{
	"id": "3a0693f2-d6c8-4ac8-9901-493824a25f43",
	"created_at": "2026-04-06T00:11:34.898225Z",
	"updated_at": "2026-04-10T03:38:09.760447Z",
	"deleted_at": null,
	"sha1_hash": "c0f8625580e003c365e0873c28fd853572dfca24",
	"title": "Diavol resurfaces",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1575857,
	"plain_text": "Diavol resurfaces\r\nBy Jason Reaves\r\nPublished: 2022-09-30 · Archived: 2026-04-05 15:33:28 UTC\r\nBy: Jason Reaves and Jonathan McCay\r\nWe previously walked through the file encryption of the Diavol ransomware variant[1], which has been linked to the TrickBot group[2]. After the recent breakup[3,4], Diavol all but seemed to have disappeared. Curiously, we then began to notice an uptick in samples submitted to VirusTotal. While investigating the more recent samples, we were able to determine that it uses a mix of RSA encryption and XOR encoding for files. In some instances, file recovery is still possible.\r\nThe following samples were identified on VirusTotal:\r\nSHA256: aac969e36686f8f8517c111d30f8fb3b527988ebd31b3b762aec8d46e860eb9d\r\nCreation Time: 2022-09-05 20:01:56 UTC\r\nFirst Submission: 2022-09-09 21:06:06 UTC\r\nLast Submission: 2022-09-13 15:50:00 UTC\r\nLast Analysis: 2022-09-13 15:50:00 UTC\r\nSHA256: fb5ee29b98446d34520bf04a82996eefec3b5692710c5631458da63ef7e44fe4\r\nCreation Time: 2022-09-05 20:04:30 UTC\r\nFirst Submission: 2022-09-11 20:30:20 UTC\r\nLast Submission: 2022-09-11 20:30:20 UTC\r\nLast Analysis: 2022-09-11 20:30:20 UTC\r\nSHA256: 708806f5e2e8bfa3d1e911e391ff2ccf1edcac05cc1df80439b8b867253423df\r\nCreation Time: 2022-08-25 16:12:58 UTC\r\nFirst Submission: 2022-08-29 19:49:08 UTC\r\nLast Submission: 2022-09-03 15:40:44 UTC\r\nLast Analysis: 2022-09-03 15:40:44 UTC\r\nThe samples are now 64 bit but function similarly. For the purposes of this report, we will be going through the 7088 sample above. Its configuration values:\r\ngroup=test\r\nfile_ext=.bully\r\nnote_filename=WARNING.txt\r\nFile encryption still involves the use of a 2048 byte XOR key, which is randomly generated in the GENBOTID piece of the main bot. The key is then stored in the main bot and reused later in the file encryption code.\r\nThe first part of the file encryption is the aforementioned usage of the 2048 byte XOR key. For most files, the number of bytes that will be XOR encoded is the overall file size divided by 10. A loop then reads chunks of 2048 bytes, or fewer when less than 2048 bytes remain to be encoded:\r\nThe XOR loop is similar to the one in the previous version of Diavol[1]. It XOR encodes the chunk of data that was read before writing it back to the file:\r\nAfter XOR encoding the file, the RSA encrypted XOR key is written to the end of the file, followed by the number of encoded bytes:\r\nNext, the bot XOR encodes the number of encoded bytes with a single byte and writes that to the end of the file as well:\r\nAfter XOR encoding and writing the appropriate data to the end of the file, the bot goes back to the beginning of the file and begins reading it in chunks of 0x75 bytes. It RSA encrypts each chunk and writes the encrypted bytes back to the file, but without the padding bytes. In this way, 0x75 * 10, or 1170, bytes at the beginning of the file are RSA encrypted after having been XOR encoded.