ReversingLabs mapped a coordinated campaign that published hundreds of malicious NuGet packages since August, and found actors evolving from PowerShell-based downloaders to abusing NuGetās MSBuild integrations by embedding executable inline tasks in .targets fā¦
Category: Threat Research
McAfee Labs details a stealthy AsyncRAT campaign distributed via a malicious HTML file, leveraging multiple script types to evade detection. The infection chain culminates in RegSvcs.exe process injection, keylogging, credential and browser data theft, and datā¦
Unpacking an Asyncrat loader using Process Hacker and Dnspy
Cyble Research and Intelligence Labs identified a Java RAT named Sayler, detected as a zero-detection JAR on VirusTotal, which targets Polish-speaking users and includes features like keylogging, information theft, screen capture, ransomware, and more, using aā¦
Netskope Threat Labs reports a new DarkGate variant delivered via MSI that uses a loading chain inspired by Cobalt Strike to reach its final payload. The malware employs multiple loaders (DLL side-loading, Delphi, AutoIt) across several stages to deliver DarkGā¦
Researchers intercepted Kinsingās manual testing of the Looney Tunables vulnerability (CVE-2023-4911) as part of its cloud-native intrusion campaign, including attempts to harvest Cloud Service Provider credentials. The activity signals a shift from automated ā¦
Bitsight uncovered Socks5Systemz, a proxy botnet delivered by the PrivateLoader and Amadey loaders, turning infected devices into backconnect proxies and offering a subscription-based service. The operation spans Europe with around 10,000 infected hosts, a logā¦
Blister is a loader that drops payloads and has evolved to support targeted deployments, environmental keying, and obfuscated first-stage loading, with a shift from Cobalt Strike to Mythic agents. The article catalogs 137 unpacked Blister samples over about twā¦
Introduction
On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker, which was a sophisticated double extortion Ransomware-as-a-Service (RaaS) group that was last observed being active in May 2023. Our research team put this report together so the security community can learn how to counteract other threats that employ similar tactics and procedures (TTPs).
The AvosLocker group gained prominence in July 2021 and was known for employing a double extortion strategy where they first stole data before encrypting it. The group would then threaten to release the data on a dedicated leak site unless a ransom was paid. Initially, AvosLocker primarily targeted Windows systems, but they subsequently expanded their reach by creating a Linux version of their ransomware designed to target VMware ESXi.
Key Takeaways
AvosLocker was a Ransomware-as-a-Service double extortion group.
No new activity has been observed since May 2023.
AvosLocker hosted a data leak site from July 2021 to July 2023, where they would add stolen proprietary data unless a ransom was paid.
AvosLocker heavily targeted the education sector ā accounting for 25% of their attacks.
The United States bore the brunt of most AvosLocker attacks accounting for a whopping 72.2%, with Canada trailing far behind at 9.3%.
Attack Methodologies
Since different affiliates employed distinct intrusion techniques, each threat actorās deploying AvosLocker approach to gain unauthorized access varied significantly. Affiliates were observed exploiting ProxyShell vulnerabilities, like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, present in the Microsoft Exchange server to obtain initial access. AvosLocker affiliates also infiltrated victims' networks via compromised RDP and VPN accounts, and exploited the Zoho ManageEngine ServiceDesk Plus vulnerability.
After infiltrating a victimās network, the ransomware was executed in Windows Safe Mode to maximize the number of files that could be encrypted, since applications such as databases and security software (e.g., antivirus programs) would likely not be running. This technique ensured that these applications would not interfere with file encryption. The ability to encrypt files in Windows Safe Mode is a feature that has been observed in other ransomware families, including Conti, REvil, and BlackMatter.
Infections by Industry
Figure 1, shown below, depicts the industries most affected by AvosLocker as a percentage of total attacks over the past year.
AvosLocker focused its attacks on the education sector and received approximately 25% of the groupās total attacks.
Furthermore, AvosLocker impacted the manufacturing and healthcare industry, which accounted for approximately 15.38% and 9.62%, respectively.
Figure 1: Industry verticals targeted by double extortion attacks using AvosLocker
Countries Targeted by AvosLocker
The U.S. emerged as the hardest-hit country in attacks orchestrated by the AvosLocker group, with more than 72% of attacks as shown in Figure 2. This highlights the scale and severity of the cyberthreat faced by U.S. businesses and institutions. Canadian organizations received 9.3% of AvosLockerās attacks. China and Taiwan shared a similar level of impact, each experiencing 3.7% of AvosLocker attacks.
Figure 2: Breakdown of victims by country breached by AvosLocker
Ransomware Analysis
Since first discovered in 2021, AvosLocker binaries have undergone slight changes and improvements. The following is a detailed analysis of the last variant used in-the-wild.
Command line arguments
AvosLocker implements multiple command line arguments, as shown in Figure 3, allowing for customization of the ransomware execution based on affiliate requirements.
Figure 3: AvosLocker command line arguments
The threat actor decides what functionality to enable/disable during the execution of the AvosLocker ransomware. When executed, the selected options are displayed in the console as shown below.
