Threat Research

A Retrospective on AvosLocker

ZScaler

Introduction

On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker, which was a sophisticated double extortion Ransomware-as-a-Service (RaaS) group that was last observed being active in May 2023. Our research team put this report together so the security community can learn how to counteract other threats that employ similar tactics and procedures (TTPs). 

The AvosLocker group gained prominence in July 2021 and was known for employing a double extortion strategy where they first stole data before encrypting it. The group would then threaten to release the data on a dedicated leak site unless a ransom was paid. Initially, AvosLocker primarily targeted Windows systems, but they subsequently expanded their reach by creating a Linux version of their ransomware designed to target VMware ESXi.

Key Takeaways

  • AvosLocker was a Ransomware-as-a-Service double extortion group.
  • No new activity has been observed since May 2023.
  • AvosLocker hosted a data leak site from July 2021 to July 2023, where they would add stolen proprietary data unless a ransom was paid.
  • AvosLocker heavily targeted the education sector – accounting for 25% of their attacks. 
  • The United States bore the brunt of most AvosLocker attacks accounting for a whopping 72.2%, with Canada trailing far behind at 9.3%.

Attack Methodologies

Since different affiliates employed distinct intrusion techniques, each threat actor’s deploying AvosLocker approach to gain unauthorized access varied significantly. Affiliates were observed exploiting ProxyShell vulnerabilities, like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, present in the Microsoft Exchange server to obtain initial access. AvosLocker affiliates also infiltrated victims’ networks via compromised RDP and VPN accounts, and exploited the Zoho ManageEngine ServiceDesk Plus vulnerability.

After infiltrating a victim’s network, the ransomware was executed in Windows Safe Mode to maximize the number of files that could be encrypted, since applications such as databases and security software (e.g., antivirus programs) would likely not be running. This technique ensured that these applications would not interfere with file encryption. The ability to encrypt files in Windows Safe Mode is a feature that has been observed in other ransomware families, including Conti, REvil, and BlackMatter.

Infections by Industry

Figure 1, shown below, depicts the industries most affected by AvosLocker as a percentage of total attacks over the past year.

  • AvosLocker focused its attacks on the education sector and received approximately 25% of the group’s total attacks. 
  • Furthermore, AvosLocker impacted the manufacturing and healthcare industry, which accounted for approximately 15.38% and 9.62%, respectively.

Industry verticals targeted by double extortion attacks using AvosLocke

Figure 1: Industry verticals targeted by double extortion attacks using AvosLocker

Countries Targeted by AvosLocker

The U.S. emerged as the hardest-hit country in attacks orchestrated by the AvosLocker group, with more than 72% of attacks as shown in Figure 2. This highlights the scale and severity of the cyberthreat faced by U.S. businesses and institutions. Canadian organizations received 9.3% of AvosLocker’s attacks. China and Taiwan shared a similar level of impact, each experiencing 3.7% of AvosLocker attacks.

Breakdown of victims by country breached by AvosLocker

Figure 2: Breakdown of victims by country breached by AvosLocker

Ransomware Analysis

Since first discovered in 2021, AvosLocker binaries have undergone slight changes and improvements. The following is a detailed analysis of the last variant used in-the-wild.

Command line arguments

AvosLocker implements multiple command line arguments, as shown in Figure 3, allowing for customization of the ransomware execution based on affiliate requirements.

AvosLocker command line arguments

Figure 3: AvosLocker command line arguments

The threat actor decides what functionality to enable/disable during the execution of the AvosLocker ransomware. When executed, the selected options are displayed in the console as shown below.

Build: SonicBoom
b_bruteforce_smb_enable: 0
b_logical_disable: 0
b_network_disable: 1
b_mutex_disable: 0
concurrent_threads_num_max: 200

AvosLocker creates the mutex Zheic0WaWie6zeiy by default to ensure that only one ransomware process is running at a given time, unless the –nomutex command line argument is provided.

Pre-encryption measures

Upon execution, AvosLocker first checks whether it has administrative privileges, and if not, it shows the debug message in the console, The token does not have the specified privilege, and then executes a process termination routine targeting databases, web browsers, and other business applications. The list of processes to be terminated were decoded dynamically using a stack-based string obfuscation algorithm (described later in the report). The process names in Table 1 were terminated.