\r\nA quick test can be performed to validate our findings, using a file of NULLs and a large MSI file. First, we validate the end data that was added to the file, which should be 110+0x900+16 bytes from the end:\r\n\u003e\u003e\u003e data = open('test_data.txt.bully', 'rb').read()\r\n\u003e\u003e\u003e 110+0x900+16\r\n2430\r\n\u003e\u003e\u003e end = data[-2430:]\r\nSkipping over the RSA encrypted XOR key should show the two 8 byte values, with the second being XOR encoded with 0xFF:\r\n\u003e\u003e\u003e end[0x900:]\r\n'\\x88\\x13\\x00\\x00\\x00\\x00\\x00\\x00w\\xec\\xff\\xff\\xff\\xff\\xff\\xffk\\xa8\\x0f/6o\\x12\\x08\\xd6\\xbe\\xaaw\\xf1\\x\r\n\u003e\u003e\u003e 0x1388\r\n5000\r\n\u003e\u003e\u003e end[0x900+8:]\r\n'w\\xec\\xff\\xff\\xff\\xff\\xff\\xffk\\xa8\\x0f/6o\\x12\\x08\\xd6\\xbe\\xaaw\\xf1\\x1b0\\x1f\\x10\\x12\\x9b\\x12\\xcc?\\xf4\r\n\u003e\u003e\u003e l = bytearray(b'w\\xec')\r\n\u003e\u003e\u003e l[0] ^= 0xff\r\n\u003e\u003e\u003e l[1] ^= 0xff\r\n\u003e\u003e\u003e l\r\nbytearray(b'\\x88\\x13')\r\nSince the file is NULLs, the clear XOR key should be the first 2048 bytes after we skip over the 1170 RSA encrypted bytes at the beginning:\r\n\u003e\u003e\u003e key = bytearray(data[1170:1170+2048])\r\nWe can test this against another file, in this case an MSI:\r\n\u003e\u003e\u003e data2 = open('powerpointmui.msi.bully', 'rb').read()\r\n\u003e\u003e\u003e test_block = bytearray(data2[1170:])\r\n\u003e\u003e\u003e for i in range(len(test_block)):\r\n...     test_block[i] ^= key[i%2048]\r\n...\r\n\u003e\u003e\u003e test_block[:10000]\r\nbytearray(b'\\xa4A(H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x\r\n...snip...\r\n02\\x00\\x00\\x12\\x00\\x00\\x000\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x1e\\x00\\x00\\x00\\x16\\x00\\x00\\x\r\n...snip...\r\nSo, after recovering the XOR key, it is possible to trivially recover most of each file. The remaining step is to rebuild the first 1170 bytes.\r\nIOCs\r\nEndpoint:\r\nWARNING.txt\r\nwarning.txt\r\n.bully\r\n4eb5bea255c0308b296f5aa259f68626\r\n88b41ba2d6b7cca40118de9007cf64a0e5cc9710\r\naac969e36686f8f8517c111d30f8fb3b527988ebd31b3b762aec8d46e860eb9d\r\ncba851aab28c4b52fb9f0c655d2c0c0e\r\n9697acfa83a31c2925b72f627c9be51346cf5dd0\r\nfb5ee29b98446d34520bf04a82996eefec3b5692710c5631458da63ef7e44fe4\r\n332c1a9146276bc9abc1161e13efabde\r\n6c366cd3b4a54f8e9f7ed6016aac9e7509b06102\r\n708806f5e2e8bfa3d1e911e391ff2ccf1edcac05cc1df80439b8b867253423df\r\nRansom Note:\r\nYou've been hacked. All your corporate network servers and workstations are encrypted. Your company is\r\nNetwork:\r\nhxxps://7ypnbv3snejqmgce4kbewwvym4cm5j6lkzf2hra2hyhtsvwjaxwipkyd[.]onion\r\n173.232[.]146[.]118\r\nReferences\r\n1: https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648\r\n2: https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/\r\n3: https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works\r\n4: https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/\r\nSource: https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922"
	],
	"report_names": [
		"diavol-resurfaces-91dd93c7d922"
	],
	"threat_actors": [
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434294,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0f8625580e003c365e0873c28fd853572dfca24.pdf",
		"text": "https://archive.orkl.eu/c0f8625580e003c365e0873c28fd853572dfca24.txt",
		"img": "https://archive.orkl.eu/c0f8625580e003c365e0873c28fd853572dfca24.jpg"
	}
}