Diavol the Enigma of Ransomware
By: Jason Reaves and Joshua Platt
Diavol ransomware was first publicly reported by Fortinet in July 2021 [1]. The posting included a technical analysis of the file that was allegedly dropped from a previous engagement in June 2021. According to the blog, the Diavol variant was found along side a Conti (v3) sample, which had also been spread during the same attack. In a follow-up article by IBM-Xforce, the researchers concluded a stronger link existed between the development of Diavol and the operators behind Trickbot malware.
While multiple samples have been found in the wild, they appear to contain development artifacts. It was clear the locker was utilized but there was no mention of a leak site and nothing had been identified publicly. After analyzing the binary, we spotted some interesting infrastructure and began to investigate. The domain name enigma-hq[.]net stood out and was associated with ‘195.123.221[.]248’. According to passive DNS records an update had occurred and enigma-hq[.]net was changed to diavol-news[.]net:
The HTML revealed a TOR mirror along with the web mirror pointing to ‘diavol-news[.]net’:
<input type="text" id="blogpostsearch-search" class="search" name="BlogPostSearch[search]" placeholder="Search"><p class="help-block help-block-error"></p><button type="submit"><i class="fa fa-search"></i></button>
</form>
</div>
</div><div class="col-md-4 search_fix">
<div class="row">
<div class="col-md-4">
<a class="pull-left" href="https://xhtnringfhbflc6d.onion" ref="noopener noreferrer">Tor mirror</a> </div>
<div class="col-md-4">
<a class="pull-center" href="https://diavol-news.net" ref="noopener noreferrer">Web mirror</a> </div>
</div>
</div>
</div>
</div>
Technical Overview
Diavol comes with an interesting assortment of code blocks onboard to accomplish various tasks:
The BITMAP objects contain the code while the JPEG objects contain the imports that need to be resolved.
The objects were previously detailed in the Fortinet blog but here is an overview from our own analysis of a recent sample:
There is two interesting pieces that we discovered from our analysis, one is that because of the way VSSMOD works you can plug and play various ways to wipe shadow copies and the other is the way file encryption works.
Shadow copies
For one of the samples we analyzed the shadow copies were wiped using WinAPI which doesn’t appear to be used very often by ransomware:
After calling CreateVssBackupComponents you can use the IVssBackupComponents class [5] which can then be leveraged to delete snapshots.
Encryption
File encryption in Diavol is interesting, it has a routine for decoding the onboard RSA public key and importing it before encrypting the key that will be used to encrypt the files. The file encryption key is 2048 bytes long and is randomly generated however the encryption is simply XORing the files in chunks of 2048:
