Beneath the Surface: AvosLocker's Ransomware-as-a-Service and Cybercrime Tactics
Research and Analysis • Oct 25, 2023
Origin: June 2021
Aliases: None
Targeted Sectors: Manufacturing, Financial Services, Government, Automotive, Trucking, Healthcare, Hospitality, Education, Retail
Targeted Regions: The U.S., Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the U.K., Canada, China, Taiwan
Motive: Financial gain
Common Infection Vectors: Spam, Phishing, Zero-day and other vulnerabilities
AvosLocker, a ransomware strain that emerged after REvil went quiet, was first detected in late June 2021, and its operators have introduced several iterations since. Over that period they expanded their ranks, recruiting additional team members and Initial Access Brokers (IABs). AvosLocker affiliates practice double extortion, and, operating under a Ransomware-as-a-Service (RaaS) model, the group selectively targets organizations capable of paying its ransom demands.
AvosLocker mostly targets critical infrastructure in the U.S., with incidents also documented in countries such as Canada, the U.K., and Spain. It has gradually established itself as a notable threat, prompting the FBI to issue a warning about its activities.
AvosLocker is a multi-threaded Windows executable written in C++. It entered the cybercrime world by targeting Windows systems and, roughly six months later, introduced a Linux variant capable of targeting ESXi virtual machines. Around the same time, the ransomware gained the ability to run in Safe Mode, largely because endpoint security products do not run in that mode.
AvosLocker runs as a console application, displaying a log of the actions it performs on the victim system. It supports optional command-line arguments to enable or disable certain features, giving the attacker flexibility. It also creates a mutex object as an infection marker so that a system is not encrypted twice.
AvosLocker affiliates use a number of legitimate software and open-source tools during their intrusions to conduct data exfiltration-based extortion.
For initial access, AvosLocker affiliates use remote system administration tools such as Splashtop Streamer, Tactical RMM, SoftPerfect Network Scanner, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent to obtain backdoor access.
They use custom PowerShell scripts for privilege escalation and lateral movement, and to disable installed antivirus solutions; in some intrusions they have also used custom .bat scripts.
The affiliates have also used legitimate Windows tools, such as PsExec and Nltest, during execution.
Custom webshells are deployed to enable network access and maintain persistence.
Furthermore, the criminals use the open-source tools LaZagne and Mimikatz to steal credentials, and FileZilla and Rclone for data exfiltration.
Researchers have also observed the open-source tunneling tools Ligolo and Chisel in AvosLocker operations.
Other publicly available tools that the affiliates have used are Notepad++, RDP Scanner, and 7-Zip.
Before encryption, the ransomware scans accessible drives and enumerates files in directories. It then encrypts these files and appends specific file extensions such as ".avos," ".avos2," or "AvosLinux" to the encrypted files.
The encryption process uses AES-256 (with RSA) to encrypt files and the ChaCha20 algorithm to encrypt the encryption-related metadata; its operators claim it is one of the fastest ransomware variants available. Files are selected for encryption based on their extensions.
In every directory where files are encrypted, AvosLocker drops a ransom note named "GET_YOUR_FILES_BACK.txt" containing instructions for the victim on how to recover their files. In some cases, the text of the ransom note is also set as the desktop wallpaper on infected servers.
AvosLocker follows the double extortion model, compelling victims to pay both for a decryptor and for the non-disclosure of stolen data. With the launch of its RaaS program, AvosLocker set up a Tor-based leak site to name non-compliant victims and publish their stolen data, so the operators maintain a public leak site separate from the ransom negotiation site. They list non-paying victims alongside a sample of data allegedly stolen from their networks; visitors to the site can view the sample and even purchase the victim's data.
In some cases, AvosLocker victims receive phone calls from representatives of the ransomware operators. These callers encourage victims to visit the Tor site to negotiate and may threaten to post the stolen data online. Additionally, AvosLocker operators may threaten and carry out DDoS attacks during negotiations to further pressure the victims.
The intrusion methods depend largely on the expertise of the affiliate who infiltrates the victim's network. Affiliates have leveraged known vulnerabilities in Microsoft Exchange, including CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, CVE-2021-31207, and the ProxyLogon vulnerabilities (CVE-2021-26855 and CVE-2021-27065). They have also been observed abusing zero-day vulnerabilities, a common characteristic of advanced ransomware groups.
In June 2022, the cybercriminals exploited Log4j (CVE-2021-44228), a critical zero-day vulnerability in the Apache Log4j 2 Java-based logging library. The same month, the group was spotted abusing the OGNL injection vulnerability (CVE-2022-26134) in Atlassian Confluence Server and Data Center instances for initial access to corporate networks.
Some AvosLocker affiliates exploited a high-risk vulnerability related to Apache Log4j (CVE-2021-45046) as well.
The attackers have migrated their infrastructure to hosts on legitimate public hosting services, making their operations harder to detect and mitigate. Additionally, the ransomware strain manipulates file uploads to evade security checks, potentially achieving remote code execution for complete system compromise. The ransomware also has mechanisms to evade sandbox detection and to perform lateral movement.
Multiple U.S. critical infrastructure organizations across industries—including government, financial services, and critical manufacturing—have been targeted by the AvosLocker RaaS operation. According to the leak site, its affiliates have also targeted organizations in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the U.K., Canada, China, and Taiwan.
With respect to sectors, the criminals predominantly target industrial, commercial, and SMB entities, focusing on industries such as automotive, trucking, banking, healthcare, hospitality, education, and retail.
By February 2022, there were over 60 different victims mentioned in AvosLocker’s leak site. Some publicly disclosed victims of AvosLocker are Pacific City Bank, GIGABYTE Technology, Christus Health, Savannah College of Art and Design (SCAD), Bluefield University, and more.
Beyond basic security hygiene, some of the top recommendations from the FBI and CISA are:
Secure remote access tools by implementing application controls to manage and control the execution of software, including allowlisting remote access programs.
Strictly limit the use of RDP and other remote desktop services.
Restrict the use of PowerShell via Group Policy, granting access only to specific users on a case-by-case basis.
Configure the Windows Registry to require User Account Control (UAC) approval for PsExec operations that require administrator privileges.
Beyond that, maintain offline backups of the organization's critical data and have a backup recovery plan in place, keeping multiple copies of sensitive data and servers in physically separate locations.
Furthermore, security teams should use threat intelligence platforms to automatically enrich, analyze, and operationalize threat intel on ransomware such as AvosLocker, so that the threat can be mitigated proactively.
With Cyware’s collaboration platform, security teams can also automatically share, receive, store, and manage threat detection content, including SIEM rules, YARA rules, Sigma rules, log sources, Suricata and Snort rules, CAR analytics, automated playbooks, and MITRE ATT&CK data, lowering their threat detection time.
To date, the AvosLocker ransomware group continues to expand its arsenal with more legitimate and malicious tools. Its affiliates use a variety of tools, including PowerShell and open-source software, to infiltrate and persist on networks and to exfiltrate data. To safeguard their systems, organizations should follow the joint Cybersecurity Advisory (CSA) issued by the FBI and CISA and stay aware of the known IOCs, TTPs, and detection methods associated with AvosLocker.
MD5
SHA1
SHA256
Files and Tools
BEACON.PS1
Encoded PowerShell script
PowerShell backdoor
Email Address
keishagrey994@outlook[.]com
Virtual Currency Wallets
a6dedd35ad745641c52d6a9f8da1fb09101d152f01b4b0e85a64d21c2a0845ee
bfacebcafff00b94ad2bff96b718a416c353a4ae223aa47d4202cdbc31e09c92
418748c1862627cf91e829c64df9440d19f67f8a7628471d4b3a6cc5696944dd
bc1qn0u8un00nl6uz6uqrw7p50rg86gjrx492jkwfn
YARA Rule
rule NetMonitor
{
    meta:
        author = "FBI"
        source = "FBI"
        sharing = "TLP:CLEAR"
        status = "RELEASED"
        description = "Yara rule to detect NetMonitor.exe"
        category = "MALWARE"
        creation_date = "2023-05-05"
    strings:
        $rc4key = {11 4b 8c dd 65 74 22 c3}
        $op0 = {c6 [3] 00 00 05 c6 [3] 00 00 07 83 [3] 00 00 05 0f 85 [4] 83 [3] 00
                00 01 75 ?? 8b [2] 4c 8d [2] 4c 8d [3] 00 00 48 8d [3] 00 00 48 8d [3] 00 00 48
                89 [3] 48 89 ?? e8}
    condition:
        uint16(0) == 0x5A4D
        and filesize < 50000
        and any of them
}
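To make the rule's condition concrete, here is an added Python example (not part of the original page or of the FBI rule) that re-implements it: the two hex strings, including the `??` wildcards and `[n]` jumps, are translated into byte regexes, and the MZ-header, size and any-of checks are evaluated over constructed sample buffers. The sample bytes and the 0x90 filler are my own constructions, not real malware artifacts.

```python
import re

# Hex strings copied from the FBI NetMonitor rule quoted above.
RC4KEY = "11 4b 8c dd 65 74 22 c3"
OP0 = ("c6 [3] 00 00 05 c6 [3] 00 00 07 83 [3] 00 00 05 0f 85 [4] 83 [3] 00 "
       "00 01 75 ?? 8b [2] 4c 8d [2] 4c 8d [3] 00 00 48 8d [3] 00 00 48 8d [3] 00 00 48 "
       "89 [3] 48 89 ?? e8")
MAX_SIZE = 50000  # the rule's "filesize < 50000"

def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string (byte tokens, '??' wildcards, '[n]'/'[n-m]' jumps)
    into a compiled bytes regex. Nibble wildcards are not needed for this rule."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

STRINGS = {"$rc4key": hex_pattern_to_regex(RC4KEY), "$op0": hex_pattern_to_regex(OP0)}

def netmonitor_matches(data):
    """Evaluate the rule condition: uint16(0) == 0x5A4D ('MZ' little-endian),
    filesize < 50000, and any string present. Returns the matching string names."""
    if data[:2] != b"MZ" or len(data) >= MAX_SIZE:
        return []
    return [name for name, rx in STRINGS.items() if rx.search(data)]

def fill_pattern(pattern, filler=b"\x90"):
    """Constructed bytes satisfying a hex pattern (wildcards and jumps become filler)."""
    out = b""
    for tok in pattern.split():
        if tok == "??":
            out += filler
        elif tok.startswith("["):
            out += filler * int(tok[1:-1].partition("-")[0])
        else:
            out += bytes.fromhex(tok)
    return out

# Constructed samples: a stub MZ header followed by what the rule looks for (or not).
SAMPLE_KEY = b"MZ" + b"\x00" * 62 + fill_pattern(RC4KEY)
SAMPLE_OP = b"MZ" + b"\x00" * 62 + fill_pattern(OP0)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 200
SAMPLE_TOO_BIG = SAMPLE_KEY + b"\x00" * MAX_SIZE  # right bytes, but over the size limit
```

Calling `netmonitor_matches(SAMPLE_KEY)` returns `['$rc4key']`, while `SAMPLE_TOO_BIG` returns an empty list even though it contains the key, which is exactly the size cut-off a packed or padded copy of the binary would slip past.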
Initial Access
Technique Title: External Remote Services
ID: T1133
Use: AvosLocker affiliates use remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—for backdoor access.
Execution
Technique Title: Command and Scripting Interpreter (PowerShell)
ID: T1059.001
Use: AvosLocker affiliates use custom PowerShell scripts to enable privilege escalation and lateral movement, and to disable antivirus.
Technique Title: Command and Scripting Interpreter (Windows Command Shell)
ID: T1059.003
Use: AvosLocker affiliates use custom .bat scripts to enable privilege escalation and lateral movement, and to disable antivirus.
Technique Title: Windows Management Instrumentation
ID: T1047
Use: AvosLocker affiliates use legitimate Windows tools, such as PsExec and Nltest, in their execution.
Persistence
Technique Title: Server Software Component
ID: T1505.003
Use: AvosLocker affiliates have uploaded and used custom webshells to enable network access.
Credential Access
Technique Title: Credentials from Password Stores
ID: T1555
Use: AvosLocker affiliates use the open-source applications LaZagne and Mimikatz to steal credentials from system stores.
Command and Control
Technique Title: Protocol Tunneling
ID: T1572
Use: AvosLocker affiliates use open-source network tunneling tools such as Ligolo and Chisel.