FBI and CISA published a new advisory on AvosLocker ransomware
October 13, 2023
FBI and CISA published a joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with AvosLocker ransomware.
The joint Cybersecurity Advisory (CSA) published by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides known IOCs, TTPs, and detection methods associated with the AvosLocker ransomware variant employed in recent attacks.
The joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort aimed at sharing technical details associated with various ransomware operations.
The AvosLocker ransomware-as-a-service emerged in the threat landscape in September 2021, since January the group expanded its targets by implementing support for encrypting Linux systems, specifically VMware ESXi servers.
AvosLocker operators already advertised in the past a Linux variant, dubbed AvosLinux, of their malware claiming it was able to support Linux and ESXi servers.
This joint CSA updates the advisory published by the US Government on March 17, 2022.
AvosLocker affiliates use legitimate software and open-source remote system administration tools to compromise the victims’ networks.
Some of the open-source tools used by the affiliates include:
- Remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—as backdoor access vectors [T1133].
- Scripts to execute legitimate native Windows tools [T1047], such as PsExec and Nltest.
- Open-source networking tunneling tools [T1572] Ligolo and Chisel.
- Cobalt Strike and Sliver for command and control (C2).
- Lazagne and Mimikatz for harvesting credentials [T1555].
- FileZilla and Rclone for data exfiltration.
- Notepad++, RDP Scanner, and 7zip.
AvosLocker affiliates were observed using custom PowerShell [T1059.001] and batch (.bat) scripts [T1059.003] for lateral movement, privilege escalation, and disabling antivirus software. Threat actors were also observed uploading and use custom webshells to enable network access [T1505.003].
The joint cybersecurity advisory also includes YARA rule for network defenders to detect the activity of the malware.
CISA and the FBI recommend to secure remote access tools by:
- Implementing application controls;
- Strictly limit the use of RDP and other remote desktop services;
- Disable command-line and scripting activities and permissions;
- Restrict the use of PowerShell;
- Update Windows PowerShell or PowerShell Core;
- Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations.
The advisory also recommends organizations exercise, test, and validate their security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.
FBI and CISA recommend testing existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, AvosLocker ransomware)