Build: SonicBoom
b_bruteforce_smb_enable: 0
b_logical_disable: 0
b_network_disable: 1
b_mutex_disable: 0
concurrent_threads_num_max: 200
AvosLocker creates the mutex Zheic0WaWie6zeiy by default to ensure that only one ransomware process is running at a given time, unless the –nomutex command line argument is provided.
Pre-encryption measures
Upon execution, AvosLocker first checks whether it has administrative privileges, and if not, it shows the debug message in the console, The token does not have the specified privilege, and then executes a process termination routine targeting databases, web browsers, and other business applications. The list of processes to be terminated were decoded dynamically using a stack-based string obfuscation algorithm (described later in the report). The process names in Table 1 were terminated.
Table 1: AvosLocker process termination list
encsvc
thebat
mydesktopqos
xfssvccon
firefox
infopath
winword
steam
synctime
notepad
ocomm
onenote
mspub
thunderbird
agntsvc
mydesktopservice
excel
powerpnt
outlook
wordpad
dbeng50
isqlplussvc
sqbcoreservice
oracle
ocautoupds
dbsnmp
msaccess
tbirdconfig
ocssd
sql & visio
Then, AvosLocker performs the following actions:
Deletes Windows shadow copies to prevent the recovery of files using the following commands:
wmic shadowcopy delete /nointeractive
vssadmin.exe Delete Shadows /All /Quiet
Disables recovery mode and the edits the boot status policy, which prevents access to Windows Recovery Mode with the following commands:
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
Deletes the Windows event logs to cover up evidence of malicious activity with the following PowerShell command:
Powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
Encryption process
AvosLocker leverages multiple threads to encrypt the target files on an infected machine. Then it enumerates all drives (e.g., fixed, removable, and network shares) based on the command line arguments. The ransomware then performs a file extension check where the files with the extensions in Table 2 are excluded and not encrypted.
Table 2: AvosLocker extension exclusion list
avos
avoslinux
avos2
avos2j
themepack
nls
diagpkg
msi
lnk
exe
cab
scr
bat
drv
rtp
msp
prf
msc
ico
key
ocx
diagcab
diagcfg
pdb
wpx
theme
mpa
hlp
icns
rom
dll
msstyles
mod
ps1
nomedia
spl
ics
hta
bin
cmd
ani
386
lock
cpl
adv
cur
idx
sys
com
deskthemepack
shs
ldf
icl
msu
In addition, AvosLocker wonāt encrypt any files listed in Table 3.
Table 3: Files excluded by AvosLocker
Thumbs.db
ntuser.ini
ntuser.dat.log
ntuser.dat
ntldr
iconcache.db
desktop.ini
config.msi
bootsect.bak
bootfont.bin
boot.ini
autorun.inf
Furthermore, AvosLocker wonāt encrypt the directories in Table 4.
Table 4: Folders excluded by AvosLocker
All Users
AppData
boot
bootmgr
Games
Intel
Microsoft.
Program Files/Program Files (x86)
ProgramData
Public
Sophos
System Volume Information
Windows
Windows.old
WinNT
MicrosoftSQL Server
AvosLocker encrypts file content using AES in CBC mode with a randomly generated AES key. The AES symmetric key is then encrypted with a 2,048-bit RSA public key embedded in the ransomware binary. Finally, the RSA data containing the encrypted AES key is Base64 encoded and appended to the end of the encrypted file (see Figure 4). Then, the file extension is changed to .avos2.
Figure 4: AvosLocker encrypted file contents
During the encryption phase, the ransomware also prints debug messages to the console that show encryption statistics to the threat actor as shown below.
drive D: took 0.003000 seconds
drive Z: took 0.119000 seconds
drive A: took 1.060000 seconds
drive C: took 19.672000 seconds
Waiting for encryption threads to finish … [OK]
Encryption Stats
[+] Locked objects: 6313
asym time: clocks 14465
total time: clocks 20648 | 20.648000 seconds
After encryption, AvosLocker drops a ransom note named GET_YOUR_FILES_BACK.txt as shown in Figure 5.
Figure 5: AvosLocker ransom note
AvosLocker also changes the Windows desktop wallpaper (shown in Figure 6) to a message similar to the ransom note text file.
Figure 6: AvosLocker ransom note wallpaper
The victim ID mentioned in the ransom note is hardcoded in the AvosLocker binary and the ransom noteās filename is README_FOR_RESTORE. ThreatLabz also observed AvosLocker using different file extensions such as .avos, .avos2, and .avoslinux, with the latter being used for the Linux variant. The Linux variant is very similar to the Windows version, but also possesses the capability to terminate and encrypt ESXi virtual machines.
Data Leak Site
If a victim decided not to pay a ransom, the group would post stolen data to their data leak site hosted via a Tor hidden service. This tactic was designed to pressure victims to pay a ransom to avoid a loss of sensitive information that may be damaging to the victim organization when publicly disclosed. The AvosLocker data leak site has been down since July 2023 and the payment site went down in August 2023. ThreatLabz observed a total of 60 victimsā data posted on the data leak site as shown in Figure 7.
