Dangerous New Diavol Ransomware
Overview
The SonicWall Capture Labs threat research team has recently observed a new variant of Diavol ransomware. The ransomware executes its malicious activities by utilizing bitmap objects containing binary code and paired JPEG objects containing the DLL names and associated API strings.
Infection Cycle
When it begins execution, the ransomware checks a DWORD value stored in its .SHARDAT section. If that DWORD value is zero, the ransomware proceeds with its malicious operations and increments the value to one, marking the start of its activity.
Conversely, if the DWORD value is already set to one, the ransomware promptly terminates its execution without initiating any malicious operations.
This method allows the ransomware to execute only once on the system.
Figure 1: DWORD values check
Using VirtualAlloc API, it allocates two memory buffers with read, write and execute (RWX) permissions with the intention of subsequently loading shellcode into these allocated memory regions. Next, it checks for any command line parameters that are passed to the executable.
It supports the parameters below:
- “-p”: Path to a file containing files/directories to be encrypted
- “-h”: Path to a file containing remote files/directories
- “-m”: Mode
  - local: Encrypts local drives
  - net: Encrypts network drives
  - scan: Scans and encrypts network shares
  - all: Encrypts local and network drives
- “-log”: Path to a log file
Even if there are no arguments passed, it is still able to successfully encrypt the files locally. Next, it calls time64 to get the current time on the system and uses it as the seed for the srand function to initialize the pseudo-random number generator.
Figure 2: srand function
The ransomware hides its different tasks that are to be performed in bitmaps, which are kept in the PE resource section. Before it runs each task, it copies the binary code from the bitmap to a memory buffer allocated earlier. The imports used by each task are also stored in the resource section under “JPEG” with the same names as the bitmaps.
Figure 3: Resource section containing bitmap objects
The ransomware uses the GENBOTID routine to create a unique identifier for the victim’s system. It calls LoadBitmapW, CreateCompatibleDC, SelectObject and GetObjectW. After that, it calls GetDIBits to retrieve the bits of the bitmap image and copies them into the memory buffer as a DIB.
Figure 4: GENBOTID’s bitmap Image and its corresponding binary view
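When analysing a sample like this offline, the first step is to pull the pixel array out of each RT_BITMAP resource, since that is what GetDIBits hands back to the loader. The added example below (written for this post, not the report's or the malware's code) parses the BITMAPINFOHEADER that begins an RT_BITMAP resource, skips any palette, and returns the pixel rows in stored order with row padding stripped; the sample blob is constructed and carries plain text rather than code.

```python
import struct

def dib_info(blob):
    """Parse the 40-byte BITMAPINFOHEADER at the start of an RT_BITMAP resource."""
    (size, width, height, _planes, bpp, compression, _image_size,
     _xppm, _yppm, clr_used, _clr_important) = struct.unpack_from("<IiiHHIIiiII", blob, 0)
    if size != 40 or compression != 0:
        raise ValueError("only uncompressed BITMAPINFOHEADER bitmaps are handled")
    palette_entries = (clr_used or (1 << bpp)) if bpp <= 8 else 0
    stride = ((width * bpp + 31) // 32) * 4   # rows are padded to 4-byte multiples
    return {"width": width, "height": abs(height), "bpp": bpp,
            "stride": stride, "pixels_offset": size + 4 * palette_entries}

def dib_pixel_array(blob):
    """Raw pixel array exactly as stored (this is what the DIB copy contains)."""
    info = dib_info(blob)
    start = info["pixels_offset"]
    return blob[start:start + info["stride"] * info["height"]]

def dib_payload(blob):
    """Pixel rows in stored order with the per-row padding removed."""
    info = dib_info(blob)
    px, stride = dib_pixel_array(blob), info["stride"]
    row_bytes = (info["width"] * info["bpp"] + 7) // 8
    return b"".join(px[r * stride:r * stride + row_bytes] for r in range(info["height"]))

def build_sample_dib(rows, bpp=8):
    """Constructed 8-bpp RT_BITMAP-style blob: header, 256-entry palette, padded rows."""
    width, height = len(rows[0]), len(rows)
    stride = ((width * bpp + 31) // 32) * 4
    header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                         stride * height, 0, 0, 0, 0)
    palette = b"\0" * (4 * (1 << bpp))
    return header + palette + b"".join(r.ljust(stride, b"\0") for r in rows)

# Constructed sample: two 5-pixel rows of text stand in for the embedded bytes.
SAMPLE_DIB = build_sample_dib([b"HELLO", b"WORLD"])
```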
Once the binary code of the GENBOTID bitmap is loaded into the memory, it loads the corresponding name resource file into memory using the FindResource and LoadResource APIs.
Figure 5: GENBOTID’s resource section
The resource file contains the names of the DLLs and the APIs that are to be used in the routine. This helps the ransomware avoid walking the PEB structure to resolve its imports dynamically. It manually calls the LoadLibrary and GetProcAddress APIs which are present in the resource file, and the resolved API addresses are stored at the end of the buffer. It generates the bot id in the format below:
<computer_name> + <username> + “_W” + <OS version in hex> + “.” + <random_GUID_bytes in hex>
Figure 6: BotID
It then builds the content of the POST request as seen below:
cid=<bot_ID>&group=<group_ID>&ip_local1=111.111.111.111&ip_local2=222.222.222.222&ip_external=2.16.7.12.
Figure 7: POST request
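The check-in body has a fixed set of keys and a bot ID with a recognisable shape, which is enough for a network-side detection. The following added example (not code from the report) parses a form-encoded POST body and returns whether it matches that layout; the host name, user name and OS value in the sample bot ID are constructed, while the three IP addresses are the ones shown above.

```python
import re
from urllib.parse import parse_qs

# Bot-ID layout from the report: <computer_name><username>_W<OS version hex>.<GUID bytes hex>
BOT_ID_RE = re.compile(r"^.+_W[0-9A-Fa-f]+\.[0-9A-Fa-f]+$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
EXPECTED_KEYS = {"cid", "group", "ip_local1", "ip_local2", "ip_external"}

def parse_checkin(body):
    """Form-encoded body -> dict of single-valued fields."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if v}

def looks_like_diavol_checkin(body):
    """True when the body has exactly the five check-in keys, a cid in
    bot-ID form, and dotted-quad values in the three ip_* fields."""
    f = parse_checkin(body)
    if set(f) != EXPECTED_KEYS:
        return False
    if not BOT_ID_RE.match(f["cid"]):
        return False
    return all(IPV4_RE.match(f[k]) for k in ("ip_local1", "ip_local2", "ip_external"))

# Constructed sample: host "WS01", user "alice", OS 0x0A00, GUID bytes made up.
SAMPLE_CHECKIN = ("cid=WS01alice_W0A00.1a2b3c4d5e6f7a8b&group=1"
                  "&ip_local1=111.111.111.111&ip_local2=222.222.222.222"
                  "&ip_external=2.16.7.12")
# Constructed benign form post that shares nothing with the check-in layout.
BENIGN_FORM = "username=alice&password=example&remember=1"
```

Feed it the decoded body of outbound POSTs from a proxy or IDS; a match is a strong trigger for isolating the host and pulling the sample.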
It has a hardcoded list of the service names to be stopped from running on the victim’s system.
Figure 8
List of Service names:
[“DefWatch”, “ccEvtMgr”, “ccSetMgr”, “SavRoam”, “dbsrv12”, “sqlservr”, “sqlagent”, “Intuit.QuickBooks.FCS”, “dbeng8”, “QBIDPService”, “Culserver”, “RTVscan”, “vmware-usbarbitator64”, “vmware-converter”, “VMAuthdService”, “VMnetDHCP”, “VMUSBArbService”, “VMwareHostd”, “SQLADHLP”, “msmdsrv”, “tomcat6”, “QBCFMonitorService”, “Acronis VSS Provider”, “SQL Backups”, “SQLsafe Backup Service”, “SQLsafe Filter Service”, “Symantec System Recovery”, “Veeam Backup Catalog Data Service”, “Zoolz 2 Service”, “AcrSch2Svc”, “ARSM”, “BackupExecAgentAccelerator”, “BackupExecAgentBrowser”, “BackupExecDeviceMediaService”, “BackupExecJobEngine”, “BackupExecManagementService”, “BackupExecRPCService”, “BackupExecVSSProvider”, “bedbg”, “MMS”, “mozyprobackup”, “ntrtscan”, “PDVFSService”, “SDRSVC”, “SNAC”, “SQLWriter”, “VeeamBackupSvc”, “VeeamBrokerSvc”, “VeeamCatalogSvc”, “VeeamCloudSvc”, “VeeamDeploymentService”, “VeeamDeploySvc”, “VeeamEnterpriseManagerSvc”, “VeeamHvIntegrationSvc”, “VeeamMountSvc”, “VeeamNFSSvc”, “VeeamRESTSvc”, “VeeamTransportSvc”, “sms_site_sql_backup”, “MsDtsServer”, “MsDtsServer100”, “MsDtsServer110”, “msftesql$PROD”, “MSOLAP$SQL_2008”, “MSOLAP$SYSTEM_BGC”, “MSOLAP$TPS”, “MSOLAP$TPSAMA”, “MSSQL$BKUPEXEC”, “MSSQL$ECWDB2”, “MSSQL$PRACTICEMGT”, “MSSQL$PRACTTICEBGC”, “MSSQL$PROD”, “MSSQL$PROFXENGAGEMENT”, “MSSQL$SBSMONITORING”, “MSSQL$SHAREPOINT”, “MSSQL$SQL_2008”, “MSSQL$SQLEXPRESS”, “MSSQL$SYSTEM_BGC”, “MSSQL$TPS”, “MSSQL$TPSAMA”, “MSSQL$VEEAMSQL2008R2”, “MSSQL$VEEAMSQL2012”, “MSSQLFDLauncher”, “MSSQLFDLauncher$PROFXENGAGEMENT”, “MSSQLFDLauncher$SBSMONITORING”, “MSSQLFDLauncher$SHAREPOINT”, “MSSQLFDLauncher$SQL_2008”, “MSSQLFDLauncher$SYSTEM_BGC”, “MSSQLFDLauncher$TPS”, “MSSQLFDLauncher$TPSAMA”, “MSSQLSERVER”, “MSSQLServerADHelper”, “MSSQLServerADHelper100”, “MSSQLServerOLAPService”, “MySQL57”, “MySQL80”, “OracleClientCache80”, “ReportServer$SQL_2008”, “RESvc”, “SQLAgent$BKUPEXEC”, “SQLAgent$CITRIX_METAFRAME”, “SQLAgent$CXDB”, “SQLAgent$ECWDB2”, “SQLAgent$PRACTTICEBGC”, 
“SQLAgent$PRACTTICEMGT”, “SQLAgent$PROD”, “SQLAgent$PROFXENGAGEMENT”, “SQLAgent$SBSMONITORING”, “SQLAgent$SHAREPOINT”, “SQLAgent$SQL_2008”, “SQLAgent$SQLEXPRESS”, “SQLAgent$SYSTEM_BGC”, “SQLAgent$TPS”, “SQLAgent$TPSAMA”, “SQLAgent$VEEAMSQL2008R2”, “SQLAgent$VEEAMSQL2012”, “SQLBrowser”, “SQLSafeOLRService”, “SQLSERVERAGENT”, “SQLTELEMETRY”, “SQLTELEMETRY$ECWDB2”, “mssql$vim_sqlexp”, “IISAdmin”, “NetMsmqActivator”, “POP3Svc”, “SstpSvc”, “UI0Detect”, “W3Svc”, “aphidmonitorservice”, “intel(r) proset monitoring service”, “unistoresvc_1af40a”, “audioendpointbuilder”, “MSExchangeES”, “MSExchangeIS”, “MSExchangeMGMT”, “MSExchangeMTA”, “MSExchangeSA”, “MSExchangeSRS”, “msexchangeadtopology”, “msexchangeimap4”, “Sophos Agent”, “Sophos AutoUpdate Service”, “Sophos Clean Service”, “Sophos Device Control Service”, “Sophos File Scanner Service”, “Sophos Health Service”, “Sophos MCS Agent”, “Sophos MCS Client”, “Sophos Message Router”, “Sophos Safestore Service”, “Sophos System Protection Service”, “Sophos Web Control Service”, “AcronisAgent”, “Antivirus”, “AVP”, “DCAgent”, “EhttpSrv”, “ekrn”, “EPSecurityService”, “EPUpdateService”, “EsgShKernel”, “ESHASRV”, “FA_Scheduler”, “IMAP4Svc”, “KAVFS”, “KAVFSGT”, “kavfsslp”, “klnagent”, “macmnsvc”, “masvc”, “MBAMService”, “MBEndpointAgent”, “McAfeeEngineService”, “McAfeeFramework”, “McAfeeFrameworkMcAfeeFramework”, “McShield”, “McTaskManager”, “mfefire”, “mfemms”, “mfevtp”, “MSSQL$SOPHOS”, “sacsvr”, “SAVAdminService”, “SAVService”, “SepMasterService”, “ShMonitor”, “Smcinst”, “SmcService”, “SntpService”, “sophossps”, “SQLAgent$SOPHsvcGenericHost”, “swi_filter”, “swi_service”, “swi_update”, “swi_update_64”, “TmCCSF”, “tmlisten”, “TrueKey”, “TrueKeyScheduler”, “TrueKeyServiceHelWRSVC”, “vapiendpoint”]
Similar to the service name list, it also has a list of processes to be terminated if found running on the system.
Process name list:
[“iexplore.exe”, “msedge.exe”, “chrome.exe”, “opera.exe”, “firefox.exe”, “savfmsesp.exe”, “zoolz.exe”, “firefoxconfig.exe”, “tbirdconfig.exe”, “thunderbird.exe”, “agntsvc.exe”, “dbeng50.exe”, “dbsnmp.exe”, “isqlplussvc.exe”, “msaccess.exe”, “msftesql.exe”, “mydesktopqos.exe”, “mydesktopservice.exe”, “mysqld-nt.exe”, “mysqld-opt.exe”, “mysqld.exe”, “ocautoupds.exe”, “ocssd.exe”, “oracle.exe”, “sqlagent.exe”, “synctime.exe”, “thebat.exe”, “thebat64.exe”, “encsvc.exe”, “ocomm.exe”, “xfssvccon.exe”, “excel.exe”, “infopath.exe”, “mspub.exe”, “onenote.exe”, “outlook.exe”, “powerpnt.exe”, “visio.exe”, “wordpad.exe”, “CNTAoSMgr.exe”, “mbamtray.exe”, “NtrtscPccNTMon.exe”, “tmlisten.exe”, “sqlmangr.exe”, “RAgui.exe”, “QBCFMonitorService.exe”, “supervise.exe”, “fdhost.exe”, “Culture.exe”, “RTVscan.exe”, “Defwatch.exe”, “wxServerView.exe”, “GDscan.exe”, “QBW32.exe”, “QBDBMgr.exe”, “qbupdate.exe”, “axlbridge.exe”, “360se.exe”, “360doctor.exe”, “QBIDPService.exe”, “wxServer.exe”, “httpd.exe”, “fdlauncher.exe”, “MsDtSrvr.exe”, “tomcat6.exe”, “java.exe”, “wdswfsafe.exe”]
For enumerating the disk, it uses GetLogicalDriveStringsW to get the list of all drives on the system. The drive letters are then converted into lowercase, and only those drives that are DRIVE_REMOTE or DRIVE_FIXED are processed.
Figure 9: Checking drive type
It also checks each path against an exclusion list before encrypting it. The default exclusion list is:
*.exe,*.sys,*.dll,*.lock64,*readme_for_decrypt,*locker.txt,*unlocker.txt,%WINDIR%\,%PROGRAMFILES%\,%PROGRAMW6432%\,*\Microsoft\,*\Windows\,*\Program Files*\,%TEMP%\.
Figure 10: Checking for the exclusion path
Encrypted file names are appended with a .lock64 extension, and the file README_FOR_DECRYPT.txt is created in that directory.
Figure 11
Figure 12: Ransomware note
It also changes the wallpaper.
Figure 13: Ransomware wallpaper
Once the process is completed, it deletes itself.
Figure 14: Command for self-deletion
SonicWall Protections:
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: DiavolCrypt.RSM (Trojan)