Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.
“This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys),” Trend Micro researchers Christoper Ordonez and Alvin Nieto said in a Monday analysis.
“In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap NSE script.”
AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.
A ransomware-as-a-service (RaaS) affiliate-based group first observed in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.
Other targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.
Telemetry data gathered by Trend Micro shows that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by the technology, finance, telecom, and media verticals.
The entry point for the attack is believed to have been an exploit for a remote code execution flaw in Zoho’s ManageEngine ADSelfService Plus software (CVE-2021-40539), used to run an HTML application (HTA) hosted on a remote server.
“The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the [command-and-control] server to execute arbitrary commands,” the researchers explained.
This includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.
Some of the components copied to the infected endpoint are an Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to push a malicious batch script to multiple endpoints.
The batch script, for its part, is equipped with a range of capabilities that allow it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.
Also used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver that the Czech company resolved in June 2021. Because the file carries a valid Avast signature, driver signature enforcement does not stop it from loading; this is a bring-your-own-vulnerable-driver (BYOVD) technique, so the useful signal for defenders is where the driver is loaded from and which service registers it, not the signature itself.
“The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege),” the researchers pointed out. “This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice.”
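The batch-script behaviours and the BYOVD driver abuse described above leave distinct traces in endpoint telemetry. The following is an added example of hunting logic over a constructed event export; it is not Trend Micro's or the attacker's code. It assumes a JSON-lines dump where Sysmon Event ID 1 is process creation, Event ID 6 is driver load, and System log Event ID 7045 is a new service; the sample rows, the host names, the assumed Avast install path and the specific commands (reg add, sc config, bcdedit, net user) are illustrative ways to produce the effects the article lists, not the exact contents of the batch script.

```python
"""Hunt for AvosLocker-style defence tampering in a JSON-lines event export.

Added example, not code from the article, Trend Micro or the attacker.
Field names follow Sysmon (EventID, Image, CommandLine, ImageLoaded) and the
System log 7045 event (ServiceName, ImagePath); the rows are constructed.
"""
import json
import re
from collections import defaultdict

VULN_DRIVER = "aswarpot.sys"
# Assumed location of a genuine Avast install. The driver is validly signed, so
# a copy loaded from anywhere else (Temp, a share, a user profile) is the signal.
AVAST_DIR = "c:\\program files\\avast software\\"

# Common commands that produce the effects the batch script is described as
# having; these patterns are assumptions, not the script's actual content.
COMMAND_RULES = [
    ("defender_disabled", re.compile(
        r"DisableAntiSpyware|Set-MpPreference\s+-Disable\w+", re.I)),
    ("windows_update_disabled", re.compile(
        r"wuauserv.*start=\s*disabled|sc\s+stop\s+wuauserv", re.I)),
    ("error_recovery_disabled", re.compile(
        r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("safeboot_tampering", re.compile(r"safeboot", re.I)),
    ("admin_account_created", re.compile(
        r"net\s+(user\s+\S+\s+\S+|localgroup\s+administrators\s+\S+)\s+/add", re.I)),
]

# Constructed sample: WS01 runs a real Avast install, WS02 is the victim.
SAMPLE_LOG = r"""
{"EventID":6,"Computer":"WS01","ImageLoaded":"C:\\Program Files\\Avast Software\\Avast\\aswArPot.sys","Signature":"Avast Software s.r.o."}
{"EventID":6,"Computer":"WS02","ImageLoaded":"C:\\Windows\\Temp\\aswArPot.sys","Signature":"Avast Software s.r.o."}
{"EventID":7045,"Computer":"WS02","ServiceName":"asWarPot","ImagePath":"C:\\Windows\\Temp\\aswArPot.sys"}
{"EventID":1,"Computer":"WS02","Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"}
{"EventID":1,"Computer":"WS02","Image":"C:\\Windows\\System32\\sc.exe","CommandLine":"sc config wuauserv start= disabled"}
{"EventID":1,"Computer":"WS02","Image":"C:\\Windows\\System32\\bcdedit.exe","CommandLine":"bcdedit /set {default} recoveryenabled No"}
{"EventID":1,"Computer":"WS02","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net user svc_backup Passw0rd! /add"}
{"EventID":1,"Computer":"WS01","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs -p"}
"""


def classify(event: dict) -> list[str]:
    """Return the finding names a single event triggers (empty if benign)."""
    eid = event.get("EventID")
    if eid == 6:
        path = event.get("ImageLoaded", "").lower()
        # Legit Avast loads its own driver from its install dir; flag others.
        if path.endswith(VULN_DRIVER) and not path.startswith(AVAST_DIR):
            return ["byovd_avast_driver_loaded_outside_install_dir"]
    elif eid == 7045:
        if event.get("ImagePath", "").lower().endswith(VULN_DRIVER):
            return ["byovd_driver_service_installed"]
    elif eid == 1:
        cmd = event.get("CommandLine", "")
        return [name for name, pat in COMMAND_RULES if pat.search(cmd)]
    return []


def scan(jsonl: str) -> dict[str, set[str]]:
    """Map each host to the set of distinct findings observed on it."""
    findings: dict[str, set[str]] = defaultdict(set)
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for name in classify(event):
            findings[event.get("Computer", "?")].add(name)
    return dict(findings)


def hosts_to_triage(jsonl: str, min_findings: int = 2) -> list[str]:
    """Hosts showing several distinct tampering steps, which points at the
    mass-deployed batch script rather than a lone admin command."""
    return sorted(h for h, f in scan(jsonl).items() if len(f) >= min_findings)


if __name__ == "__main__":
    for host, names in scan(SAMPLE_LOG).items():
        print(host, sorted(names))
    print("triage:", hosts_to_triage(SAMPLE_LOG))
```

The point of the path check is the caveat from the paragraph above: a signature-based allow list will pass aswArPot.sys because it is a genuine Avast binary, so the detection keys on the load location and the service registration, and on several tampering steps landing on one host within the same export.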