AvosLocker Infection with Abused Driver

Trend Micro observed a AvosLocker infection chain deployed within the US abusing a legitimate Windows driver for defense evasion and to disable security defenses. Initial access from the attack leveraged a vulnerability in Zoho ManageEngine Service Desk Plus (telemetry didn't identify the exact CVE used) to upload a webshell. Following command and control activity mshta.exe was leveraged to execute the attacker's HTA file spawning a PowerShell script. Discovery activity for system information was executed along with PowerShell downloads of attacker tools including AnyDeskMSI, Mimikatz, Nmap, PDQ deploy, Netscan, and the creation of an administrator account. A legitimate driver, Aswarpot.sys was utilized to disable security products also from a PowerShell script to stop services. Through the attack, the attackers had attempted to copy a number of their tools including Mimikatz and Impacket, however efforts were blocked. NMap was used by the attacker to identify vulnerable Log4j hosts. Lastly, using the deployment tool PDQ, a batch script was launched to multiple hosts on the victim network.