Since the file encryption key is being used across multiple files and is simply a XOR operation we can abuse known plaintext vulnerabilities to recover files.
A = ClearText
B = EncryptedFile1
C = EncryptedFile2key = A[:2048] ^ B[:2048]
DecodedFileChunk = key[:2048] ^ C[:2048]
We can test this using files from a sandbox run [6] along with a random MSI file which has a semi static first chunk of bytes, it won’t be a clean decrypt by any means but would prove out our hypothesis:
>>> clear= open(‘a4ce1d7dfc5ab1fdee8cd0eb97d19c88a04deb8fe6b7b58413a9e2c93eb4a79d.msi’, ‘rb’).read()
>>> b = bytearray(open(‘powerpointmui.msi.lock64’, ‘rb’).read())
>>> c = open(‘sharepointdesignermui.msi.lock64’, ‘rb’).read()
>>> key= bytearray(a[:2048])
>>> for i in range(len(test)):
… test[i] ^= b[i]
…
>>> temp = bytearray(c)
>>> for i in range(len(temp)):
… temp[i] ^= test[i%len(test)]
>>> temp[:5000]
bytearray(b’\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>\x00\x03\x00\xfe\xff\t\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x03\x00\x00\x00\x06\x00\x00\x00v\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf5\x01\x00\x00\xf4\x00\x00\x00\xf3\x03\x00\x00\xf2\x00\x00\x00\xf1\x01\x00\x00\xf0\x00\x00\x00\xef\x07\x00\x00\xee\x00\x00\x00\xed\x01\x00\x00\x12\x00\x00\x00\xeb\x03\x00\x00\xea\x00\x00\x00\xe9\x01\x00\x00\xe8\x00\x00\x00\xe7\x0f\x00\x00\xe6\x00\x00\x00\xe5\x01\x00\x00\xe4\x00\x00\x00\xe3\x03\x00\x00\xe2\x00\x00\x00\xe1\x01\x00\x00\xe0\x00\x00\x00\xdf\x07\x00\x00\xde\x00\x00\x00\xdd\x01\x00\x00!\x00\x00\x00\’\xf2\xff\xff%\x00\x00\x00&\x00\x00\x00\’\x00\x00\x00(\x00\x00\x00)\x00\x00\x00*\x00\x00\x00+\x00\x00\x00,\x00\x00\x00-\x00\x00\x00.\x00\x00\x00/\x00\x00\x000\x00\x00\x001\x00\x00\x002\x00\x00\x003\x00\x00\x004\x00\x00\x005\x00\x00\x006\x00\x00\x007\x00\x00\x008\x00\x00\x009\x00\x00\x00:\x00\x00\x00;\x00\x00
<..snip..>
%\x00\x00\x00&\x00\x00\x00\’\x00\x00\x00(\x00\x00\x00)\x80\x00\x00*\x00\x00\x00+\x00\x00\x00,\x80\x00\x00-\x00\x00\x00.\x00\x01\x00/\x80\x00\x000\x00\x00\x00=\x00\x02\x01\x12\x00\x00\x007\x80\x00\x00\xcb\x7f\xff\xff5\x00\x00\x006\x00\x00\x007\x00\x00\x008\x00\x00\x009\x00\x00\x00:\x00\x00\x00\xfe\xff\xff\xff<\x00\x01\x00\xfe\x7f\xff\xff\xfe\x7f\xff\xff\xbf\x06\x00\x00@\x00\x00\x00\x01H??5\xc5lD)>\xb2D\xd1\xb7\xff\xff\xfe\xff\xff\xff\xfe\xff\xff\xffG\x00\x00\x00H\x00\x00\x00I\x00\x00\x00J\x00\x00\x00K\x00\x00\x00L\x00\x00\x00M\x00\x00\x00\xfe\xff\xff\xffO\x00\x00\x00P\x00\x00\x00\xee\xff\xfd\xfeU\x00\x00\x00\xac\xff\xff\xff\xab\xff\xff\xffU\x00\x00\x00V\x00\x00\x00W\x00\x00\x00X\x00\x00\x00Y\x00\x00\x00Z\x00\x00\x00[\x00\x00\x00\\\x00\x00\x00]\x00\x00\x00\xfb\xc7\xfc\xff\xd4_\x00\x00`\x00\x01\x00!\xc8??