TrickBot botnet deploying a new Diavol ransomware

The creators of the notorious TrickBot ransomware have been linked to a new ransomware outbreak known as Diavol.

 

Diavol and Conti ransomware payloads were distributed on different systems in a case of a failed attempt targeting one of Fortinet’s customers earlier this month, according to experts from FortiGuard Labs.

 

Banking through TrickBot Trojan is a Windows-based crimeware solution that uses many modules to carry out a variety of malicious activities on target networks, such as credential theft and ransomware operations.

 

The virus has proven to be a durable danger, with Russia-based operators known as “Wizard Spider” inventing new tools to carry out more operations.

 

To date, Diavol is known to have only been used in one case in the wild.

 

Despite the fact that the origins of the invasion are unknown, it is evident that the payload’s source code is similar to that of Conti, and its ransom note contains some terminology from the Egregor ransomware.

 

Diavol, according to the researchers, uses user-mode Asynchronous Procedure Calls (APCs) instead of a symmetric encryption technique.

 

Typically, ransomware creators strive to complete the encryption process in the quickest time possible.

 

In comparison to symmetric encryption techniques, asymmetric encryption algorithms are much slower.

 

Another feature of the ransomware is that it uses an anti-analysis approach to hide its code in the form of bitmap images, which are then loaded into a buffer with execute capabilities.

 

Diavol performs other functions such as registering the victim device with a remote server, terminating running processes, finding local drives and files in the system to encrypt, and preventing recovery by deleting shadow copies before locking files and changing the desktop wallpaper with a ransom message.

 

 

 

Trickbot, diavol ransomware

 

 

 

According to the Kryptos Logic Threat Intelligence team, Wizard Spider’s expanding ransomware endeavor corresponds with “new enhancements to the TrickBot webinject module,” showing that the gang is still aggressively retooling its malware arsenal.

 

 

Also read: 

 

Latvian woman charged for developing trickbot banking malware

Bizarro banking malware attacks South American and European Banks

Android banking malware-Teabot exploited in the wild