Table 1: AvosLocker process termination list
encsvc thebat mydesktopqos xfssvccon firefox infopath
winword steam synctime notepad ocomm onenote
mspub thunderbird agntsvc mydesktopservice excel powerpnt
outlook wordpad dbeng50 isqlplussvc sqbcoreservice oracle
ocautoupds dbsnmp msaccess tbirdconfig ocssd sql & visio

Then, AvosLocker performs the following actions:

  • Deletes Windows shadow copies to prevent the recovery of files using the following commands:
wmic shadowcopy delete /nointeractive
vssadmin.exe  Delete Shadows /All /Quiet
  • Disables recovery mode and the edits the boot status policy, which prevents access to Windows Recovery Mode with the following commands:
bcdedit  /set {default} recoveryenabled No
bcdedit  /set {default} bootstatuspolicy ignoreallfailures
  • Deletes the Windows event logs to cover up evidence of malicious activity with the following PowerShell command:
Powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

Encryption process

AvosLocker leverages multiple threads to encrypt the target files on an infected machine. Then it enumerates all drives (e.g., fixed, removable, and network shares) based on the command line arguments. The ransomware then performs a file extension check where the files with the extensions in Table 2 are excluded and not encrypted.

Table 2: AvosLocker extension exclusion list

avos

avoslinux

avos2

avos2j

themepack

nls

diagpkg

msi

lnk

exe

cab

scr

bat

drv

rtp

msp

prf

msc

ico

key

ocx

diagcab

diagcfg

pdb

wpx

theme

mpa

hlp

icns

rom

dll

msstyles

mod

ps1

nomedia

spl

ics

hta

bin

cmd

ani

386

lock

cpl

adv

cur

idx

sys

com

deskthemepack

shs

ldf

icl

msu

In addition, AvosLocker won’t encrypt any files listed in Table 3.

Table 3: Files excluded by AvosLocker

Thumbs.db

ntuser.ini

ntuser.dat.log

ntuser.dat

ntldr

iconcache.db

desktop.ini

config.msi

bootsect.bak

bootfont.bin

boot.ini

autorun.inf

Furthermore, AvosLocker won’t encrypt the directories in Table 4.

Table 4: Folders excluded by AvosLocker

All Users

AppData

boot

bootmgr

Games

Intel

Microsoft.

Program Files/Program Files (x86)

ProgramData

Public

Sophos

System Volume Information

Windows

Windows.old

WinNT

MicrosoftSQL Server

AvosLocker encrypts file content using AES in CBC mode with a randomly generated AES key. The AES symmetric key is then encrypted with a 2,048-bit RSA public key embedded in the ransomware binary. Finally, the RSA data containing the encrypted AES key is Base64 encoded and appended to the end of the encrypted file (see Figure 4). Then, the file extension is changed to .avos2.

AvosLocker encrypted file contents

Figure 4: AvosLocker encrypted file contents

During the encryption phase, the ransomware also prints debug messages to the console that show encryption statistics to the threat actor as shown below.

drive D: took 0.003000 seconds
drive Z: took 0.119000 seconds
drive A: took 1.060000 seconds
drive C: took 19.672000 seconds
Waiting for encryption threads to finish ... [OK]
Encryption Stats
[+] Locked objects: 6313
asym time: clocks 14465
total time: clocks 20648 | 20.648000 seconds

After encryption, AvosLocker drops a ransom note named GET_YOUR_FILES_BACK.txt as shown in Figure 5.

AvosLocker ransom note

Figure 5: AvosLocker ransom note

AvosLocker also changes the Windows desktop wallpaper (shown in Figure 6) to a message similar to the ransom note text file.

AvosLocker ransom note wallpaper

Figure 6: AvosLocker ransom note wallpaper

The victim ID mentioned in the ransom note is hardcoded in the AvosLocker binary and the ransom note’s filename is README_FOR_RESTORE. ThreatLabz also observed AvosLocker using different file extensions such as .avos, .avos2, and .avoslinux, with the latter being used for the Linux variant. The Linux variant is very similar to the Windows version, but also possesses the capability to terminate and encrypt ESXi virtual machines.

Data Leak Site

If a victim decided not to pay a ransom, the group would post stolen data to their data leak site hosted via a Tor hidden service. This tactic was designed to pressure victims to pay a ransom to avoid a loss of sensitive information that may be damaging to the victim organization when publicly disclosed. The AvosLocker data leak site has been down since July 2023 and the payment site went down in August 2023. ThreatLabz observed a total of 60 victims’ data posted on the data leak site as shown in Figure 7.

