
Tags: Trickbot, Diavol, ransomware


Trickbot Gang linked to new Ransomware Diavol

The Trickbot operation adds another ransomware, "Diavol", to its arsenal; the new strain runs its encryption routine through user-mode Asynchronous Procedure Calls (APCs)

06-Jul-2021
3 min read

The cybercriminals behind the notorious Trickbot malware have recently been linked to "Diavol", a new ransomware strain that has drawn considerable attention from researchers.

The new strain was first identified by security researchers at FortiGuard Labs when the company's FortiEDR product blocked it on one of its customers' systems. In early June 2021, two ransomware payloads were deployed on different systems in that environment; the attack was unsuccessful.

[Image: Diavol ransomware Tor site]

One of these payloads appeared to be [Conti ransomware](https://en.wikipedia.org/wiki/Conti_(ransomware)), while the other was entirely unknown. Researchers dubbed the unknown payload Diavol.

According to the researchers, Diavol's encryption procedure is unusual: it runs through user-mode Asynchronous Procedure Calls (APCs) and uses no symmetric encryption algorithm at all.

Because Diavol was deployed alongside Conti, the researchers were able to compare the two and found some overlap: Diavol accepts many of the same command-line parameters that Conti uses.

Researchers also noted a possible link between Diavol and Egregor ransomware, since some lines of the ransom note were reused, which hints at a connection between Wizard Spider and Twisted Spider. 'Although it is not reliable and no conclusions can be made,' they said.

[Image: Trickbot]

'The source of intrusion is still unknown,' Fortinet said. The state of the payload suggests that Diavol is still new and that even its operators are not yet entirely familiar with it.

Trickbot is a banking trojan first identified in 2016 and infamous for stealing banking details and financial credentials; its operators have since expanded it into a modular platform that reaches well beyond banking fraud. In recent years they have used it as a foothold into corporate networks, deploying Ryuk and later Conti ransomware as follow-on payloads.

Despite takedown actions against the botnet, Trickbot has persisted, continually evolving and quickly adopting new tactics to carry out further attacks.