Sunday, September 8, 2024
Homecyber securityHackers Using Remote Admin Tools To Compromise Organizations With Ransomware

Hackers Using Remote Admin Tools To Compromise Organizations With Ransomware

Published on

Cybercriminals behind the AvosLocker ransomware attack employed a tactic of infecting organizations through Open-Source Remote Administration Tools.

This method allowed the malware to spread rapidly, potentially compromising sensitive data and systems across the affected networks.

The FBI found a new version of AvosLocker in May of 2023 during their investigations.

- Advertisement - EHA

AvosLocker Ransomware

AvosLocker is a RaaS (ransomware as a service) group that emerged in the middle of 2021. It has since gained notoriety for attacks on U.S. financial institutions, vital factories, and government buildings, all considered part of the country’s “critical infrastructure.”

Members of the AvosLocker group infiltrate corporate networks by masquerading as genuine software installers or by employing freely available remote system administration tools.

Affiliates of AvosLocker engage in extortion by threatening to leak or publicly disclose the stolen information obtained through data exfiltration.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

AvosLocker Affiliates:

  • Remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—as backdoor access vectors [T1133]. 
  • Scripts to execute legitimate native Windows tools [T1047], such as PsExec and Nltest. 
  • Open-source networking tunneling tools [T1572] Ligolo[1] and Chisel[2]. 
  • Cobalt Strike and Sliver[3] for command and control (C2).
  • Lazagne and Mimikatz for harvesting credentials [T1555].
  • FileZilla and Rclone for data exfiltration.
  • Notepad++, RDP Scanner, and 7zip

The FBI developed the following YARA rule to detect the signature of a file known to be enabling malware, based on an analysis by a sophisticated digital forensics group.

NetMonitor.exe is a malware masquerading as a legitimate process and it has the appearance of a genuine network monitoring tool.

The network will get a ping from this persistence utility every five minutes. 

The software for NetMonitor is set up to talk to a specific IP address that acts as its command server through TCP port 443.

During an attack, the communication between NetMonitor and the command server is protected, and NetMonitor works like a reverse facilitator that lets attackers connect to the tool from outside the victim’s network.

The FBI and CISA suggest that companies take steps to protect their computer systems from AvosLocker ransomware attacks. This will help to prevent hackers from stealing important information and causing problems.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...