mega-menu-burger mega-menu-close

AvosLocker Ransomware Group

By Suleyman Ozarslan, PhD & Picus Labs   August 22, 2022   Ransomware

AvosLocker group started its ransomware attacks and Ransomware-as-a-Service operations in July 2021 and made a name for themselves over time. Different variants of AvosLocker are capable of impacting Windows, Linux, and ESXi machines. Avoslocker RaaS group uses the double extortion method and constantly adds new adversary techniques to their toolset. In recent attack campaigns, AvosLocker threat actors are observed to gain initial access to VMWare Horizon Unified Access Gateways that are vulnerable to the notorious Log4Shell vulnerability.

Metadata

Associated Groups

Aliases - Avos

Associated Country

-

First Seen

July 2021

Target Sectors

Education, Energy, Financial Services, Food and Beverage, Government, Healthcare, Manufacturing, Media, Telecommunications, Transportation, Technology

Target Countries

United States, Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Columbia, Germany, India, Israel, Italy, Philippines, Saudi Arabia, Spain, Syria, Taiwan, Turkey, United Arab Emirates, United Kingdom

Modus Operandi

Business Models

Ransomware-as-a-service (RaaS)

Triple Extortion

Extortion Tactics

File Encryption

Data Leakage

Threaten to Sell Stolen Information

Initial Access Methods

Exploit Public-Facing Application

External Remote Services

Valid Accounts (Stolen Credentials

Impact Methods

Data Encryption

Data Exfiltration

Exploited Applications and Vulnerabilities by AvosLocker

Application

Vulnerability

CVE

CVSS

Microsoft Exchange

Remote Code Execution

CVE-2021-31206

8.0 High

Microsoft Exchange

ProxyShell Security Feature Bypass

CVE-2021-31207

7.2 High

Microsoft Exchange

ProxyShell RCE

CVE-2021-34473

9.8 Critical

Microsoft Exchange

ProxyShell Privilege Escalation

CVE-2021-34523

9.8 Critical

Microsoft Exchange

Remote Code Execution

CVE-2021-26855

9.8 Critical

Zoho ManageEngine ServiceDesk Plus

Authentication Bypass

CVE-2021-40539

9.8 Critical

Apache Log4j

Remote Code Execution

CVE-2021-44228

10 Critical

Apache Log4j

Remote Code Execution

CVE-2021-45046

9 Critical

Apache Log4j

Denial of Service

CVE-2021-45105

5.9 Medium

Apache Log4j

Remote Code Execution

CVE-2021-44832

6.6 Medium

Atlassian Confluence Server and Data Center

Remote Code Execution

CVE-2022-26134

9.8 Critical

Utilized Tools and Malware by AvosLocker

MITRE ATT&CK Tactic

Tools

Execution

Cobalt Strike

Sliver

Defence Evasion

Avast Anti-Rootkit Scanner

aswArPot.sys

Credential Access

Mimikatz 

XenArmor Password Recovery Pro Tool

Discovery

WinLister 

Advanced IP Scanner 

Nmap

Lateral Movement

PDQ Deploy

AnyDesk

Command and Control

AnyDesk 

Pscp.exe

Exflitration

Rclone

Impact

AvosLocker ransomware

  • [1]       K. Arhart, “Cobalt Strike,” Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).

  • [2]     “GitHub - BishopFox/sliver: Adversary Emulation Framework,” GitHub. [Online]. Available: https://github.com/BishopFox/sliver. [Accessed: Jul. 21, 2022]

  • [3] Free Rootkit Scanner & Remover,” Free Rootkit Scanner & Remover. [Online]. Available: https://www.avast.com/c-rootkit-scanner-tool. [Accessed: Jul. 07, 2022]

  • [4] “AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell,” Trend Micro, May 02, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html. [Accessed: Jul. 21, 2022]

  • [5]     “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).

  • [6] “XenArmor All-In-One Password Recovery Pro 2021 Software,” XenArmor |, Jan. 30, 2019. [Online]. Available: https://xenarmor.com/allinone-password-recovery-pro-software/. [Accessed: Jul. 07, 2022]

  • [7] “WinLister v1.22 - display the list of opened windows on your system.” [Online]. Available: https://www.nirsoft.net/utils/winlister.html. [Accessed: Jul. 07, 2022]

  • [8] “Advanced IP Scanner - Download Free Network Scanner.” [Online]. Available: https://www.advanced-ip-scanner.com. [Accessed: Jul. 07, 2022]

  • [9] “Nmap: the Network Mapper - Free Security Scanner.” [Online]. Available: https://nmap.org/. [Accessed: Jul. 07, 2022]

  • [10]     “The Fast Remote Desktop Application –,” AnyDesk. https://anydesk.com/en (accessed Jul. 06, 2022).

  • [11] “PSCP.” [Online]. Available: http://xray.rutgers.edu/~matilsky/documents/pscp.htm. [Accessed: Jul. 07, 2022]

  • [12]     N. Craig-Wood, “Rclone.” https://rclone.org/ (accessed Jul. 06, 2022).

  • [13] F. Fkie, “AvosLocker (Malware Family).” [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker. [Accessed: Jul. 07, 2022]

Subscribe

Keep up to date with latest blog posts