\x15\xc5lD\t;\xe4E@H\x00\x00e\x00\x00\x00f\x00\x00\x00g\x00\x00\x00h\x00\x00\x00i\x00\x00\x00j\x00\x00\x00k\x00\x00\x00l\x00\x00\x00m\x00\x00\x00n\x00\x00\x00o\x00\x00\x00\xfe\xff\xff\xffa\x00\x02\x00\x8d\xff\xff\xff\x01\x00\x00\x00\x8b\xff\xff\xff\xfe\xff\xff\xffv\x00\x00\x00w\x00\x00\x00x\x00\x00\x00y\x00\x00\x00z\x00\x00\x00{\x00\x00\x00|\x00\x00\x00}\x00\x00\x00E\xb7\x00\x00\x85~\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xfe\x7f\x00\x00\x04\x00\x00\x00\x88\xff\xff\xff\x03\x00\xff\xff\xff\x7f\x00\x00\x89\x00\x00\x00\xf5\x00\x00\x00\x8b\x01\x00\x00\x0c\x02\x00\x00r\x02\x00\x00\x0e\x03\x00\x00p\x03 \x00\x10\x84\xff\xff\x91\xfb\x00\x00\x12\x05\x00\x00o\x05\xff\xff\x14\xfa\x00\x00\x95\x06\x00\x00\xe9\x06\x00\x00\x97\x07\x00\x00\xe7\x07\xff\x7f\x99\x88\x00\x00\xe5\x08\x00\x00\x9b\t\xff\x7f\xe3\x89\x00\x00\x9d\n\x00\x00\xe1\n\x00\x00\x9f\x0b\x00\x00\xdf\x0b\x00\x00\xa1\x0c\x00\x00\xdd\x0c\x00\x00\\\r\x00\x00\xdb\xff\xff\xff\xda\xff\xff\xff\xd9\xff\xff\xff\xd8\xff\xff\xff\xd7\xff\xff\xff\xd6\xff\xff\xff\xd5\xff\xff\xff\xd4\xff\x00\x80\xd3\x7f\xff\xff\xd2\xff\xff\xff\xd1\xff\x00\x80\xd0\x7f\xff\xff\xcf\xff\xff\xff\xce\xff\x00\x80\xcd\x7f\xff\xff\xcc\xff\xff\xff\xcb\xff\xff\xff\xca\xff\x00\x006\x00\x00\x80\xc8\x7f\xff\xff\xc7\xff\xff\xff\xc6\xff\xff\xff\xc5\xff\xff\xff\xc4\xff\xff\xff\xc3\xff\xff\xff\xc2\xff\xff\xff\xc1\xff\xff\xff\xc0\xff\x00\x00@\x00\x00\x80\xbe\x7f\xff\xff\xbd\xff\xff\xff\xbc\xff\xff\xff\xbb\xff\x00\x00E\x00\xff\xff\xb9\xff\xff\xff\xb8\xff\xff\xff\xb7\xff\xff\xff\xb6\xff\xff\xff\xb5\xff\xff\xff\xb4\xff\xff\xff\xb3\xff\xff\xff\xb2\xff\xff\xff\xb1\xff\xff\xff\xb0\xff\xff\xff\xaf\xff\xff\xff\xae\xff\xff\xff\xad\xff\xff\xff\xac\xff\xff\xff\xab\xff\xff\xff\xaa\xff\xff\xff\xa9\xff\xff\xff\xa8\xff\xff\xff\xa7\xff\xff\xff\xa6\xff\xff\xff\xa5\xff\xff\xff\xa4\xff\xff\xff\xa3\xff\xff\xff\xa2\xff\xff\xff\xa1\xff\xff\xff\xa0\xff\xff\xff\x9f\xff\xff\xff\x9e\xff\x00\x80\x9d\x7f\xff\xff\x9c\xff\x00\x80\x9b\x7f\x00\x00e\x00\xff<..snip..>
\xff7\xffh\xff\xb4\xff\xff\xff\xb7\xff\x8b\xff\xb6\xff\xff\xff\xb1\xffh\xff)\xff\xff\xff\xb3\xff\x8b\xff\xc6\xff\x8b\xff\xad\xff\xff\xff\xac\xff\xff\xff\xaf\xff\xff\xff\xae\xff\xff\xff\xa9\xff\xff\xff\xa8\xff\xd2\xffh\xff<\xff\xaa\xff\xff\xff\xa5\xff<\xffg\xff\xff\xff\xa7\xff\xff\xffe\xff<\xff\xa1\xff\xff\xff\xa0\xff\xff\xff\xa3\xff\xc3\xff\x8f\xff\x8b\xff\xe9\xff\xff\xff\x9c\xff\xd2\xff\xeb\xff\xff\xff’)
It appears to have worked and since the file encryption key is generated on a per infection basis we simply only need to abuse this technique to recover 2048 bytes once in order to then recover all the files on the system.
References
1: https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider
2: https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/
3: https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/
5: https://docs.microsoft.com/en-us/windows/win32/api/vsbackup/nl-vsbackup-ivssbackupcomponents
6: https://app.any.run/tasks/27db4430-59e5-48c5-8191-f3491f13b3c4#
