Tuesday, February 11, 2025
HomeCyber Security NewsAvosLocker Ransomware Uses Driver Files to Disable Anti-Virus Solutions

AvosLocker Ransomware Uses Driver Files to Disable Anti-Virus Solutions

Published on

SIEM as a Service

Follow Us on Google News

Recent research from Trend Micro has revealed a new variant of the highly malicious AvosLocker ransomware. By exploiting unpatched security flaws, this ransomware evades detection by disabling antivirus solutions.

In order to fill the void left by REvil, AvosLocker is one of the newer ransomware families that has recently been found. That is why security analysts have linked it to a number of attacks in which it has targeted several critical infrastructures like financial and government institutions in the U.S.

Here’s what Trend Micro researchers, Christoper Ordonez and Alvin Nieto stated:-

“A legitimate Avast Anti-Rootkit Driver file (asWarPot.sys) is being used in this sample to disable a defense solution. This is the first time we’ve seen a U.S. strain using this feature.”

Infection Chain

In the case of Zoho ManageEngine ADSelfService Plus (ADSS), it is suspected that this exploit is the entry point.

Since details of the attacker’s network traffic were not available, the experts were not able to pinpoint the exact CVE ID of the vulnerability the attacker exploited. 

While apart from this, it appears that they abused CVE-2021-40539, a vulnerability that Synacktiv previously documented. Experts have observed a similar gap when creating JSP files (test.jsp), executing keytool.exe to run their Java code with “null” parameters, and creating crafted classes.

Tools & Functions

Here below we have mentioned all the tools used and their functions:-

  • Netscan: To scan for other endpoints
  • Nmap (log4shell.nse): To scan for Log4shell vulnerable endpoints
  • Hacking tools Mimikatz and Impacket: For lateral movement
  • PDQ deploy: For mass deployment of the malicious script to multiple endpoints
  • Aswarpot.sys: For disabling defense solutions.

Processes

Here below we have mentioned all the processes that the routine searches on the infection:-

  • EndpointBasecamp.exe
  • Trend Micro Endpoint Basecamp
  • ResponseService.exe
  • PccNTMon.exe
  • SupportConnector.exe
  • AOTAgent.exe
  • CETASvc.exe
  • CETASvc
  • iVPAgent.exe
  • tmwscsvc.exe
  • TMResponse
  • AOTAgentSvc
  • TMBMServer
  • iVPAgent
  • Trend Micro Web Service Communicator
  • Tmccsf
  • Tmlisten
  • Ntrtscan
  • TmWSCSvc

Countries Targeted

When targeted entities refuse to pay the ransom, AvosLocker auctions data stolen from them instead, essentially offering them extortion in exchange for data. It was first spotted in July 2021 as a RaaS affiliate group.

The Ransomware cartel has also reportedly claimed the following countries as the addresses of the victims of its ransomware attacks:-

  • Syria
  • Saudi Arabia
  • Germany
  • Spain
  • Belgium
  • Turkey
  • The U.A.E.
  • The U.K.
  • Canada
  • China
  • Taiwan

Commands Used

In the batch file that was deployed, you can find the following commands:-

  • Disable Windows Update and Microsoft Defender
  • Prevents safeboot execution of security products
  • Create new administrator account
  • Add the AutoStart mechanism for the AvosLocker executable (update.exe)
  • Disables legal notice caption
  • Set safeboot with networking and disables Windows Error Recovery and reboot

The HTA was able to connect back to the C2 server and execute an obfuscated PowerShell script with a shellcode and execute arbitrary commands.

Using the process described above, an ASPX web shell, as well as an installation file for anyDesk remote desktop software, will be requested from the server.

Moreover, with help of this process, it deploys other tools such as scanning the local network, terminating security software, and dropping a ransomware payload.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

12,000+ KerioControl Firewalls Exposed to 1-Click RCE Attack

Cybersecurity researchers caution that over 12,000 instances of GFI KerioControl firewalls remain unpatched and...

Apple iOS 0-day Vulnerability Exploited Wild in Extremely Sophisticated Attack

Apple has released emergency security updates to address a zero-day vulnerability, CVE-2025-24200, that has...

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

12,000+ KerioControl Firewalls Exposed to 1-Click RCE Attack

Cybersecurity researchers caution that over 12,000 instances of GFI KerioControl firewalls remain unpatched and...

Apple iOS 0-day Vulnerability Exploited Wild in Extremely Sophisticated Attack

Apple has released emergency security updates to address a zero-day vulnerability, CVE-2025-24200, that has...

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...