Researchers linked TrickBot developers with Diavol ransomware

Fortinet specialists published a รายงาน, in which they argue that the creators of the well-known malware TrickBot (this hack group is usually called the Wizard Spider) may be involved in the development of a new Diavol ransomware.

Payloads of ransomware Diavol and Conti were deployed on various systems in early June 2021. It is noted that these ransomware are very similar and have a lot in common, from using asynchronous I/O operations during file encryption, to using almost identical command line parameters for the same functions (ตัวอย่างเช่น, creating logs, encrypting disks and network resources, scanning a network).

อย่างไรก็ตาม, experts still could not find a direct connection between the Diavol ransomware and the authors of TrickBot, moreover, they found a number of important differences. ตัวอย่างเช่น, Diavol does not have built-in checks that prevent payload from being triggered on systems in Russia and CIS countries. อีกด้วย, the new malware does not steal data before encryption.

The parameters used by the attackers, along with errors in the hard-coded configuration, hint that Diavol is a new tool in the arsenal of its operators, to which they are not yet fully accustomed.นักวิจัยเขียน.

ในขณะเดียวกัน, the other day Kryptos Logic announced that it had found changes in the code of the TrickBot malware itself. ตามที่ผู้เชี่ยวชาญ, since June 2021, TrickBot has been launching a new module on infected machines containing an updated version of the old banking component that tries to steal e-banking login credentials.

This component has been rewritten and now includes new methods for injecting malicious code into bank websites. Experts suggest that the new code is copied from the old Zeus banker: injections work by proxying traffic through a local SOCKS server. If online banking login pages are encountered in traffic, the traffic is modified to steal credentials or perform other malicious actions. It is assumed that in this way the developers of TrickBot are trying to compete with other banking Trojans and entice some of their customers.

TrickBot is one of the largest and most successful malware threats to date. Malware was first spotted back in 2015, shortly after a series of high-profile arrests that significantly changed the composition of the Dyre hack group.

นานนับปี, malware has evolved from a classic banking Trojan designed to steal funds from bank accounts to a multifunctional dropper that spreads other threats (from miners to ransomware and info-stealers).

TrickBot and Diavol ransomware

In the fall of 2020, ก large-scale operation was carried out aimed at eliminating TrickBot. It was attended by law enforcement agencies, specialists from the Microsoft Defender team, the non-profit organization FS-ISAC, as well as ESET, Lumen, NTT and Symantec.

At that time, many experts wrote that although Microsoft was able to disable the TrickBot infrastructure, most likely the botnet willsurviveand eventually its operators will put into operation new control servers and continue their activity. น่าเสียดาย, this is exactly what happened.

Let me remind you that I also talked about the fact that MountLocker ransomware uses Windows API to navigate the network.

เฮลก้า สมิธ

ฉันสนใจวิทยาการคอมพิวเตอร์มาโดยตลอด, โดยเฉพาะความปลอดภัยของข้อมูลและธีม, ซึ่งเรียกกันในปัจจุบันว่า "วิทยาศาสตร์ข้อมูล", ตั้งแต่วัยรุ่นตอนต้นของฉัน. ก่อนจะมาอยู่ในทีมกำจัดไวรัสในตำแหน่งหัวหน้าบรรณาธิการ, ฉันทำงานเป็นผู้เชี่ยวชาญด้านความปลอดภัยทางไซเบอร์ในหลายบริษัท, รวมถึงหนึ่งในผู้รับเหมาของ Amazon. ประสบการณ์อื่น: ฉันได้สอนในมหาวิทยาลัยอาร์เดนและรีดดิ้ง.

ทิ้งคำตอบไว้

เว็บไซต์นี้ใช้ Akismet เพื่อลดสแปม. เรียนรู้วิธีประมวลผลข้อมูลความคิดเห็นของคุณ.

ปุ่มกลับไปด้านบน