Figure 7: AvosLocker data leak site
Anti-Analysis
All the important strings in AvosLocker ransomware samples are obfuscated using ADVObfuscator,which pushes encoded versions of strings to the stack, and then decodes them at runtime (as shown in Figure 8), using simple but different algorithms and keys.
Figure 8: AvosLocker string obfuscation
For instance, the string above decodes to: cmd /c wmic shadowcopy delete /nointeractive
NetMonitor Backdoor
AvosLocker leverages NetMonitor, a tool that appears like a legitimate network monitoring utility, but in reality acts as a backdoor for AvosLocker.
NetMonitor establishes persistence after being installed as a system service, using names such as: NetAppTcp, NetAppTcpSvc, WazuhWinSrv, RSM, WinSSP, WebService, etc. Once initiated, NetMonitor tries to contact its C2 server every 5 seconds using a hardcoded IP address and port (usually 443). The malware uses raw sockets and a small binary protocol for all communication, where the encrypted ping packet contains content similar to that shown in Figure 9.
Figure 9: NetMonitor encrypted communication
The first four bytes are random, and the remaining bytes are an RC4 encrypted payload with an 8 byte key. Figure 10 shows the actual payload content after the decryption.
Figure 10: NetMonitor decrypted communication
The first four bytes are also random (and identical to the previous four bytes prepended to the encrypted payload) followed by a command. Depending on the command received, NetMonitor then starts listening on a port or acts as a reverse proxy server.
NetMonitor was closely tied to AvosLocker, with the last observed activity occurring in the first half of 2023, and no new samples have been identified since August 2023.
Conclusion
AvosLocker is a ransomware group that was active and performing double extortion attacks until May 2023. The group also targeted multiple operating systems with different ransomware variants. Zscaler ThreatLabz continues to track different ransomware groups and add indicators of compromise to protect our customers. Please read Zscalerās yearly ransomware report to learn more about the various trends and most significant ransomware groups.
Zscaler Coverage
Cloud Sandbox
In addition to sandbox detections, Zscalerās multilayered cloud security platform detects indicators related to AvosLocker at various levels with the threat names listed below.
Win32.Ransom.Avos
Indicators of Compromise (IOCs)
AvosLocker
Hashes
1076a979c6a7633ee3a4884d738452c5
1330887fe501036aff6ed443340e9405
d285f1366d0d4fdae0b558db690497ea
76e177a94834b3f7c63257bc8011f60f
b27f0f2826bacd329fb28d9cda002d7d
16a5d134d50eeb34989b48dca166462d
f9de6998546e9ea169c54527962e1e92
1933f61951738b6fdbfff3fa0f65d712
63e12fa6203dc61fc82343e7dec1b33b
4e75f8dc15a82674c57c4f12dbd78808
8c4bfd216fb8e69f7f1e1f4cb1e3f9a1
0e9432cd9e9405b04f4e46b368585d60
19944159dfa94a1b75effd85e6b906dc
869fc579f45a790b7c485d52cb2c8986
0b3888d8683d3ebb27627452a0179575
194c16941dc618facef7d0c4749a39a7
c41c5de8abeb92adaf8a86cf8b31570e
f091b9085d35e61945c743e3683b1b71
2d7cf26f4e4dacf637f7ef0b1edfbda5
a0a60441609f42f2f79c7826db9ae296
URLs
Payment Sites:
avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
avos2fuj6olp6x36.onion
Data Leak Sites:
avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
avos53nnmi4u6amh.onion
NetMonitor
Hashes
A5485e8f09f6428b42b499bc914532e6
e5dac186720ea10f3752aa30a96d3fc0
9ff900a05d75b97948a3b52d8835b21f
15e948c18ea77efb5ffbf0a72d05d348
85e44d1333422e9b550c94ad7b7202a0
d59dca267722dfd923350d5b139b1036
C&Cs
194.213.18.138:443
146.70.147.17:443
142.44.132.90:443
45.66.249.80:443
23.227.198.197:443
23.236.181.117:443
We unveil a Lazarus campaign exploiting security company products and examine its intricate connections with other campaigns
Decoding a Remcos Loader, leveraging regex, python and Cyberchef to identify IOCs.
An Infostealer is being distributed by pairing a legitimate-signed EXE with a malicious DLL in the same directory, exploiting DLL hijacking to trigger the malware when the EXE runs. The threat uses in-memory decryption, DLL injection, and XOR-encrypted C2 commā¦
Unit 42 provides a deep technical analysis of an upgraded Kazuar backdoor variant used by the Pensive Ursa group, highlighting stealth, anti-analysis, and multi-stage capabilities. The report details Kazuarās HTTP and named-pipe C2 communications, extensive 40ā¦
Deep Instinct reports a new MuddyWater spear-phishing campaign targeting Israeli entities, with updated tactics, techniques, and infrastructure, including public hosting on Storyblok and a multi-stage infection chain using a LNK launcher and a signed installerā¦
A pirated installer distributed via the torrent site topsoft.space delivered an AutoIt-based malware (named “autoit stealer”) that deployed RMS, an XMRig miner, disabled defenses, and exfiltrated Telegram session data to a Telegram bot C2. The campaign infecteā¦