical to the Bot ID generated by the TrickBot malware.
In addition, IBM X-Force noticed that the HTTP headers used for C2 communication are set to prefer the Russian language, which is the language of the malware's operators.
Another point of similarity between Diavol and TrickBot is the registration process, in which the bot uses this unique identifier to register itself with a remote server.
“This registration to the botnet is nearly identical in both samples analyzed,” IBM Security’s Charlotte Hammond and Chris Caridi said. “The primary difference is the registration URL changing from https://[server_address]/bots/register to https://[server_address]/BnpOnspQwtjCA/register.”
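A defender's view of the two network-side indicators above (the registration paths quoted by IBM and the Russian-preferring HTTP header) as an added example that is not part of the original article or the IBM report: a small scanner over constructed proxy log lines. It assumes the Russian preference is expressed in the Accept-Language header and that the log format is the one defined in the code; both are assumptions, not facts from the page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Registration URL paths quoted in the article; the server address varies per sample.
DIAVOL_REGISTER_PATHS = {"/bots/register", "/BnpOnspQwtjCA/register"}

# Assumption: the Russian-preferring header is Accept-Language. Russian as the
# first (highest-priority) tag is treated only as corroborating evidence.
RU_FIRST_RE = re.compile(r"^\s*ru(-[A-Za-z]{2})?(\s*[,;]|$)", re.IGNORECASE)

# Constructed proxy log format (hypothetical): ts src method url "accept-language" status
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<lang>[^"]*)" (?P<status>\d{3})$'
)

@dataclass
class Hit:
    ts: str
    src: str
    url: str
    reasons: tuple

def classify(line: str):
    """Return a Hit when the line shows a Diavol-style bot registration, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["url"]).path
    if path not in DIAVOL_REGISTER_PATHS:
        return None  # a Russian Accept-Language alone is far too common to alert on
    reasons = ["registration path " + path]
    if RU_FIRST_RE.match(m["lang"]):
        reasons.append("Accept-Language prefers Russian")
    return Hit(m["ts"], m["src"], m["url"], tuple(reasons))

def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [h for h in (classify(line) for line in lines) if h]

# Constructed sample traffic (not real captures); hosts are documentation addresses.
SAMPLE_LOG = [
    '2021-07-15T10:01:02Z 10.0.0.7 POST https://203.0.113.10/BnpOnspQwtjCA/register "ru-RU,ru;q=0.9,en-US;q=0.8" 200',
    '2021-07-15T10:01:05Z 10.0.0.9 GET https://example.com/index.html "en-US,en;q=0.9" 200',
    '2021-07-15T10:02:11Z 10.0.0.12 POST https://198.51.100.5/bots/register "en-US,en;q=0.9" 200',
    '2021-07-15T10:03:30Z 10.0.0.15 GET https://example.org/news "ru-RU,ru;q=0.9" 200',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the registration path raises an alert; the language header is attached as a second reason so an analyst sees both signals together.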
Insights into the malware's development process also gave researchers clues about its authors. In an assessment of an earlier Diavol sample compiled on March 5, 2020, researchers noted that this development sample left some features unfinished, including its file enumeration and encryption routines. It also appended the .lock64 extension to encrypted files and did not yet use asynchronous procedure calls.
Another clue linking the Russian threat actors to the malware is the code used to check the infected system’s language and to filter out victims in Russia or the Commonwealth of Independent States (CIS) region. This is a tactic regularly used by the TrickBot group.
“Collaboration between cybercrime groups, affiliate programs and code reuse are all parts of a growing ransomware economy,” the researchers concluded. “The Diavol code is relatively new in the cybercrime area, and less infamous than Ryuk or Conti, but it likely shares ties to the same operators and blackhat coders behind the scenes.”