Cybersecurity researchers have disclosed details about an early development version of a nascent ransomware strain called Diavol that has been linked to threat actors behind the infamous TrickBot syndicate.
The latest findings from IBM X-Force show that the ransomware sample shares similarities to other malware that has been attributed to the cybercrime gang, thus establishing a clearer connection between the two.
In early July, Fortinet revealed specifics of an unsuccessful ransomware attack involving Diavol payload targeting one of its customers, highlighting the payload’s source code overlaps with that of Conti and its technique of reusing some language from Egregor ransomware in its ransom note.
“As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm,” Fortinet researchers previously said. “Usually, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice as they [are] significantly slower than symmetric algorithms.”
Now an assessment of an earlier sample of Diavol — compiled on March 5, 2020, and submitted to VirusTotal on January 27, 2021 — has revealed insights into the malware’s development process, with the source code capable of terminating arbitrary processes and prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker.
What’s more, the initial execution of the ransomware leads to it collecting system information, which is used to generate a unique identifier that’s nearly identical to the Bot ID generated by TrickBot malware, except for the addition of the Windows username field.
Diavol’s links to TrickBot also boil down to the fact that HTTP headers used for command-and-control (C2) communication are set to prefer Russian language content, which matches the language used by the operators.
A point of similarity between the two ransomware samples concerns the registration process, where the victim machine uses the identifier created in the previous step to register itself with a remote server. “This registration to the botnet is nearly identical in both samples analyzed,” IBM Security’s Charlotte Hammond and Chris Caridi said. “The primary difference is the registration URL changing from https://[server_address]/bots/register to https://[server_address]/BnpOnspQwtjCA/register.”
But unlike the fully functional variant, the development sample not only has its file enumeration and encryption functions left unfinished, it also directly encrypts files with the extension “.lock64” as they are encountered, instead of relying on asynchronous procedure calls. A second deviation detected by IBM is that the original file is not deleted post encryption, thus obviating the need for a decryption key.
Another clue tying the malware to the Russian threat actors is the code for checking the language on the infected system to filter out victims in Russia or the Commonwealth of Independent States (CIS) region, a known tactic adopted by the TrickBot group.
“Collaboration between cybercrime groups, affiliate programs and code reuse are all parts of a growing ransomware economy,” the researchers said. “The Diavol code is relatively new in the cybercrime area, and less infamous than Ryuk or Conti, but it likely shares ties to the same operators and blackhat coders behind the scenes.”