.svg)
.svg)
By Suleyman Ozarslan, PhD & Picus Labs August 22, 2022 Ransomware
|
Associated Groups |
Aliases - Avos |
|
Associated Country |
- |
|
First Seen |
July 2021 |
|
Target Sectors |
Education, Energy, Financial Services, Food and Beverage, Government, Healthcare, Manufacturing, Media, Telecommunications, Transportation, Technology |
|
Target Countries |
United States, Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Columbia, Germany, India, Israel, Italy, Philippines, Saudi Arabia, Spain, Syria, Taiwan, Turkey, United Arab Emirates, United Kingdom |
|
Business Models |
Ransomware-as-a-service (RaaS) Triple Extortion |
|
Extortion Tactics |
File Encryption Data Leakage Threaten to Sell Stolen Information |
|
Initial Access Methods |
Exploit Public-Facing Application External Remote Services Valid Accounts (Stolen Credentials |
|
Impact Methods |
Data Encryption Data Exfiltration |
|
Application |
Vulnerability |
CVE |
CVSS |
|
Microsoft Exchange |
Remote Code Execution |
8.0 High |
|
|
Microsoft Exchange |
ProxyShell Security Feature Bypass |
7.2 High |
|
|
Microsoft Exchange |
ProxyShell RCE |
9.8 Critical |
|
|
Microsoft Exchange |
ProxyShell Privilege Escalation |
9.8 Critical |
|
|
Microsoft Exchange |
Remote Code Execution |
9.8 Critical |
|
|
Zoho ManageEngine ServiceDesk Plus |
Authentication Bypass |
9.8 Critical |
|
|
Apache Log4j |
Remote Code Execution |
10 Critical |
|
|
Apache Log4j |
Remote Code Execution |
9 Critical |
|
|
Apache Log4j |
Denial of Service |
5.9 Medium |
|
|
Apache Log4j |
Remote Code Execution |
6.6 Medium |
|
|
Atlassian Confluence Server and Data Center |
Remote Code Execution |
9.8 Critical |
|
MITRE ATT&CK Tactic |
Tools |
|
Execution |
Cobalt Strike Sliver |
|
Defence Evasion |
Avast Anti-Rootkit Scanner aswArPot.sys |
|
Credential Access |
Mimikatz XenArmor Password Recovery Pro Tool |
|
Discovery |
WinLister Advanced IP Scanner Nmap |
|
Lateral Movement |
PDQ Deploy AnyDesk |
|
Command and Control |
AnyDesk Pscp.exe |
|
Exflitration |
Rclone |
|
Impact |
AvosLocker ransomware |
-
[1] K. Arhart, “Cobalt Strike,” Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).
-
[2] “GitHub - BishopFox/sliver: Adversary Emulation Framework,” GitHub. [Online]. Available: https://github.com/BishopFox/sliver. [Accessed: Jul. 21, 2022]
-
[3] Free Rootkit Scanner & Remover,” Free Rootkit Scanner & Remover. [Online]. Available: https://www.avast.com/c-rootkit-scanner-tool. [Accessed: Jul. 07, 2022]
-
[4] “AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell,” Trend Micro, May 02, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html. [Accessed: Jul. 21, 2022]
-
[5] “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).
-
[6] “XenArmor All-In-One Password Recovery Pro 2021 Software,” XenArmor |, Jan. 30, 2019. [Online]. Available: https://xenarmor.com/allinone-password-recovery-pro-software/. [Accessed: Jul. 07, 2022]
-
[7] “WinLister v1.22 - display the list of opened windows on your system.” [Online]. Available: https://www.nirsoft.net/utils/winlister.html. [Accessed: Jul. 07, 2022]
-
[8] “Advanced IP Scanner - Download Free Network Scanner.” [Online]. Available: https://www.advanced-ip-scanner.com. [Accessed: Jul. 07, 2022]
-
[9] “Nmap: the Network Mapper - Free Security Scanner.” [Online]. Available: https://nmap.org/. [Accessed: Jul. 07, 2022]
-
[10] “The Fast Remote Desktop Application –,” AnyDesk. https://anydesk.com/en (accessed Jul. 06, 2022).
-
[11] “PSCP.” [Online]. Available: http://xray.rutgers.edu/~matilsky/documents/pscp.htm. [Accessed: Jul. 07, 2022]
-
[12] N. Craig-Wood, “Rclone.” https://rclone.org/ (accessed Jul. 06, 2022).
-
[13] F. Fkie, “AvosLocker (Malware Family).” [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker. [Accessed: Jul. 07, 2022]
Share this article:
