Cybersecurity researchers have detailed a new variant of the AvosLocker ransomware that disables anti-virus solutions to evade detection after breaking into the target network by exploiting unpatched security flaws.
Trend Micro researchers Christopher Ordonez and Alvin Nieto said in an analysis published Monday: "This is the first sample we've observed from the United States with the ability to neutralize defenses by using the legitimate Avast Anti-Rootkit Driver file (aswArPot.sys)."
"Additionally, the ransomware is also capable of scanning multiple endpoints for the Log4j (Log4Shell) vulnerability using the Nmap NSE script."
AvosLocker, one of the newer ransomware families to fill the void left by REvil, has been linked to several attacks on critical infrastructure in the US, including financial services and government facilities.
A ransomware-as-a-service (RaaS) affiliate-based operation first identified in July 2021, AvosLocker goes beyond double extortion by auctioning off data stolen from victims if the targeted entity refuses to pay the ransom.
Other victims claimed by the ransomware group are believed to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the UAE, the UK, Canada, China and Taiwan, according to an advisory issued by the US Federal Bureau of Investigation (FBI) in March 2022.
Telemetry data collected by Trend Micro shows that the food and beverage sector was the most affected industry between July 1, 2021 and February 28, 2022, followed by the technology, finance, telecommunications and media verticals.
The initial access is said to have been gained by exploiting a remote code execution vulnerability in Zoho's ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.
"The HTA executed an obfuscated PowerShell script containing a shellcode, capable of connecting back to [command-and-control]," the researchers explained.
This includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, which is then used to deploy additional tools for scanning the local network, terminating security software and dropping the ransomware payload.
Among the components copied to the infected endpoint were an Nmap script that scans the network for the Log4Shell remote code execution vulnerability (CVE-2021-44228) and a mass deployment tool called PDQ, which is used to push a malicious batch script to multiple endpoints.
The batch script, for its part, is equipped with a range of capabilities: it disables Windows Update, Windows Defender and Windows Error Recovery, prevents security products from executing in Safe Mode (safe boot), creates a new administrator account and launches the ransomware binary.
Also used was aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with various security solutions by weaponizing a now-fixed vulnerability in the driver that the Czech company resolved in June 2021. Because the driver is signed and legitimate, the technique is a classic bring-your-own-vulnerable-driver (BYOVD) attack: nothing about the file itself is malicious, so the abuse has to be detected from where it is loaded and what is done around it.
“The decision to select a specific rootkit driver file was because of its ability to execute in kernel mode (thus operating at high privileges),” the researchers point out. “This variant also has the ability to modify other details of installed security solutions, such as disabling legal notices.”
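The batch-script behaviours and the vulnerable-driver abuse described above translate naturally into a small hunting rule set. The following is an added example, not code from Trend Micro or from the article: it runs simple detections over a handful of constructed, Sysmon-like events (process creation as event ID 1, driver load as event ID 6; field names `host`, `event_id`, `command_line` and `image_loaded` are assumptions of this example, not a real schema). The concrete commands matched (Set-MpPreference for Defender, `sc config wuauserv` for Windows Update, `bcdedit ... recoveryenabled no` for Windows Error Recovery, deletion of SafeBoot registry keys, `net localgroup administrators ... /add`) are common ways of achieving each effect the article lists, not the exact commands of the AvosLocker script, which the article does not reproduce.

```python
"""Hunt for AvosLocker-style defence evasion in Sysmon-like events (added example)."""
import ntpath
import re

# Constructed sample telemetry for this example; not real AvosLocker data.
SAMPLE_EVENTS = [
    # Benign: Avast's own driver loading from its install directory on a host running Avast.
    {"host": "ws01", "event_id": 6,
     "image_loaded": r"C:\Program Files\Avast Software\Avast\aswArPot.sys"},
    # Suspicious: the same signed driver dropped into a temp directory (BYOVD pattern).
    {"host": "ws02", "event_id": 6, "image_loaded": r"C:\Windows\Temp\aswArPot.sys"},
    {"host": "ws02", "event_id": 1,
     "command_line": r"sc create drv1 binPath= C:\Windows\Temp\aswArPot.sys type= kernel"},
    {"host": "ws02", "event_id": 1,
     "command_line": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "ws02", "event_id": 1, "command_line": "sc config wuauserv start= disabled"},
    {"host": "ws02", "event_id": 1, "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws02", "event_id": 1,
     "command_line": r'reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend" /f'},
    {"host": "ws02", "event_id": 1, "command_line": "net user backup P@ssw0rd /add"},
    {"host": "ws02", "event_id": 1, "command_line": "net localgroup administrators backup /add"},
    # Benign admin activity elsewhere; should not fire anything.
    {"host": "ws03", "event_id": 1, "command_line": "net user"},
]

DRIVER_NAME = "aswarpot.sys"
# Assumed legitimate location of the Avast driver; loads from anywhere else are suspect.
AVAST_DIR_RE = re.compile(r"^c:\\program files\\avast software\\", re.I)

# (rule name, regex over the process command line). Each maps to one capability from the article.
CMDLINE_RULES = [
    ("byovd_driver_service_created",
     re.compile(r"sc(\.exe)?\s+create\s+.*aswarpot\.sys", re.I)),
    ("defender_realtime_disabled",
     re.compile(r"set-mppreference\s+.*-disablerealtimemonitoring\s+\$true", re.I)),
    ("windows_update_disabled",
     re.compile(r"sc(\.exe)?\s+config\s+wuauserv\s+start=\s*disabled", re.I)),
    ("error_recovery_disabled",
     re.compile(r"bcdedit\s+.*recoveryenabled\s+no", re.I)),
    ("safeboot_security_product_removed",
     re.compile(r"reg(\.exe)?\s+delete\s+.*\\safeboot\\", re.I)),
    ("new_local_admin",
     re.compile(r"net1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
]


def analyse(events):
    """Return (rule_name, host, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev.get("event_id") == 6:
            path = ev.get("image_loaded", "")
            # The driver is legitimate; the signal is the load path, not the file.
            if ntpath.basename(path).lower() == DRIVER_NAME and not AVAST_DIR_RE.match(path):
                findings.append(("byovd_avast_driver_outside_install_dir", host, path))
        elif ev.get("event_id") == 1:
            cmd = ev.get("command_line", "")
            for name, rx in CMDLINE_RULES:
                if rx.search(cmd):
                    findings.append((name, host, cmd))
    return findings


def hosts_with_chain(events, min_rules=3):
    """Hosts on which several distinct rules fired.

    One tampering command can be an admin; the sequence "disable defences, remove
    safe-boot protection, add an admin" on one host is the pattern worth paging on.
    """
    per_host = {}
    for name, host, _ in analyse(events):
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
    print("hosts showing the full chain:", hosts_with_chain(SAMPLE_EVENTS))
```

On the constructed events only `ws02` fires, across all seven rules, while the Avast-installed host `ws01` and the ordinary `net user` on `ws03` stay quiet. In a real deployment the driver-path rule should be paired with an inventory check (is Avast actually installed on that host?) and the path allow-list adjusted to the organisation's own install locations.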