Threat Advisory: Tracking AvosLocker Ransomware Group
Industry: N/A | Level: Tactical | Source: Cisco Talos
Cisco Talos' latest threat advisory shares research on the AvosLocker ransomware group. The ransomware-as-a-service (RaaS) operation has been active since June 2021; tracked under the user name "Avos" on Russian cybercrime forums, the group is actively recruiting new members. In February 2022, Cisco Talos observed a month-long campaign traced back to as early as February 7th, 2022. The investigation was muddied by a separate threat actor attempting to exploit the same environment for cryptomining. The attack began with exploitation of the Log4Shell vulnerability on an exposed ESXi server. In the days that followed, the attackers used many living-off-the-land binaries (LOLBins), including WMI Provider Host (wmiprvse.exe), to execute an encoded PowerShell command on the compromised host on February 11th. Activity appeared to settle until March 4th, when the attackers began dropping malicious payloads including Mimikatz, Sliver, Cobalt Strike Beacons, AnyDesk, and SoftPerfect Network Scanner. The ransomware was executed on March 8th, 2022 using PDQ Deploy.
- Potential CVE-2021-44228 - Log4Shell
Anvilogic Use Cases:
- Invoke-Expression Command
- Encoded PowerShell Command
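The two use cases above, applied to the wmiprvse.exe-to-PowerShell step the advisory describes, as an added detection example that is not Cisco Talos' or Anvilogic's code: it decodes the -EncodedCommand argument (Base64 of UTF-16LE text) from a normalized process-creation event and flags the WMI Provider Host parent and any Invoke-Expression in the decoded script. The event field names (parent_image, image, command_line) and the sample events are assumptions constructed for the example.

```python
import base64
import re

# -EncodedCommand and every abbreviation PowerShell accepts, capturing the Base64 argument.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|nco|ncod|ncode|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
IEX_PATTERN = re.compile(r"(?i)\b(?:invoke-expression|iex)\b")
# wmiprvse.exe spawning PowerShell is the parent/child pairing seen in the campaign.
SUSPICIOUS_PARENTS = {"wmiprvse.exe"}

def decode_encoded_command(command_line):
    """Return the decoded script if a valid -EncodedCommand is present, else None."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:  # PowerShell expects Base64 over UTF-16LE; reject anything that is not
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate_event(event):
    """Return the list of detection reasons that fire for one process-creation event."""
    reasons = []
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"powershell spawned by {parent}")
    decoded = decode_encoded_command(event["command_line"])
    if decoded is not None:
        reasons.append("encoded powershell command")
        if IEX_PATTERN.search(decoded):
            reasons.append("invoke-expression in decoded command")
    elif IEX_PATTERN.search(event["command_line"]):
        reasons.append("invoke-expression command")
    return reasons

def to_encoded_command(script):
    """Encode text the way -EncodedCommand expects; used only to build sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events (not from the advisory): one WMI-spawned encoded command
# with a harmless payload, and one routine administrative PowerShell invocation.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc "
                     + to_encoded_command("Invoke-Expression 'Write-Output constructed'")},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

def scan(events=SAMPLE_EVENTS):
    """Return (parent_image, reasons) for each event that fired at least one reason."""
    hits = [(e["parent_image"], evaluate_event(e)) for e in events]
    return [(parent, reasons) for parent, reasons in hits if reasons]
```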