Mon, Dec 5, 2022

AvosLocker Ransomware Update: Backup Targeting and Defense Evasion Techniques

Proactive Key Takeaways

  • Kroll has identified new tactics targeting backup systems being used by threat actors associated with the distribution of AvosLocker ransomware.
  • In these instances, Kroll has observed actors attempting to leverage vulnerabilities within Veeam Backup and Replication software (CVE-2022-26500 and CVE-2022-26501) for possible data exfiltration, likely in an attempt to evade detection by making the traffic appear to be legitimate backup activity.
  • In the cases Kroll observed, actors gained initial access by exploiting a vulnerability in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) and used tools such as an obfuscated Cobalt Strike loader and the Chisel tunnelling proxy to hide their activity while on the system.

Summary

Kroll analysts have identified new tactics used by threat actors associated with the AvosLocker ransomware. Critical vulnerabilities within Veeam Backup and Replication have been exploited, which may be an attempt to hide activity from detection technologies. The proxy tool "Chisel" has been identified; it tunnels encrypted traffic out through a victim's firewall and could be used as a further evasion technique. Kroll has also identified increased obfuscation within a Cobalt Strike loader, showing additional sophistication in the threat actor's toolset compared to other groups and actors.

AvosLocker is operated as part of the ransomware-as-a-service model and utilizes a double extortion technique: victims' data is held to ransom through encryption and the victims are additionally threatened with exposure of that data online. The ransomware encrypts files and appends the ".avos", ".avos2" or ".avoslinux" extension to affected files. The associated ransom note is commonly named "GET_YOUR_FILES_BACK.txt" and contains a unique key that the victim is instructed to submit to the threat actor on their Tor shaming site. The specific vulnerabilities exploited in these new tactics are CVE-2022-26500 and CVE-2022-26501 in Veeam Backup and Replication, which appear to have been used to exfiltrate data and to download threat actor tooling.

Tactics, Techniques and Procedures (TTPs)

Below is a specific instance where Kroll identified AvosLocker during a ransomware attack. The incident has been mapped to the MITRE ATT&CK framework; the full mapping is tabulated at the end of this section.


Initial Exploit

Kroll has identified that the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 was exploited to gain an initial foothold within the environment. The threat actor utilized the vulnerability within ManageEngine to create a webshell named “help.jsp”. The webshell was created by a dropped Java Archive (.jar) named “stop.jar” that attempted to inject into “calc.exe” before creating “help.jsp” via encoded PowerShell scripts.


Figure 1 - Stop.jar Functions Detailing Encoded PowerShell Commands to Create the Webshell

This webshell is remarkably similar to a publicly available webshell named “cat.jsp”. It appears that the threat actor amended the webshell to include command execution.


Figure 2 - Command Execution Function of Help.jsp

The webshell was then utilized to conduct initial discovery by running commands such as "whoami" and "net user /domain" before placing two other webshells named "test.jsp" and "wg.jsp" on the server. The webshells "test.jsp" and "wg.jsp" appear to provide a simple text entry box, likely for executing commands on the server.


Figure 3 - Test.jsp Command Execution Function

MITRE ATT&CK – T1190
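The webshells above share one property that a responder can hunt on: a server-side JSP that reads a request parameter and hands it to Runtime.exec or ProcessBuilder. The following Python is an added example (not Kroll's tooling and not code from the incident) that walks a web application directory, flags JSP files containing command-execution constructs, and compares each file's MD5 against the help.jsp hash listed in the indicators below. The "webapps/adssp" layout, the sample JSP contents and the temporary directory are constructed for illustration.

```python
"""Hunt for JSP web shells dropped under a web application directory.

Added example, not Kroll's tooling. The directory layout, the sample JSP files
and the "adssp" web application name are constructed for illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 of help.jsp from the incident write-up, lower-cased for comparison.
KNOWN_BAD_MD5 = {"775dc9f35bf5057904fb7d6f58795946": "help.jsp (AvosLocker web shell)"}

# Constructs a JSP web shell needs in order to run operating-system commands.
EXEC_PATTERNS = {
    "Runtime.exec": re.compile(r"Runtime\.getRuntime\(\)\s*\.\s*exec\s*\(", re.I),
    "ProcessBuilder": re.compile(r"new\s+ProcessBuilder\s*\(", re.I),
    "shell-interpreter": re.compile(r"(cmd(\.exe)?\s+/c|/bin/(ba)?sh\s+-c)", re.I),
    "encoded-powershell": re.compile(r"powershell(\.exe)?[^\n]*-(e|enc|encodedcommand)\b", re.I),
}
# Request-parameter reads are only interesting in combination with execution.
PARAM_RE = re.compile(r"request\.getParameter\s*\(", re.I)


def md5_file(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(text: str) -> list:
    """Return the names of command-execution patterns present in a JSP source."""
    hits = [name for name, rx in EXEC_PATTERNS.items() if rx.search(text)]
    if hits and PARAM_RE.search(text):
        hits.append("parameter-driven")  # the command comes from the HTTP request
    return hits


def hunt(root) -> list:
    """Scan every .jsp under root; report files with exec constructs or a known-bad hash."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.jsp")):
        text = path.read_text(errors="replace")
        digest = md5_file(path)
        hits = classify(text)
        known = KNOWN_BAD_MD5.get(digest)
        if hits or known:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "md5": digest,
                "hits": hits,
                "known_ioc": known,
                "modified": path.stat().st_mtime,  # triage newest files first
            })
    return findings


def build_sample_tree() -> str:
    """Create a constructed ManageEngine-like webapps tree: one benign page, two shells."""
    root = Path(tempfile.mkdtemp(prefix="webshell-hunt-"))
    app = root / "webapps" / "adssp"  # assumed ADSelfService Plus web application name
    app.mkdir(parents=True)
    (app / "index.jsp").write_text(
        "<%@ page language=\"java\" %>\n<html><body>${message}</body></html>\n"
    )
    (app / "help.jsp").write_text(  # constructed stand-in for the help.jsp described above
        "<%@ page import=\"java.io.*\" %>\n"
        "<% String c = request.getParameter(\"cmd\");\n"
        "   if (c != null) { Process p = Runtime.getRuntime().exec(c); /* ... */ } %>\n"
    )
    (app / "test.jsp").write_text(  # constructed stand-in for the text-box shells
        "<form method=post><input name=cmd><input type=submit></form>\n"
        "<% new ProcessBuilder(\"cmd.exe\", \"/c\", request.getParameter(\"cmd\")).start(); %>\n"
    )
    return str(root)


if __name__ == "__main__":
    for finding in hunt(build_sample_tree()):
        print(finding["path"], finding["md5"], finding["hits"], finding["known_ioc"] or "")
```

On a live ManageEngine host, point hunt() at the product's webapps directory and sort the findings by "modified"; a JSP created within the intrusion window that also reads a request parameter is the file to pull first.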

Internal Scouting

The threat actor performed initial discovery after exploiting ManageEngine with "whoami" and "net user /domain". Further reconnaissance was conducted with "Advanced IP Scanner" to identify hosts within the environment; an associated log file detailing the discovered hosts was left on disk.

The actor actively searched for “Advanced IP Scanner” on bing.com before downloading from the tool’s website. The network scanning tool “netscan” was also placed on disk and is often utilized to identify network shares.

MITRE ATT&CK – T1049, T1135

Toolkit Deployment

The threat actor leveraged tooling named "veeam-ds-client", based on a publicly available proof-of-concept for the Veeam Backup and Replication vulnerabilities CVE-2022-26500 and CVE-2022-26501, which provides the capability to pull data out of the Veeam environment.

It is possible to both download and exfiltrate data with these tools (the "veeamdl.exe" and "veeamcp.exe" binaries listed in the indicators below), and it is likely that this was an attempt to leverage the exploits to mask malicious transfers as legitimate Veeam activity.

MITRE ATT&CK – T1211

Defense Evasion

The same incident saw the use of the "Chisel" proxy for encrypted communications between victim devices and the threat actor's infrastructure. Chisel tunnels TCP traffic over HTTP (secured with SSH), which would allow the threat actor to pass traffic out through the victim's firewall and hide their activity, including data exfiltration.

MITRE ATT&CK – T1090.002, T1048

Command and Control

Persistence was also maintained by the installation of “AnyDesk” via the webshell. Kroll has seen the installation of AnyDesk via a download of the official MSI file on multiple AvosLocker cases. AnyDesk in this case received connections from a Tor node at “178.17.170[.]232”.

MITRE ATT&CK – T1219

A Cobalt Strike loader was downloaded from "188.166.119[.]212" via the "help.jsp" webshell. Interestingly, the otherwise standard loader script was obfuscated with long encoded variable names and added comment lines. The standard XOR key of 35 used by the stock Cobalt Strike PowerShell stager was still present; the obfuscation is further evidence of tool development and a likely attempt to change the hash of the script by using different variable names and comments.


Figure 4 – First stage Cobalt Strike loader. Note the obfuscated variable


Figure 5 – Second stage Cobalt Strike loader. Note the obfuscated variables and comment lines

The use of the vulnerabilities, Chisel, AnyDesk and obfuscated Cobalt Strike could indicate a development in tactics to evade security tooling such as endpoint detection and response and intrusion detection systems.

MITRE ATT&CK – T1573
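Because the actor changed only cosmetic parts of the loader, the two-stage structure can still be unpacked mechanically: the encoded command is UTF-16LE base64, stage one carries a base64 gzip blob that is inflated and invoked, and stage two holds a base64 byte array that is XORed with the key in the "-bxor" loop. The following Python is an added example (not Kroll's code and not the actor's loader) that performs that unpacking and lists the long variable names; it runs against a constructed sample built in the same function, with placeholder bytes standing in for the stager shellcode.

```python
"""Unpack a two-stage Cobalt Strike style PowerShell loader and recover the XORed payload.

Added example, not Kroll's tooling. build_sample_command_line() constructs a
stand-in loader with placeholder shellcode bytes; nothing here is taken from
the incident.
"""
import base64
import gzip
import re

ENC_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
B64_ARG_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
XOR_RE = re.compile(r"-bxor\s+(\d+)")
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Placeholder bytes; real stagers start with a prologue, not this marker text.
SAMPLE_SHELLCODE = b"\xfc\x48\x83\xe4\xf0" + b"CONSTRUCTED-STAGER-BYTES-NOT-REAL"


def decode_encoded_command(cmdline: str) -> str:
    """-EncodedCommand carries base64 of a UTF-16LE script."""
    m = ENC_CMD_RE.search(cmdline)
    if not m:
        raise ValueError("no -encodedcommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def inflate_stage2(stage1: str) -> str:
    """Stage 1 inflates a base64 gzip blob and passes it to IEX."""
    m = B64_ARG_RE.search(stage1)
    if not m:
        raise ValueError("stage 1 does not carry a base64 blob")
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8")


def recover_shellcode(stage2: str):
    """Stage 2 holds a base64 byte array that is XORed with the key in the -bxor loop."""
    key_m = XOR_RE.search(stage2)
    blob_m = B64_ARG_RE.search(stage2)
    if not key_m or not blob_m:
        raise ValueError("stage 2 lacks the expected XOR loop or byte array")
    key = int(key_m.group(1)) & 0xFF
    return key, bytes(b ^ key for b in base64.b64decode(blob_m.group(1)))


def analyze(cmdline: str) -> dict:
    stage1 = decode_encoded_command(cmdline)
    stage2 = inflate_stage2(stage1)
    key, shellcode = recover_shellcode(stage2)
    long_vars = sorted({v for v in VAR_RE.findall(stage2) if len(v) >= 12})
    return {"xor_key": key, "shellcode": shellcode,
            "long_variable_names": long_vars, "stage2": stage2}


def build_sample_command_line() -> str:
    """Construct a loader in the stock layout, with renamed variables and a filler comment."""
    xored = bytes(b ^ 35 for b in SAMPLE_SHELLCODE)
    stage2 = (
        "Set-StrictMode -Version 2\n"
        "# kRzQ9v1LmX2 constructed filler comment that alters the script hash\n"
        "$VAR_q8ZpL2xWm4Tn7Rb = @\"\n[DllImport(\"kernel32.dll\")]\n"
        "public static extern IntPtr VirtualAlloc(IntPtr a, uint b, uint c, uint d);\n\"@\n"
        f"[Byte[]]$var_tY6kP3zQ9mW = [System.Convert]::FromBase64String('{base64.b64encode(xored).decode()}')\n"
        "for ($x = 0; $x -lt $var_tY6kP3zQ9mW.Count; $x++) {\n"
        "    $var_tY6kP3zQ9mW[$x] = $var_tY6kP3zQ9mW[$x] -bxor 35\n"
        "}\n"
    )
    gz_b64 = base64.b64encode(gzip.compress(stage2.encode())).decode()
    stage1 = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("' + gz_b64 + '"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    )
    enc = base64.b64encode(stage1.encode("utf-16-le")).decode()
    return f"powershell -nop -w hidden -encodedcommand {enc}"


if __name__ == "__main__":
    result = analyze(build_sample_command_line())
    print("XOR key:", result["xor_key"])
    print("long variable names:", result["long_variable_names"])
    print("payload starts with:", result["shellcode"][:8].hex())
```

The point of extracting the key from the loop rather than assuming 35 is that an actor who renames variables can just as easily change the constant; the recovered bytes, not the script hash, are what should be matched against stager signatures.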

Escalation

The threat actor leveraged the system-level privileges of the webshell, inherited from the exploited ManageEngine service, to create a local administrator account. Once the account was added, the threat actor worked on obtaining domain administrator privileges. Several "net" commands were executed before a backup service account with domain administrator privileges was identified; unfortunately, the victim environment had plaintext password storage enabled, so the account's credentials were obtained by the threat actor and used to move across the network.

MITRE ATT&CK – T1068, T1078

Lateral Movement

Kroll identified the threat actor leveraging both the remote desktop protocol (RDP) and the remote management tool AnyDesk to move laterally and to deploy tooling with the obtained domain account.

MITRE ATT&CK – T1219, T1021

Mission Execution

The threat actor was detected before they were able to execute the ransomware, but, interestingly, they had begun to delete Veeam backups using the legitimate Veeam backup tool. The actor was attributed to AvosLocker on the basis of matching infrastructure and initial access techniques observed on other Kroll cases. It is highly likely that the threat actor was in the latter stages of their mission and preparing to encrypt devices by removing backups. It is also likely that the actor would have attempted to identify and exfiltrate sensitive data before encrypting devices had they not been interrupted. Previous AvosLocker cases examined by Kroll have highlighted the binary creation method used in AvosLocker encryption.

Typically, a text file and a PowerShell script are placed on disk. The script is often called "AVO.ps1" and the text file "3.txt". "AVO.ps1" reconstructs the "AVO.exe" AvosLocker binary from the encoded contents of the text file.

MITRE ATT&CK – T1486, T1490

MITRE ATT&CK Mapping

Tactic                       Technique   Procedure
TA0001 Initial Access        T1190       AvosLocker threat actors exploited ManageEngine ADSelfService Plus
TA0007 Discovery             T1049       AvosLocker threat actors used whoami and net user to conduct initial internal scouting
TA0007 Discovery             T1135       AvosLocker attempted to enumerate network shares
TA0005 Defense Evasion       T1211       AvosLocker attempted to hide activity by exploiting vulnerabilities within Veeam
TA0011 Command and Control   T1090.002   AvosLocker used the Chisel proxy to tunnel traffic
TA0010 Exfiltration          T1048       AvosLocker attempted to exfiltrate data through the Chisel tunnel and the Veeam tooling
TA0011 Command and Control   T1219       AvosLocker used AnyDesk to maintain persistence and command and control
TA0011 Command and Control   T1573       AvosLocker encrypted command and control traffic using Chisel
TA0004 Privilege Escalation  T1068       AvosLocker used the privileges of the webshell to create a local administrator account
TA0004 Privilege Escalation  T1078       AvosLocker identified a valid domain administrator account and switched to it
TA0008 Lateral Movement      T1021       AvosLocker used RDP and AnyDesk to move laterally
TA0040 Impact                T1486       AvosLocker encrypts data (not reached in this incident)
TA0040 Impact                T1490       AvosLocker deleted backups

Recommendations

Recommendation: Patch and update ManageEngine ADSelfService Plus and Veeam Backup & Replication.
Observation: The ManageEngine service was compromised and allowed remote code execution. The threat actor attempted to hide activity by utilizing the Veeam Backup and Replication service.

Recommendation: Disable plaintext password storage.
Observation: The threat actor was able to access credentials that were stored in plaintext.

Recommendation: Monitor PowerShell execution. Ensure PowerShell is logged and create detections for encoded script execution.
Observation: The threat actor utilized PowerShell execution.

Recommendation: Audit user, administrator and service accounts. Ensure accounts have the correct access and privileges, and implement the principle of least privilege.
Observation: The exploitation allowed the threat actor to operate with a highly privileged account which could add extra administrator accounts.

Recommendation: Implement multifactor authentication. Multifactor authentication can restrict access to sensitive areas and can prevent lateral movement.
Observation: The threat actor was able to access all areas of the network. Implementing multifactor authentication would assist with limiting lateral movement and access to sensitive areas.

Recommendation: Review backup strategies. Ensure multiple backups are taken and at least one backup is isolated from the network.
Observation: The threat actor deleted backups that were attached to the network.
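The Escalation section and the PowerShell recommendation above describe three events that leave a clear trail in the Windows Security log when command-line auditing is on: a web server process spawning a shell, an encoded PowerShell command, and a freshly created account being added to Administrators. The following Python is an added example (not Kroll's detection content) that applies those checks to a constructed batch of events shaped like 4688, 4720 and 4732 records. The ManageEngine java.exe path, the process-name lists, the ten-minute correlation window and the sample account name are assumptions; in a real 4732 the member is logged as a SID and must be resolved to a name before the comparison.

```python
"""Detect webshell-driven shells, encoded PowerShell and new local admins in Security events.

Added example, not Kroll's detection content. SAMPLE_EVENTS are constructed to
resemble Windows Security log fields; they are not logs from the incident.
"""
import base64
import re
from datetime import datetime, timedelta

WEB_SERVER_PROCESSES = ("java.exe", "w3wp.exe", "httpd.exe", "nginx.exe")  # assumed list
SHELL_PROCESSES = ("cmd.exe", "powershell.exe", "pwsh.exe")
ENC_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
NET_USER_ADD_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
NET_ADMIN_ADD_RE = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
ADMIN_WINDOW = timedelta(minutes=10)  # assumed: 4720 followed by 4732 within this window

ENC_SAMPLE = base64.b64encode("net user /domain".encode("utf-16-le")).decode()
ME_JAVA = r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe"  # assumed install path

# Constructed events (4688 process creation, 4720 account created, 4732 member added).
SAMPLE_EVENTS = [
    {"id": 4688, "time": "2022-11-01T10:00:00", "user": "SYSTEM", "parent": ME_JAVA,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 4688, "time": "2022-11-01T10:00:05", "user": "SYSTEM", "parent": ME_JAVA,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC_SAMPLE}"},
    {"id": 4688, "time": "2022-11-01T10:02:00", "user": "SYSTEM", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user backupsvc2 Passw0rd123 /add"},
    {"id": 4720, "time": "2022-11-01T10:02:01", "user": "SYSTEM", "target": "backupsvc2"},
    {"id": 4688, "time": "2022-11-01T10:02:10", "user": "SYSTEM", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators backupsvc2 /add"},
    {"id": 4732, "time": "2022-11-01T10:02:11", "user": "SYSTEM", "target": "backupsvc2", "group": "Administrators"},
    {"id": 4688, "time": "2022-11-01T10:30:00", "user": "jsmith", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},  # benign
]


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded(cmdline: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return None


def _alert(rule, ev, detail):
    return {"rule": rule, "time": ev["time"], "user": ev.get("user"), "detail": detail}


def detect(events) -> list:
    alerts, created = [], {}  # created: account name -> time of its 4720
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4688:
            parent, image, cmd = _name(ev["parent"]), _name(ev["image"]), ev.get("cmdline", "")
            if parent in WEB_SERVER_PROCESSES and image in SHELL_PROCESSES:
                alerts.append(_alert("web_server_spawned_shell", ev, f"{parent} -> {image}: {cmd}"))
            decoded = decode_encoded(cmd)
            if decoded is not None:
                alerts.append(_alert("encoded_powershell", ev, decoded))
            m = NET_USER_ADD_RE.search(cmd)
            if m:
                alerts.append(_alert("net_user_add", ev, m.group(1)))
            m = NET_ADMIN_ADD_RE.search(cmd)
            if m:
                alerts.append(_alert("net_localgroup_admin_add", ev, m.group(1)))
        elif ev["id"] == 4720:
            created[ev["target"].lower()] = when
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            born = created.get(ev["target"].lower())
            if born is not None and when - born <= ADMIN_WINDOW:
                alerts.append(_alert("new_local_admin", ev,
                                     f"{ev['target']} created at {born.isoformat()} then added to Administrators"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["time"], a["rule"], a["user"], a["detail"])
```

The web-server-to-shell rule is the one that fires first in this chain and needs no signature for the webshell itself; the account-creation correlation is what distinguishes an operator adding a backdoor administrator from routine helpdesk activity.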

Indicators of Compromise

The following files and hashes have been identified for the incident. Hashes are MD5 unless noted.

File Name     Comment                                Hash
scanner.exe   Netscan                                e0e0e26fb4a78c1d2e0479d073a7cc13
veeamcp.exe   Veeam copy tool                        6a93af683d14d726c7b4f2e80601f711
veeamdl.exe   Veeam download tool                    5dc568b8e4f111b84baaf9018a82c56d
chisel.dll    Chisel proxy                           9f07042085f8e127dab3d003fe04d002b8ad8340 (40 hex characters, i.e. a SHA-1, not an MD5)
Stop.jar      Java Archive used to create webshells  ce442bbade3a3c482c2d288d177b6589
help.jsp      Webshell                               775dc9f35bf5057904fb7d6f58795946
3.txt         AvosLocker binary in encoded text form 7a15c01fa77f79120e2918618fcba5b3
AVO.ps1       AvosLocker binary encoder script       022532c575fa9f8157e920bd2d34f2ec

The following external IP addresses were observed during the incident:

IP Address                    Comment
178.17.170[.]23               Tor node (AnyDesk connections; given as 178.17.170[.]232 in the narrative above, so confirm the last octet before use)
188.166.119[.]212:80/byebye   Cobalt Strike loader download via help.jsp
