Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.
“This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (aswArPot.sys),” Trend Micro researchers Christopher Ordonez and Alvin Nieto said in a Monday analysis.
“In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap NSE script.”
AvosLocker is one of several ransomware families that have been associated with a variety of attacks on critical infrastructure in the U.S., including government buildings and financial services.
A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.
Other targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.
Telemetry data gathered by Trend Micro shows that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.
The entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho’s ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.
“The HTA executed an opaque PowerShell script, which contained a shellcode capable of connecting back at the [command-and-control] server in order to execute arbitrary commands,” the researchers said.
This includes retrieving an ASPX web shell from the server and an installer for the AnyDesk remote desktop software. The latter is used to deploy additional tools, scan the local network, terminate security software, and drop the ransomware.
Some of the components copied to the infected endpoint are a Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints.
The batch script has a broad range of capabilities. It can disable Windows Update, Windows Defender, and Windows Error Recovery. Additionally, it prevents booting into safe mode, creates a new administrator account, and launches the ransomware binary.
The attackers also abused aswArPot.sys, a legitimate Avast anti-rootkit driver, to terminate processes belonging to various security products by exploiting a vulnerability in the driver that the Czech company fixed in June 2021.
The researchers stated that the rootkit driver files were chosen for their ability to run in kernel mode, which means they can operate at high privileges. This variant can also modify other security settings, including disabling the legal notice.
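The behaviours described above (a vulnerable signed driver loaded from an unusual location, Defender and Windows Update disabled, boot configuration changed, a new local administrator created) are all visible in endpoint telemetry. The following detector is an added example, not code from the Trend Micro report or from any product; it runs over a handful of constructed Sysmon-style events (event ID 6 for driver loads, event ID 1 for process creation, already parsed into dicts) and flags the driver named in the article plus command-line patterns that are an illustrative assumption of what the batch script's actions might look like on a host.

```python
"""Added example: flag AvosLocker-style defence tampering in parsed endpoint events.
The events below are constructed for illustration; only the driver name comes from the report."""
import re
from typing import Dict, List

# Driver the report names as abused for kernel-mode process termination (BYOVD).
ABUSED_DRIVERS = {"aswarpot.sys"}
# A load of that driver from the normal driver store is still worth flagging, but a
# load from elsewhere (temp or user-writable paths) is the stronger signal.
DRIVER_STORE = "c:\\windows\\system32\\drivers\\"

# Assumed command-line shapes for the tampering actions the article describes.
TAMPER_PATTERNS = {
    "defender_disabled": re.compile(r"Set-MpPreference\s+-Disable\w+|sc\s+(stop|config)\s+WinDefend", re.I),
    "windows_update_disabled": re.compile(r"sc\s+(stop|config)\s+wuauserv", re.I),
    "boot_config_tampered": re.compile(r"\bbcdedit\b", re.I),
    "admin_account_created": re.compile(
        r"net\s+user\s+\S+\s+\S+\s+/add|net\s+localgroup\s+administrators\s+\S+\s+/add", re.I),
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\aswArPot.sys"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user svc_backup Passw0rd! /add"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\aswArPot.sys"},
]


def check_event(event: Dict[str, object]) -> List[str]:
    """Return a list of finding labels for one event (empty when nothing matched)."""
    findings: List[str] = []
    if event.get("EventID") == 6:
        path = str(event.get("ImageLoaded", ""))
        name = path.rsplit("\\", 1)[-1].lower()
        if name in ABUSED_DRIVERS:
            where = "driver_store" if path.lower().startswith(DRIVER_STORE) else "unusual_path"
            findings.append(f"known_abusable_driver_loaded:{name}:{where}")
    elif event.get("EventID") == 1:
        cmd = str(event.get("CommandLine", ""))
        for label, pattern in TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                findings.append(label)
    return findings


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that produced a finding."""
    results = {}
    for index, event in enumerate(events):
        findings = check_event(event)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, findings)
```

Several distinct tamper findings on one host inside a short window is the useful alert condition; any single pattern (bcdedit in particular) will also fire on legitimate administration, so the labels are meant to be correlated, not alerted on individually.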