[MART] - Daily Diary #329 - Another Evidence Links Diavol to Trickbot

CTAS-MAT ctas-mat at appgate.com
Wed Aug 18 21:52:17 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

08/18/2021 - Diary entry #329:


Covered in our Daily Diary #299, Diavol is a new ransomware strain being deployed by Trickbot on the same network as Conti ransomware, on different systems in the same attack. Diavol's focus is to encrypt files using an RSA encryption algorithm, prioritizing which file types to encrypt based on a pre-configured list of extensions.


Now, a different and older sample has been discovered that has many similarities with the first one. The main difference is that this sample looks more like a development version, probably used for testing. Analysis showed that it encrypts files using an RSA encryption key, and it can terminate processes and services and wipe files.


On its initial execution, it gathers information about the infected machine and generates a Bot ID in a specific format, almost identical to the one used by the Trickbot malware. The Bot ID and Campaign ID can help threat actors track the success of a campaign across different affiliates and multiple targets. Therefore, this specific Bot ID formatting and the malware's functionality are strong evidence linking it to the group responsible for the initial deployment: Trickbot, developed by the Russian APT group Wizard Spider.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
