Researchers link TrickBot developers to the Diavol ransomware
Fortinet specialists published a report in which they argue that the creators of the well-known TrickBot malware (the hack group usually called Wizard Spider) may be involved in the development of the new Diavol ransomware.
Payloads of the Diavol and Conti ransomware were deployed on various systems in early June 2021. It is noted that these ransomware families are very similar and have a lot in common, from using asynchronous I/O operations during file encryption to using almost identical command-line parameters for the same functions (for example, creating logs, encrypting disks and network resources, and scanning a network).
However, experts still could not find a direct connection between the Diavol ransomware and the authors of TrickBot; moreover, they found a number of important differences. For example, Diavol does not have built-in checks that prevent the payload from being triggered on systems in Russia and CIS countries. In addition, the new malware does not steal data before encryption.
Meanwhile, the other day Kryptos Logic announced that it had found changes in the code of the TrickBot malware itself. According to experts, since June 2021 TrickBot has been launching a new module on infected machines containing an updated version of the old banking component, which tries to steal e-banking login credentials.
This component has been rewritten and now includes new methods for injecting malicious code into bank websites. Experts suggest that the new code is copied from the old Zeus banker: the injections work by proxying traffic through a local SOCKS server. If online banking login pages are encountered in the traffic, the traffic is modified to steal credentials or perform other malicious actions. It is assumed that in this way the developers of TrickBot are trying to compete with other banking Trojans and lure away some of their customers.
TrickBot is one of the largest and most successful malware threats to date. The malware was first seen in 2015, shortly after a series of high-profile arrests that significantly changed the composition of the Dyre hack group.
Over the years, the malware has evolved from a classic banking Trojan designed to steal money from bank accounts into a multifunctional dropper that spreads other threats (from miners to ransomware and info-stealers).
In the fall of 2020, a large-scale operation was carried out aimed at eliminating TrickBot. Law enforcement agencies took part, as well as specialists from the Microsoft Defender team, the non-profit organization FS-ISAC, ESET, Lumen, NTT and Symantec.
At the time, many experts warned that although Microsoft was able to disable the TrickBot infrastructure, the botnet would most likely "survive" and eventually its operators would deploy new control servers and continue their activities. Unfortunately, this is exactly what happened.
Let me remind you that I also talked about the fact that the MountLocker ransomware uses the Windows API to navigate the network.