SpearTip Finds New Diavol Ransomware Does Steal Data | xxxSpearTip Finds New Diavol Ransomware Does Steal Data – xxx
菜单

SpearTip Finds New Diavol Ransomware Does Steal Data

七月 15, 2021 - SecurityAffairs

Security researchers have linked a new ransomware strain called Diavol to the Wizard Spider threat group behind the Trickbot botnet.

BleepingComputer noted the ransomware families utilize the same I/O operations for file encryption queueing and use nearly identical command-line parameters for the same functionality.

There may be some similarities, but as they’ve explained and SpearTip has validated, there are two interesting differences that make the direct connection improbable.

Location Checks

Diavol ransomware does not prevent their payloads from running on Russian targets by doing a locale check. This is notable because most ransomware will avoid Russian systems.

Data Exfiltration

FortiGuard Labs explains in their analysis of Diavol that, “According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities.”

After SpearTip’s engineers conducted further investigations, the Diavol ransomware group does appear to be stealing data. Despite the absence of this capability in the ransomware executable, the group leverages tactics that enable the exfiltration of data from an environment that are particularly evasive.

SpearTip Analysis

The Diavol ransomware group uses an HTTP beacon for Cobalt Strike, which appears to be utilized to facilitate the data exfiltration. The beacon was named sysr.dll and was stored in a folder created by the threat actors. This network communication is exceptionally difficult to detect as well as the technique used by the beacon to inject into memory. It has been confirmed by SpearTip that the beacon had files removed and exfiltrated.

The image below shows the beacon running through a sandbox.

SpearTip Finds New Diavol Ransomware Does Steal Data

Through threat actor communication, SpearTip engineers confirmed that the Diavol group stole data and provided proof of data that was exfiltrated from several organizations. When our engineers investigated, we observed the utilization of the evasive Cobalt Strike’s HTTPS Beacon, which can be used to exfiltrate data.

The former Trickbot operators, previously target by law enforcement actions, have proven resilient and have integrated themselves into different ransomware groups over the past few years. Seeing traces of their activity and techniques within another ransomware group isn’t surprising. When assessing data exfiltration, it is always important to conduct a comprehensive investigation and to understand the evolution of the group tactics. These associations ensure accurate forensic reporting.

Original post @ https://www.speartip.com/resources/speartip-finds-new-diavol-ransomware-does-steal-data/

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)


Share On

SpearTip Finds New Diavol Ransomware Does Steal Data
Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.

Security researchers have linked a new ransomware strain called Diavol to the Wizard Spider threat group behind the Trickbot botnet.

BleepingComputer noted the ransomware families utilize the same I/O operations for file encryption queueing and use nearly identical command-line parameters for the same functionality.

There may be some similarities, but as they’ve explained and SpearTip has validated, there are two interesting differences that make the direct connection improbable.

Location Checks

Diavol ransomware does not prevent their payloads from running on Russian targets by doing a locale check. This is notable because most ransomware will avoid Russian systems.

Data Exfiltration

FortiGuard Labs explains in their analysis of Diavol that, “According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities.”

After SpearTip’s engineers conducted further investigations, the Diavol ransomware group does appear to be stealing data. Despite the absence of this capability in the ransomware executable, the group leverages tactics that enable the exfiltration of data from an environment that are particularly evasive.

SpearTip Analysis

The Diavol ransomware group uses an HTTP beacon for Cobalt Strike, which appears to be utilized to facilitate the data exfiltration. The beacon was named sysr.dll and was stored in a folder created by the threat actors. This network communication is exceptionally difficult to detect as well as the technique used by the beacon to inject into memory. It has been confirmed by SpearTip that the beacon had files removed and exfiltrated.

The image below shows the beacon running through a sandbox.

SpearTip Finds New Diavol Ransomware Does Steal Data

Through threat actor communication, SpearTip engineers confirmed that the Diavol group stole data and provided proof of data that was exfiltrated from several organizations. When our engineers investigated, we observed the utilization of the evasive Cobalt Strike’s HTTPS Beacon, which can be used to exfiltrate data.

The former Trickbot operators, previously target by law enforcement actions, have proven resilient and have integrated themselves into different ransomware groups over the past few years. Seeing traces of their activity and techniques within another ransomware group isn’t surprising. When assessing data exfiltration, it is always important to conduct a comprehensive investigation and to understand the evolution of the group tactics. These associations ensure accurate forensic reporting.

Original post @ https://www.speartip.com/resources/speartip-finds-new-diavol-ransomware-does-steal-data/

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

Share this…
SpearTip Finds New Diavol Ransomware Does Steal Data

Facebook

SpearTip Finds New Diavol Ransomware Does Steal Data

Twitter

SpearTip Finds New Diavol Ransomware Does Steal Data

Linkedin

Share this:


Share On


Notice: Undefined variable: canUpdate in /var/www/html/wordpress/wp-content/plugins/wp-autopost-pro/wp-autopost-function.php on line 51