Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

SpearTip Finds New Diavol Ransomware Does Steal Data

Security researchers have linked a new ransomware strain called Diavol to the Wizard Spider threat group behind the Trickbot botnet. BleepingComputer noted the ransomware families utilize the same I/O operations for file encryption queueing and use nearly identical command-line parameters for the same functionality. There may be some similarities, but as they’ve explained and SpearTip […]

Reynolds ransomware uses BYOVD to disable security before encryption ransomware

Security researchers have linked a new ransomware strain called Diavol to the Wizard Spider threat group behind the Trickbot botnet.

BleepingComputer noted the ransomware families utilize the same I/O operations for file encryption queueing and use nearly identical command-line parameters for the same functionality.

There may be some similarities, but as they’ve explained and SpearTip has validated, there are two interesting differences that make the direct connection improbable.

Location Checks

Diavol ransomware does not prevent their payloads from running on Russian targets by doing a locale check. This is notable because most ransomware will avoid Russian systems.

Data Exfiltration

FortiGuard Labs explains in their analysis of Diavol that, “According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities.”

After SpearTip’s engineers conducted further investigations, the Diavol ransomware group does appear to be stealing data. Despite the absence of this capability in the ransomware executable, the group leverages tactics that enable the exfiltration of data from an environment that are particularly evasive.

SpearTip Analysis

The Diavol ransomware group uses an HTTP beacon for Cobalt Strike, which appears to be utilized to facilitate the data exfiltration. The beacon was named sysr.dll and was stored in a folder created by the threat actors. This network communication is exceptionally difficult to detect as well as the technique used by the beacon to inject into memory. It has been confirmed by SpearTip that the beacon had files removed and exfiltrated.

The image below shows the beacon running through a sandbox.

Through threat actor communication, SpearTip engineers confirmed that the Diavol group stole data and provided proof of data that was exfiltrated from several organizations. When our engineers investigated, we observed the utilization of the evasive Cobalt Strike’s HTTPS Beacon, which can be used to exfiltrate data.

The former Trickbot operators, previously target by law enforcement actions, have proven resilient and have integrated themselves into different ransomware groups over the past few years. Seeing traces of their activity and techniques within another ransomware group isn’t surprising. When assessing data exfiltration, it is always important to conduct a comprehensive investigation and to understand the evolution of the group tactics. These associations ensure accurate forensic reporting.

Original post @ https://www.speartip.com/resources/speartip-finds-new-diavol-ransomware-does-steal-data/

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]