研究者はTrickBot開発者をDiavolランサムウェアとリンクさせました

ヘルガ・スミス七月 5, 2021最終更新: 七月 5, 2021

32 2 分を読んだ

Fortinet specialists published a 報告, in which they argue that the creators of the well-known malware TrickBot (this hack group is usually called the Wizard Spider) may be involved in the development of a new Diavol ransomware.

Payloads of ransomware Diavol and Conti were deployed on various systems in early June 2021. It is noted that these ransomware are very similar and have a lot in common, from using asynchronous I/O operations during file encryption, 同じ機能にほぼ同じコマンドラインパラメータを使用する (例えば, ログの作成, ディスクとネットワークリソースの暗号化, scanning a network).

しかしながら, experts still could not find a direct connection between the Diavol ransomware and the authors of TrickBot, moreover, 彼らは多くの重要な違いを見つけました. 例えば, Diavol does not have built-in checks that prevent payload from being triggered on systems in Russia and CIS countries. さらに, the new malware does not steal data before encryption.

The parameters used by the attackers, along with errors in the hard-coded configuration, hint that Diavol is a new tool in the arsenal of its operators, to which they are not yet fully accustomed.研究者は書いています.

その間, the other day Kryptos Logic announced that it had found changes in the code of the TrickBot malware itself. 専門家によると, since June 2021, TrickBot has been launching a new module on infected machines containing an updated version of the old banking component that tries to steal e-banking login credentials.

This component has been rewritten and now includes new methods for injecting malicious code into bank websites. Experts suggest that the new code is copied from the old Zeus banker: injections work by proxying traffic through a local SOCKS server. If online banking login pages are encountered in traffic, the traffic is modified to steal credentials or perform other malicious actions. It is assumed that in this way the developers of TrickBot are trying to compete with other banking Trojans and entice some of their customers.

TrickBot is one of the largest and most successful malware threats to date. マルウェアは最初に発見されました 2015, Dyreハッキンググループの構成を大幅に変更した一連の注目を集める逮捕の直後.

長年にわたって, マルウェアは、銀行口座から資金を盗むように設計された従来のバンキング型トロイの木馬から、他の脅威を拡散する多機能ドロッパーに進化しました。 (鉱夫からランサムウェアや情報スティーラーまで).

TrickBotとDiavolランサムウェア

の秋に 2020, A large-scale operation was carried out aimed at eliminating TrickBot. 法執行機関が出席しました, MicrosoftDefenderチームのスペシャリスト, 非営利団体FS-ISAC, ESETと同様, ルーメン, NTTとSymantec.

その時, many experts フォーティネット that although Microsoft was able to disable the TrickBot infrastructure, ほとんどの場合、ボットネットは “生き延びる” そして最終的には、そのオペレーターは新しい制御サーバーを運用し、活動を継続します. 不運にも, this is exactly what happened.

私もその事実について話したことを思い出させてください MountLocker ランサムウェアは Windows API を使用してネットワークをナビゲートします.

タグ