Threat Advisory Tracking Avoslocker Ransomware Group

Industry: N/A | Level: Tactical | Source: Cisco Talos

Cisco Talo’s latest threat advisory, shares research on ransomware group, AvosLocker. The ransomware-as-a-service (RaaS) has been active since June 2021 and tracking the user name "Avos" in Russian cybercrime forums, the group is actively recruiting new members. During the month of February 2022, Cisco Talos observed a month-long campaign; traced to have started as early as February 7th, 2022. Unfortunately, the investigation was muddied with a separate threat actor attempting to exploit the environment for cryptomining. The attack began by exploiting the Log4Shell vulnerability on an exposed ESXi server. In the days following the attackers utilized many living-off-the-land binaries (LoLBins) including the usage of WMI Provider (wmiprvse.exe) to execute an encoded PowerShell command on the compromised host on February 11th. Activity appeared to have settled until March 4th when the attackers began dropping malicious payloads including Minikatz, Silver, Cobalt Strike Beacons, AnyDesk, and a SoftPerfect Network Scanner. The ransomware was executed on March 8th, 2022 using PDQ Deploy.

Anvilogic Scenario:

• Potential CVE-2021-44228 - Log4Shell

Anvilogic Use Cases:

• Invoke-Expression Command
• Encoded Powershell Command
• Mimikatz