Recent research from Trend Micro has revealed a new variant of the highly malicious AvosLocker ransomware. By exploiting unpatched security flaws, this ransomware evades detection by disabling antivirus solutions.
In order to fill the void left by REvil, AvosLocker is one of the newer ransomware families that has recently been found. That is why security analysts have linked it to a number of attacks in which it has targeted several critical infrastructures like financial and government institutions in the U.S.
Here’s what Trend Micro researchers, Christoper Ordonez and Alvin Nieto stated:-
“A legitimate Avast Anti-Rootkit Driver file (asWarPot.sys) is being used in this sample to disable a defense solution. This is the first time we’ve seen a U.S. strain using this feature.”
In the case of Zoho ManageEngine ADSelfService Plus (ADSS), it is suspected that this exploit is the entry point.
Since details of the attacker’s network traffic were not available, the experts were not able to pinpoint the exact CVE ID of the vulnerability the attacker exploited.
While apart from this, it appears that they abused CVE-2021-40539, a vulnerability that Synacktiv previously documented. Experts have observed a similar gap when creating JSP files (test.jsp), executing keytool.exe to run their Java code with “null” parameters, and creating crafted classes.
Here below we have mentioned all the tools used and their functions:-
Here below we have mentioned all the processes that the routine searches on the infection:-
When targeted entities refuse to pay the ransom, AvosLocker auctions data stolen from them instead, essentially offering them extortion in exchange for data. It was first spotted in July 2021 as a RaaS affiliate group.
The Ransomware cartel has also reportedly claimed the following countries as the addresses of the victims of its ransomware attacks:-
In the batch file that was deployed, you can find the following commands:-
The HTA was able to connect back to the C2 server and execute an obfuscated PowerShell script with a shellcode and execute arbitrary commands.
Using the process described above, an ASPX web shell, as well as an installation file for anyDesk remote desktop software, will be requested from the server.
Moreover, with help of this process, it deploys other tools such as scanning the local network, terminating security software, and dropping a ransomware payload.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…