Recent research from Trend Micro has revealed a new variant of the highly malicious AvosLocker ransomware. By exploiting unpatched security flaws, this ransomware evades detection by disabling antivirus solutions.
In order to fill the void left by REvil, AvosLocker is one of the newer ransomware families that has recently been found. That is why security analysts have linked it to a number of attacks in which it has targeted several critical infrastructures like financial and government institutions in the U.S.
Here’s what Trend Micro researchers, Christoper Ordonez and Alvin Nieto stated:-
“A legitimate Avast Anti-Rootkit Driver file (asWarPot.sys) is being used in this sample to disable a defense solution. This is the first time we’ve seen a U.S. strain using this feature.”
In the case of Zoho ManageEngine ADSelfService Plus (ADSS), it is suspected that this exploit is the entry point.
Since details of the attacker’s network traffic were not available, the experts were not able to pinpoint the exact CVE ID of the vulnerability the attacker exploited.
While apart from this, it appears that they abused CVE-2021-40539, a vulnerability that Synacktiv previously documented. Experts have observed a similar gap when creating JSP files (test.jsp), executing keytool.exe to run their Java code with “null” parameters, and creating crafted classes.
Tools & Functions
Here below we have mentioned all the tools used and their functions:-
- Netscan: To scan for other endpoints
- Nmap (log4shell.nse): To scan for Log4shell vulnerable endpoints
- Hacking tools Mimikatz and Impacket: For lateral movement
- PDQ deploy: For mass deployment of the malicious script to multiple endpoints
- Aswarpot.sys: For disabling defense solutions.
Here below we have mentioned all the processes that the routine searches on the infection:-
- Trend Micro Endpoint Basecamp
- Trend Micro Web Service Communicator
When targeted entities refuse to pay the ransom, AvosLocker auctions data stolen from them instead, essentially offering them extortion in exchange for data. It was first spotted in July 2021 as a RaaS affiliate group.
The Ransomware cartel has also reportedly claimed the following countries as the addresses of the victims of its ransomware attacks:-
- Saudi Arabia
- The U.A.E.
- The U.K.
In the batch file that was deployed, you can find the following commands:-
- Disable Windows Update and Microsoft Defender
- Prevents safeboot execution of security products
- Create new administrator account
- Add the AutoStart mechanism for the AvosLocker executable (update.exe)
- Disables legal notice caption
- Set safeboot with networking and disables Windows Error Recovery and reboot
The HTA was able to connect back to the C2 server and execute an obfuscated PowerShell script with a shellcode and execute arbitrary commands.
Using the process described above, an ASPX web shell, as well as an installation file for anyDesk remote desktop software, will be requested from the server.
Moreover, with help of this process, it deploys other tools such as scanning the local network, terminating security software, and dropping a ransomware payload.