Mon, Dec 5, 2022

AvosLocker Ransomware Update: Backup Targeting and Defense Evasion Techniques

Proactive Key Takeaways

  • Kroll has identified new tactics targeting backup systems being used by threat actors associated with the distribution of AvosLocker ransomware.
  • In these instances, Kroll has observed actors attempting to leverage vulnerabilities within Veeam Backup and Replication software (CVE-2022-26500 and CVE-2022-26501) for possible data exfiltration, likely to evade detection by appearing as legitimate activity.
  • In the cases Kroll observed, actors gained initial access by exploiting a vulnerability in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) and used tools such as a Cobalt Strike loader and the Chisel proxy tool to hide their activity while on the system.

Summary

Kroll analysts have identified new tactics used by threat actors associated with the AvosLocker ransomware. Critical vulnerabilities have been exploited within Veeam Backup and Replication, which may be an attempt to hide activity from detection technologies. The proxy tool “Chisel” has been identified, which can encrypt traffic through a victim’s firewall and could be used as a further evasion technique. Kroll has also identified increased obfuscation within a Cobalt Strike loader showing additional sophistication in the threat actor’s toolset compared to other groups and actors.

AvosLocker is operated as part of the ransomware-as-a-service model and utilizes a double extortion technique, where victims are threatened with exposure of their data online as well as having it held to ransom. The ransomware encrypts files and appends the “.avos”, “.avos2” or “.avoslinux” extension to affected files. The associated ransom note is commonly named “GET_YOUR_FILES_BACK.txt” and provides a unique key that can be supplied to the threat actor on their Tor shaming site. The specific vulnerabilities exploited in these new tactics are CVE-2022-26500 and CVE-2022-26501, used in what appears to be an attempt to exfiltrate data and download threat actor tooling through Veeam Backup and Replication.

Tactics, Techniques and Procedures (TTPs)

Below is a specific instance where Kroll identified AvosLocker during a ransomware attack. This incident has been mapped to the MITRE ATT&CK framework (see the mapping table at the end of this article).

Initial Exploit

Kroll has identified that the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 was exploited to gain an initial foothold within the environment. The threat actor utilized the vulnerability within ManageEngine to create a webshell named “help.jsp”. The webshell was created by a dropped Java Archive (.jar) named “stop.jar”, which attempted to inject into “calc.exe” before creating “help.jsp” via encoded PowerShell scripts.

Figure 1 - Stop.jar Functions Detailing Encoded PowerShell Commands to Create the Webshell

This webshell is remarkably similar to a publicly available webshell named “cat.jsp”. It appears that the threat actor amended the webshell to include command execution.

Figure 2 - Command Execution Function of Help.jsp

The webshell was then utilized to conduct initial discovery by running commands such as “whoami” and “net user /domain”, before placing two other webshells named “test.jsp” and “wg.jsp” on the server. The webshells “test.jsp” and “wg.jsp” appear to provide a simple text entry box, likely for executing commands on the server.

Figure 3 - Test.jsp Command Execution Function

MITRE ATT&CK – T1190

Internal Scouting

The threat actor performed initial discovery after exploiting ManageEngine with “whoami” and “net user /domain”; however, further reconnaissance was conducted via “Advanced IP Scanner” to identify hosts within the environment, and an associated log file detailing the discovered hosts was left on disk.

The actor searched for “Advanced IP Scanner” on bing.com before downloading it from the tool’s website. The network scanning tool “netscan” was also placed on disk; it is often utilized to identify network shares.

MITRE ATT&CK – T1049, T1135

Toolkit Deployment

The threat actor leveraged tooling named “veeam-ds-client,” based on a publicly available proof-of-concept for the Veeam Backup and Replication vulnerabilities (CVE-2022-26500 and CVE-2022-26501), which provides the capability to exfiltrate data.

It is possible to both download and exfiltrate data with this tooling, and it is likely that this was an attempt to leverage the exploits to mask malicious activity as legitimate backup traffic.

MITRE ATT&CK – T1211

Defense Evasion

The same incident saw the use of the “Chisel” proxy for encrypted communications between victim devices and the threat actor. The use of Chisel would allow the threat actor to pass traffic through a victim’s firewall and hide their activity, including data exfiltration.

MITRE ATT&CK – T1090.002, T1048

Command and Control

Persistence was also maintained by the installation of “AnyDesk” via the webshell. Kroll has seen the installation of AnyDesk via a download of the official MSI file on multiple AvosLocker cases. AnyDesk in this case received connections from a Tor node at “178.17.170[.]232”.

MITRE ATT&CK – T1219

A Cobalt Strike loader was downloaded from “188.166.119[.]212” via the “help.jsp” webshell. Interestingly, the otherwise standard loader script was obfuscated with long encoded variables. The standard XOR key of 35 was present; however, this obfuscation is further evidence of tool development and a likely attempt to change the hash of the script by creating different variable names and comments.

Figure 4 – First stage Cobalt Strike loader. Note the obfuscated variable

Figure 5 – Second stage Cobalt Strike loader. Note the obfuscated variables and comment lines

The use of the vulnerabilities, Chisel, AnyDesk and obfuscated Cobalt Strike could indicate a development in tactics to evade security tooling such as endpoint detection and response and intrusion detection systems.

MITRE ATT&CK – T1573

Escalation

The threat actor leveraged the system-level privileges gained from the webshell created through the ManageEngine exploit to create a local administrator account. Once the account was added, the threat actor worked on obtaining domain administrator privileges. Several “net” commands were executed before a backup service account with domain administrator privileges was identified; unfortunately, the victim had plaintext passwords enabled. This account was obtained by the threat actor and used to navigate across the network.

MITRE ATT&CK – T1068, T1078

Lateral Movement

Kroll identified the threat actor leveraging both the remote desktop protocol (RDP) and the remote management tool AnyDesk to move laterally and to deploy tooling with the obtained domain account.

MITRE ATT&CK – T1219, T1021

Mission Execution

The threat actor was detected prior to being able to execute the ransomware, but interestingly, they began to delete Veeam backups using the legitimate Veeam backup tool. The actor was identified to be associated with AvosLocker due to matching infrastructure and associated initial access techniques observed on other Kroll cases. It is highly likely that the threat actor was in the latter stages of their mission and preparing to encrypt devices by removing backups. It is also likely that the actor would have attempted to identify and exfiltrate sensitive data before encrypting devices if they had not been interrupted.  Previous AvosLocker cases examined by Kroll have highlighted the binary creation method used in AvosLocker encryption.

Typically, a text file and a PowerShell script are placed on disk. The script is often called “AVO.ps1,” and the text file is named “3.txt”. The “AVO.ps1” script encodes the text file into the “AVO.exe” AvosLocker binary.

MITRE ATT&CK – T1486, T1490

MITRE ATT&CK Mapping

Tactic | Technique | Procedure
TA0001 | T1190 | AvosLocker threat actors exploited ManageEngine ADSelfService
TA0007 | T1049 | AvosLocker threat actors used whoami and net user to conduct initial internal scouting
TA0007 | T1135 | AvosLocker attempted to enumerate network shares
TA0005 | T1211 | AvosLocker attempted to hide activity by exploiting vulnerabilities within Veeam
TA0011 | T1090.002 | AvosLocker used the Chisel proxy to tunnel traffic
TA0010 | T1048 | AvosLocker used the Chisel proxy to tunnel traffic, including data exfiltration
TA0011 | T1219 | AvosLocker used AnyDesk to maintain persistence and command and control
TA0004 | T1068 | AvosLocker utilized the created webshell to create a local administrator account
TA0004 | T1078 | AvosLocker identified valid domain administrator accounts and was able to switch accounts
TA0008 | T1021 | AvosLocker utilized RDP to move laterally
TA0040 | T1486 | AvosLocker encrypted data
TA0040 | T1490 | AvosLocker deleted backups

Recommendations

Recommendation | Observation
Patch and update ManageEngine ADSelfService devices and Veeam Backup & Replication services | The ManageEngine service was compromised and allowed remote code execution. The threat actor attempted to hide activity by utilising the Veeam Backup and Replication service.
Disable plaintext passwords | The threat actor was able to access credentials that were stored in plaintext.
Monitor PowerShell execution: ensure PowerShell is logged and create detections for encoded script execution | The threat actor utilised PowerShell execution.
Audit user, administrator and service accounts: ensure accounts have the correct access and privileges, and implement the principle of least privilege | The exploitation allowed the threat actor to operate with a highly privileged account which could add extra administrator accounts.
Implement multifactor authentication: it can restrict access to sensitive areas and can prevent lateral movement | The threat actor was able to access all areas of the network. Implementing multifactor authentication would assist with limiting lateral movement and access to sensitive areas.
Review backup strategies: ensure multiple backups are taken and at least one backup is isolated from the network | The threat actor deleted backups that were attached to the network.
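The PowerShell monitoring recommendation above asks for detections on encoded script execution, which is how the “help.jsp” webshell was written to disk in this incident. The following is an added example (not Kroll tooling) of that detection logic: it extracts the argument of -EncodedCommand in any spelling PowerShell accepts, decodes the base64/UTF-16LE body, and matches it against indicators drawn from the report (webshell file writes, download cradles, the -bxor 35 loader key, local admin creation). The command lines, the C:\app\webapps path and the $payload variable are constructed for the example.

```python
import base64
import re

# Prefixes PowerShell accepts for -EncodedCommand (-e, -en, -enc, ...) plus the -ec alias.
_ENC_FLAGS = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
_ENC_RE = re.compile(r"(?:^|\s)[-/](?:" + "|".join(_ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]{16,})", re.I)

# Content indicators drawn from behaviours described in the report (webshell drop via
# PowerShell, download cradles, the -bxor 35 loader key, local admin creation).
SUSPICIOUS_PATTERNS = {
    "webshell_write": re.compile(r"(Set-Content|Out-File|WriteAllText).*?\.jsp\b", re.I | re.S),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "inline_exec": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "xor_35_loader": re.compile(r"-bxor\s+35\b", re.I),
    "local_admin_add": re.compile(r"\bnet1?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)", re.I),
}

def extract_encoded(cmdline):
    """Return the base64 argument of -EncodedCommand (any accepted spelling), or None."""
    m = _ENC_RE.search(cmdline)
    return m.group(1) if m else None

def decode_encoded(b64):
    """-EncodedCommand carries base64 over UTF-16LE; return script text or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline):
    """Flag encoded PowerShell and list which indicators its decoded body (or raw line) matches."""
    b64 = extract_encoded(cmdline)
    decoded = decode_encoded(b64) if b64 else None
    body = decoded if decoded is not None else cmdline
    hits = sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(body))
    return {"encoded": b64 is not None, "decoded": decoded, "indicators": hits,
            "alert": b64 is not None and bool(hits)}

def to_encoded_command(script):
    """Builds constructed test input in the same shape as real -EncodedCommand arguments."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample process-creation command lines (not taken from the incident).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -enc " + to_encoded_command(
        "Set-Content -Path 'C:\\app\\webapps\\help.jsp' -Value $payload"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
    "powershell.exe -EncodedCommand " + to_encoded_command("Get-Date | Out-Null"),
]
```

Feed it the CommandLine field of Windows 4688 or Sysmon event 1 records; an encoded command with no indicator hits is still worth logging, since legitimate encoded use is rare in most estates.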

Indicators of Compromise

The following files and hashes have been identified for the incident.

File Name | Comment | MD5 Hash Value
scanner.exe | Netscan | e0e0e26fb4a78c1d2e0479d073a7cc13
veeamcp.exe | Veeam Copy Tool | 6a93af683d14d726c7b4f2e80601f711
veeamdl.exe | Veeam Download | 5dc568b8e4f111b84baaf9018a82c56d
chisel.dll | Chisel Proxy | 9f07042085f8e127dab3d003fe04d002b8ad8340
Stop.jar | Java Archive to create webshells | CE442BBADE3A3C482C2D288D177B6589
help.jsp | Webshell | 775DC9F35BF5057904FB7D6F58795946
3.txt | AvosLocker Binary | 7a15c01fa77f79120e2918618fcba5b3
AVO.ps1 | AvosLocker binary encoder script | 022532c575fa9f8157e920bd2d34f2ec

Note: the chisel.dll value is 40 hexadecimal characters (SHA-1 length) rather than the 32 characters of an MD5 hash, so match it against SHA-1 fields when searching.

The following external IP addresses were observed during the incident:

IP Address | Comment
178.17.170[.]23 | Tor Node
188.166.119[.]212:80/byebye | Cobalt Strike
