| Category | Details |
|---|---|
| Threat Actors | Likely linked to the TrickBot group (ITG23), a well-known cybercrime syndicate behind the TrickBot malware, Ryuk, and Conti. |
| Campaign Overview | Development and evolution of Diavol ransomware; observed in early testing and active versions targeting victims for encryption and botnet registration. |
| Target Regions | Indications of a preference for Russian and CIS regions in early versions; possible targeting of global victims in active versions. |
| Methodology | – Encrypts files using RSA. – Prioritizes files based on extensions. – Terminates processes and services. – Connects to C2 for botnet registration. |
| Product Targeted | Windows systems (various versions). |
| Malware Reference | Diavol ransomware (development sample MD5: e63a532d42b44ff73c1e1d4bda018657; active sample SHA256: 85ec7f5ec91adf7c104c7e116511ac5e7945bcf4a8fdecdcc581e97d8525c5ac). |
| Tools Used | TrickBot modular platform, CryptoAPI for encryption, configuration stored in the PE overlay. |
| Vulnerabilities Exploited | Exploits unsecured remote access protocols (e.g., RDP) and weak configurations to gain entry. |
| TTPs | – Encrypts files with high priority. – Terminates processes/services. – Botnet registration with unique Bot IDs. |
| Attribution | Ties to TrickBot due to similarities in botnet registration methods, HTTP header preferences, and group ID usage. |
| Recommendations | – Use offline backups stored securely. – Implement MFA on all remote access. – Employ user behavior analytics. – Limit RDP access. |
| Source | Security Intelligence |
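As an added example that is not part of the summary or the original article, the script below turns the two sample hashes from the Malware Reference row into a simple IoC sweep: it hashes every file under a directory with MD5 and SHA-256 and reports any file whose digest matches one of the listed samples. The hash values are taken verbatim from the table; the sample labels, function names and directory layout are assumptions made for this example. Exact-hash matching only catches these specific builds (any recompiled variant has a different digest), so it is a baseline check to run alongside the recommendations above, not a substitute for them.

```python
import hashlib
import os
import tempfile

# IoC hashes exactly as given in the summary table; the labels are this example's own.
DIAVOL_IOCS = {
    "md5": {
        "e63a532d42b44ff73c1e1d4bda018657": "Diavol development sample",
    },
    "sha256": {
        "85ec7f5ec91adf7c104c7e116511ac5e7945bcf4a8fdecdcc581e97d8525c5ac": "Diavol active sample",
    },
}


def digests_of_bytes(data: bytes) -> dict:
    """Return lowercase hex MD5 and SHA-256 digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file incrementally so large binaries never have to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(digests: dict, iocs: dict = DIAVOL_IOCS) -> list:
    """Return (algorithm, label) pairs for every IoC the given digests hit.

    Digests are normalised to lowercase so hashes pasted from reports in
    either case still match.
    """
    hits = []
    for algo, value in digests.items():
        label = iocs.get(algo, {}).get(value.lower())
        if label:
            hits.append((algo, label))
    return hits


def scan_directory(root: str, iocs: dict = DIAVOL_IOCS) -> list:
    """Walk a directory tree and return (path, algorithm, label) for matching files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = match_iocs(digests_of_file(path), iocs)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            for algo, label in hits:
                findings.append((path, algo, label))
    return findings


if __name__ == "__main__":
    # Constructed demo: a temporary directory holding one benign file yields no findings.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "w") as fh:
            fh.write("not malware")
        print(scan_directory(tmp))  # prints []
```

Point `scan_directory` at a download folder, a quarantine share or a mounted disk image; pair the result with the MFA, RDP-restriction and backup controls in the Recommendations row, since a hash hit tells you a known build landed but says nothing about how it got in.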
Disclaimer: The above summary has been generated by an AI language model.