The cybercriminals behind the infamous TrickBot malware have been linked to a new ransomware strain called Diavol.
According to the researchers from Fortinet’s FortiGuard Labs, Diavol and Conti ransomware payloads were deployed on different systems in a case of an unsuccessful attack targeting one of its customers earlier this month.
The TrickBot banking Trojan is a Windows-based crimeware solution that employs different modules to perform a wide range of malicious activities on target networks, including credential theft and the deployment of ransomware.
The ever-evolving malware has proven to be a resilient threat, with the Russia-based operators dubbed “Wizard Spider” adapting new tools to carry out further attacks.
Diavol is believed to have been deployed in the wild in one incident to date. Even though the source of intrusion is not known, it is clear that the payload’s source code shares similarities with that of Conti, even as its ransom note has been found to reuse some language from Egregor ransomware.
The researchers stated that Diavol operates using user-mode Asynchronous Procedure Calls (APCs) and does not use a symmetric encryption algorithm at all. That is an unusual choice: ransomware developers usually aim to complete the encryption operation in the shortest possible time, and asymmetric encryption algorithms are significantly slower than symmetric ones.
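The speed gap the researchers point to can be measured directly. The following Go program is an added example for this article, not code from Fortinet or from the malware itself: it encrypts the same random buffer once with AES-256-GCM (one call) and once by pushing every 190-byte chunk through RSA-2048-OAEP with no symmetric cipher involved, times only the encryption step of each, and checks that both ciphertexts decrypt back to the original bytes. The key sizes, buffer size and chunking are assumptions chosen for the illustration and say nothing about Diavol's actual keys or implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Comparison records how long each scheme needed to encrypt the same buffer
// and whether both ciphertexts decrypted back to the original bytes.
type Comparison struct {
	PlaintextBytes    int
	SymmetricElapsed  time.Duration // AES-256-GCM, a single Seal call
	AsymmetricElapsed time.Duration // RSA-2048-OAEP, one operation per chunk
	RSAOperations     int           // number of RSA encryptions the buffer needed
	RoundTripOK       bool
}

// oaepMaxChunk is the largest plaintext one RSA-OAEP operation can carry:
// modulus bytes minus 2*hash length minus 2 (RFC 8017, section 7.1.1).
// For a 2048-bit key with SHA-256 that is 256 - 64 - 2 = 190 bytes.
func oaepMaxChunk(pub *rsa.PublicKey) int { return pub.Size() - 2*sha256.Size - 2 }

// newGCM builds an AES-GCM AEAD from a 32-byte key (assumed key size for this demo).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSymmetric seals buf under a fresh random key and nonce in one call.
func encryptSymmetric(buf []byte) (key, nonce, ct []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, nil, err
	}
	return key, nonce, gcm.Seal(nil, nonce, buf, nil), nil
}

// encryptAsymmetricOnly pushes the whole buffer through RSA-OAEP, one
// public-key operation per chunk, with no symmetric cipher at all.
func encryptAsymmetricOnly(pub *rsa.PublicKey, buf []byte) ([][]byte, error) {
	step := oaepMaxChunk(pub)
	var chunks [][]byte
	for off := 0; off < len(buf); off += step {
		end := off + step
		if end > len(buf) {
			end = len(buf)
		}
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[off:end], nil)
		if err != nil {
			return nil, err
		}
		chunks = append(chunks, ct)
	}
	return chunks, nil
}

// CompareSchemes encrypts n random bytes both ways, times only the encryption
// step of each, then decrypts both results to confirm they are recoverable.
func CompareSchemes(n int) (Comparison, error) {
	c := Comparison{PlaintextBytes: n}
	plain := make([]byte, n) // constructed sample input: random bytes
	if _, err := rand.Read(plain); err != nil {
		return c, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return c, err
	}
	start := time.Now()
	key, nonce, symCT, err := encryptSymmetric(plain)
	c.SymmetricElapsed = time.Since(start)
	if err != nil {
		return c, err
	}
	start = time.Now()
	chunks, err := encryptAsymmetricOnly(&priv.PublicKey, plain)
	c.AsymmetricElapsed = time.Since(start)
	if err != nil {
		return c, err
	}
	c.RSAOperations = len(chunks)
	// Round-trip both ciphertexts so the timing compares working encryption.
	gcm, err := newGCM(key)
	if err != nil {
		return c, err
	}
	symPT, err := gcm.Open(nil, nonce, symCT, nil)
	if err != nil {
		return c, err
	}
	var asymPT bytes.Buffer
	for _, ct := range chunks {
		pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
		if err != nil {
			return c, err
		}
		asymPT.Write(pt)
	}
	c.RoundTripOK = bytes.Equal(symPT, plain) && bytes.Equal(asymPT.Bytes(), plain)
	return c, nil
}

func main() {
	c, err := CompareSchemes(64 * 1024)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes: AES-256-GCM %v, RSA-2048-OAEP %v over %d operations (%.0fx slower), roundtrip ok=%v\n",
		c.PlaintextBytes, c.SymmetricElapsed, c.AsymmetricElapsed, c.RSAOperations,
		float64(c.AsymmetricElapsed)/float64(c.SymmetricElapsed), c.RoundTripOK)
}
```

The asymmetric path needs hundreds of public-key operations for a buffer that AES-GCM handles in one call, and every one of those operations must be reversed with the far slower private-key operation at decryption time; that is the cost the article's observation about Diavol refers to, and why a pure-asymmetric design stands out to analysts.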
Another aspect of the ransomware is its reliance on an anti-analysis technique that stores its code obfuscated as bitmap images, from which the routines are loaded into a buffer with execute permissions.
Before locking files and changing the desktop wallpaper with a ransom message, Diavol performs other functions such as registering the victim device with a remote server, terminating running processes, finding local drives and files in the system to encrypt, and preventing recovery by deleting shadow copies.
Wizard Spider’s developing ransomware effort also coincides with “new developments to the TrickBot webinject module,” as detailed by Kryptos Logic Threat Intelligence team, indicating that the group is still actively retooling its malware arsenal.