AvosLocker data leak site

Figure 7: AvosLocker data leak site

Anti-Analysis

All the important strings in AvosLocker ransomware samples are obfuscated using ADVObfuscator,which pushes encoded versions of strings to the stack, and then decodes them at runtime (as shown in Figure 8), using simple but different algorithms and keys.

AvosLocker string obfuscation

Figure 8: AvosLocker string obfuscation

For instance, the string above decodes to: cmd /c wmic shadowcopy delete /nointeractive

NetMonitor Backdoor

AvosLocker leverages NetMonitor, a tool that appears like a legitimate network monitoring utility, but in reality acts as a backdoor for AvosLocker.

NetMonitor establishes persistence after being installed as a system service, using names such as: NetAppTcp, NetAppTcpSvc, WazuhWinSrv, RSM, WinSSP, WebService, etc. Once initiated, NetMonitor tries to contact its C2 server every 5 seconds using a hardcoded IP address and port (usually 443). The malware uses raw sockets and a small binary protocol for all communication, where the encrypted ping packet contains content similar to that shown in Figure 9.

NetMonitor encrypted communication

Figure 9: NetMonitor encrypted communication

The first four bytes are random, and the remaining bytes are an RC4 encrypted payload with an 8 byte key. Figure 10 shows the actual payload content after the decryption.

NetMonitor decrypted communication

Figure 10: NetMonitor decrypted communication

The first four bytes are also random (and identical to the previous four bytes prepended to the encrypted payload) followed by a command. Depending on the command received, NetMonitor then starts listening on a port or acts as a reverse proxy server.

NetMonitor was closely tied to AvosLocker, with the last observed activity occurring in the first half of 2023, and no new samples have been identified since August 2023.

Conclusion

AvosLocker is a ransomware group that was active and performing double extortion attacks until May 2023. The group also targeted multiple operating systems with different ransomware variants. Zscaler ThreatLabz continues to track different ransomware groups and add indicators of compromise to protect our customers. Please read Zscaler’s yearly ransomware report to learn more about the various trends and most significant ransomware groups.

Zscaler Coverage

Cloud Sandbox

Cloud Sandbox Coverage

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to AvosLocker at various levels with the threat names listed below.

Win32.Ransom.Avos

Indicators of Compromise (IOCs)

AvosLocker

 

Hashes

  • 1076a979c6a7633ee3a4884d738452c5
  • 1330887fe501036aff6ed443340e9405
  • d285f1366d0d4fdae0b558db690497ea
  • 76e177a94834b3f7c63257bc8011f60f
  • b27f0f2826bacd329fb28d9cda002d7d
  • 16a5d134d50eeb34989b48dca166462d
  • f9de6998546e9ea169c54527962e1e92
  • 1933f61951738b6fdbfff3fa0f65d712
  • 63e12fa6203dc61fc82343e7dec1b33b
  • 4e75f8dc15a82674c57c4f12dbd78808
  • 8c4bfd216fb8e69f7f1e1f4cb1e3f9a1
  • 0e9432cd9e9405b04f4e46b368585d60
  • 19944159dfa94a1b75effd85e6b906dc
  • 869fc579f45a790b7c485d52cb2c8986
  • 0b3888d8683d3ebb27627452a0179575
  • 194c16941dc618facef7d0c4749a39a7
  • c41c5de8abeb92adaf8a86cf8b31570e
  • f091b9085d35e61945c743e3683b1b71
  • 2d7cf26f4e4dacf637f7ef0b1edfbda5
  • a0a60441609f42f2f79c7826db9ae296

URLs

Payment Sites:

  • avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
  • avos2fuj6olp6x36.onion

Data Leak Sites:

  • avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
  • avos53nnmi4u6amh.onion

NetMonitor

 

Hashes

  • A5485e8f09f6428b42b499bc914532e6
  • e5dac186720ea10f3752aa30a96d3fc0
  • 9ff900a05d75b97948a3b52d8835b21f
  • 15e948c18ea77efb5ffbf0a72d05d348
  • 85e44d1333422e9b550c94ad7b7202a0
  • d59dca267722dfd923350d5b139b1036

C&Cs

  • 194.213.18.138:443
  • 146.70.147.17:443
  • 142.44.132.90:443
  • 45.66.249.80:443
  • 23.227.198.197:443
  • 23.236.181.117:443

Source: https://www.zscaler.com/blogs/security-research/retrospective-avoslocker

Tags: PAYLOAD, LINUX, VULNERABILITY, BACKDOOR, IMPACT, TOOL, PERSISTENCE, LEAK