Recently, IBM X-Force Threat Intelligence studied different versions of the Diavol ransomware whose code configuration hinted at a possible link to the TrickBot group.
The research provides a comparison between two different versions of Diavol. One version was detected and recently analyzed by IBM X-Force and the other version was spotted by Fortinet in July.
While Fortinet discovered a full and weaponized version of the ransomware, the sample analyzed by IBM was in a development stage that was believed to be used for testing.
The ransomware sample identified by X-Force had a reported compilation date of March 5, 2020. A year later on January 27, it was submitted to VirusTotal with a filename malware[.]exe.
The compilation time and PDB paths were different between the two versions. The under-development sample was compiled on March 5, while the active sample was compiled on April 30.
Connection with TrickBot
One of the strong pieces of evidence is a Bot ID. It was in the same format as created by both TrickBot and Anchor DNS.
Additionally, TrickBot has been observed using group and campaign IDs, which are used by Diavol as well. These unique IDs are used to keep a track of multiple infection campaigns.
In the early stage, a Diavol sample’s HTTP headers for C2 communication were configured to prioritize Russian language content, which is the language used by the attackers behind TrickBot.
Moreover, a previous report claimed that Diavol did not include any language checks to stop the ransomware from running on Russian victims, another common tactic followed by the TrickBot group.
However, in the under-development sample of Diavol, there were some indications suggesting that the code for such checks could exist or may be developed in the future.
Cybercrime groups are now collaborating and sharing their infrastructure for increased success. The recently discovered connection between Diavol and Trickbot is a prime example of it. Sharing threat intelligence between organizations can be a good way to stop such threats.