AvosLocker was a Ransomware-as-a-Service double-extortion family active through May 2023 that targeted Windows and later VMware ESXi hosts using a mix of exploited public-facing flaws, compromised remote accounts, and a NetMonitor backdoor. The ransomware used pre-encryption cleanup (process termination, shadow-copy deletion, recovery disabling, and log clearing) and encrypted files with AES (CBC) keys wrapped by a 2048-bit RSA key and appended to the ciphertext. #AvosLocker #NetMonitor #VMwareESXi #CVE-2021-34473

Keypoints

  • AvosLocker operated as a Ransomware-as-a-Service (double extortion) and ceased observable activity after May 2023.
  • Initial access vectors included exploiting ProxyShell and other public-facing vulnerabilities (e.g., Zoho ManageEngine), plus compromised RDP/VPN credentials.
  • Before encryption, AvosLocker terminated business applications, deleted shadow copies, disabled recovery options, and cleared Windows event logs to prevent restoration and hide activity.
  • The ransomware enumerated drives (local, removable, network), skipped many system/program files and extensions, then encrypted files with AES-CBC and embedded an RSA-encrypted AES key, renaming files to extensions like .avos2/.avoslinux.
  • AvosLocker affiliates used NetMonitor as a persistent backdoor (installed as a service) that communicated to hardcoded C2s with an RC4-encrypted binary protocol and supported remote command/reverse-proxy functionality.
  • String obfuscation (ADVObfuscator) and runtime decoding hindered analysis; the malware provides command-line options and prints debug/encryption stats for operators.
  • Operators hosted payment and data-leak sites as Tor .onion services to pressure victims; Zscaler ThreatLabz published multiple IOCs including hashes, onion domains, and C2 IPs.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access by “exploiting ProxyShell vulnerabilities, like CVE-2021-34473” and other server flaws.
  • [T1078] Valid Accounts – Initial access via “compromised RDP and VPN accounts” to move into victim networks.
  • [T1543] Create or Modify System Process – NetMonitor establishes persistence “after being installed as a system service” under names like ‘NetAppTcp’ and ‘WazuhWinSrv’.
  • [T1486] Data Encrypted for Impact – The malware encrypts files using “AES in CBC mode with a randomly generated AES key” and protects keys with a 2,048-bit RSA public key.
  • [T1490] Inhibit System Recovery – AvosLocker deletes backups and disables recovery with commands such as “wmic shadowcopy delete /nointeractive” and “bcdedit /set {default} recoveryenabled No”.
  • [T1083] File and Directory Discovery – The ransomware “enumerates all drives (e.g., fixed, removable, and network shares)” to build the encryption target list.
  • [T1070.001] Clear Windows Event Logs – The actor clears logs to hide activity using PowerShell: ‘Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }’.

Indicators of Compromise

  • [File hashes] AvosLocker sample hashes – 1076a979c6a7633ee3a4884d738452c5, 1330887fe501036aff6ed443340e9405, and 18 more hashes.
  • [Onion domains] Payment and leak sites (Tor) – avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion, avos2fuj6olp6x36.onion (payment); avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion, avos53nnmi4u6amh.onion (data leak).
  • [C2 IP addresses] NetMonitor/command servers – 194.213.18.138:443, 146.70.147.17:443, and four additional C2 IPs: 142.44.132.90:443, 45.66.249.80:443, 23.227.198.197:443, 23.236.181.117:443.
  • [NetMonitor hashes] Backdoor binaries – A5485e8f09f6428b42b499bc914532e6, e5dac186720ea10f3752aa30a96d3fc0, and other NetMonitor samples listed.
  • [File names & extensions] Ransom artifacts and encrypted extensions – GET_YOUR_FILES_BACK.txt, README_FOR_RESTORE (ransom note names), and extensions like .avos, .avos2, .avoslinux used for encrypted files.

Affiliates gained initial access through exploited public-facing applications (notably ProxyShell CVEs and a Zoho ManageEngine flaw) or by abusing stolen RDP/VPN credentials. After foothold, actors often deployed NetMonitor as a service to maintain persistence and remote control; NetMonitor uses raw sockets with a custom binary protocol where the payload is RC4-encrypted (8-byte key) and the client attempts C2 contact every ~5 seconds to receive commands such as opening listeners or acting as a reverse proxy.
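The roughly five-second NetMonitor check-in interval described above is a behaviour a defender can key on even when the RC4-encrypted payload is opaque. The following Python is an added example (not code from the Zscaler report or from the malware) that scores constructed flow records for both listed C2 contact and low-jitter periodic connections; the internal addresses, the 198.51.100.20 endpoint and all thresholds are constructed assumptions.

```python
"""Flag NetMonitor-style beaconing in flow records.

Added example, not code from the Zscaler report. The write-up states that the
NetMonitor client attempts C2 contact roughly every 5 seconds over hardcoded
IP:443 pairs; the flow records, hosts and thresholds below are constructed.
"""
from collections import defaultdict
from statistics import median, pstdev

# Two of the C2 addresses listed in the report; the rest of the IOC list would go here.
KNOWN_C2 = {"194.213.18.138", "146.70.147.17"}

# Constructed flow log: (epoch_seconds, src_ip, dst_ip, dst_port).
FLOWS = [
    (1000.0, "10.0.0.5", "194.213.18.138", 443),  # listed C2, ~5 s cadence
    (1005.1, "10.0.0.5", "194.213.18.138", 443),
    (1009.9, "10.0.0.5", "194.213.18.138", 443),
    (1015.0, "10.0.0.5", "194.213.18.138", 443),
    (1020.2, "10.0.0.5", "194.213.18.138", 443),
    (1001.0, "10.0.0.7", "203.0.113.10", 443),    # constructed benign browsing
    (1040.0, "10.0.0.7", "203.0.113.10", 443),
    (1300.0, "10.0.0.7", "203.0.113.10", 443),
    (2000.0, "10.0.0.9", "198.51.100.20", 443),   # unlisted host, same cadence
    (2005.0, "10.0.0.9", "198.51.100.20", 443),
    (2010.0, "10.0.0.9", "198.51.100.20", 443),
    (2015.0, "10.0.0.9", "198.51.100.20", 443),
    (2020.0, "10.0.0.9", "198.51.100.20", 443),
]

def known_c2_contacts(flows):
    """Return the set of internal hosts that talked to a listed C2 address."""
    return {src for _, src, dst, _ in flows if dst in KNOWN_C2}

def beacon_candidates(flows, expected=5.0, tolerance=1.0, max_jitter=0.5, min_hits=4):
    """Return (src, dst, port) tuples whose inter-connection interval clusters near `expected` s."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        # Median near the expected interval and low spread: a timer, not a person.
        if abs(median(deltas) - expected) <= tolerance and pstdev(deltas) <= max_jitter:
            hits.append(pair)
    return hits
```

The IOC match catches only the listed address, while the interval check also flags the unlisted 198.51.100.20 endpoint; the IOC list ages, the cadence does not.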

Before encrypting data, AvosLocker checks for administrative privileges, terminates a broad list of business and database processes (decoded at runtime via stack-based string obfuscation), deletes shadow copies (wmic/vssadmin), disables Windows recovery (bcdedit), and clears event logs via PowerShell to thwart recovery and detection. It then enumerates all drives (local, removable, network), filters out numerous extensions, filenames, and system folders, and encrypts files using multi-threaded AES-CBC; each file’s AES key is encrypted with a 2048-bit RSA public key, Base64-encoded, appended to the ciphertext, and files are renamed with extensions such as .avos2 or .avoslinux.
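The cleanup commands quoted above (shadow-copy deletion, bcdedit recovery disabling, PowerShell event-log clearing) are the last loud signals before encryption starts. The following Python is an added example (not code from the Zscaler report) that matches those command lines against constructed Sysmon-style process-creation records and raises a host-level alert when more than one stage appears on the same host within a short window; the hostnames, timestamps and window are constructed assumptions.

```python
"""Detect the AvosLocker pre-encryption cleanup sequence in process-creation events.

Added example, not code from the Zscaler report. Regexes cover the commands the
write-up quotes (wmic/vssadmin shadow-copy deletion, bcdedit recoveryenabled No,
Clear-EventLog); events, hosts and the correlation window are constructed.
"""
import re
from collections import defaultdict

# Case-insensitive, whitespace-tolerant patterns keyed by the MITRE technique they evidence.
RULES = {
    "T1490 shadow copy deletion": re.compile(r"\b(wmic\s+shadowcopy\s+delete|vssadmin\s+delete\s+shadows)\b", re.I),
    "T1490 recovery disabled": re.compile(r"\bbcdedit\b.*recoveryenabled\s+no\b", re.I),
    "T1070.001 event log clearing": re.compile(r"Clear-EventLog", re.I),
}

# Constructed sample events: (epoch_seconds, host, command_line).
EVENTS = [
    (100, "WS01", "wmic shadowcopy delete /nointeractive"),
    (103, "WS01", "bcdedit /set {default} recoveryenabled No"),
    (110, "WS01", 'powershell -c "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"'),
    (200, "WS02", "bcdedit /enum"),                         # benign: enumerates, does not disable recovery
    (900, "WS03", "vssadmin delete shadows /all /quiet"),   # one stage alone: logged, not alerted
]

def classify(cmdline):
    """Return the list of technique labels whose pattern matches this command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def alert_hosts(events, window=300, min_stages=2):
    """Return {host: sorted stage labels} for hosts showing >= min_stages distinct stages within `window` s."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        for stage in classify(cmd):
            per_host[host].append((ts, stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

A single stage on its own (WS03) is worth logging but is also what a legitimate backup job can look like; the combination within minutes is the AvosLocker pattern.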

Analysis is hampered by ADVObfuscator-based string encoding and multiple command-line flags that tailor runtime behavior (mutex control, network disabling, thread counts). The Linux variant mirrors Windows behavior but adds ESXi VM termination/encryption capability. Observed artifacts include onion payment/leak sites, many sample hashes, NetMonitor binaries and hardcoded C2 IPs—use these IOCs for detection, blocking, and incident response.

Read more: https://www.zscaler.com/blogs/security-research/retrospective-avoslocker