Mon, Dec 5, 2022
Kroll analysts have identified new tactics used by threat actors associated with the AvosLocker ransomware. Critical vulnerabilities have been exploited within Veeam Backup and Replication, which may be an attempt to hide activity from detection technologies. The proxy tool “Chisel” has been identified, which can encrypt traffic through a victim’s firewall and could be used as a further evasion technique. Kroll has also identified increased obfuscation within a Cobalt Strike loader showing additional sophistication in the threat actor’s toolset compared to other groups and actors.
AvosLocker is operated as part of the ransomware-as-a-service model and utilizes a double extortion technique, where victims are threatened with exposure of their data online in addition to the data being held to ransom. The ransomware encrypts files and appends the “.avos”, “.avos2” or “.avoslinux” extension to affected files. The associated ransom note is commonly named “GET_YOUR_FILES_BACK.txt” and contains a unique key that the victim submits to the threat actor on their Tor shaming site. The specific vulnerabilities exploited in these new tactics are CVE-2022-26500 and CVE-2022-26501, which appear to have been used to exfiltrate data and download threat actor tooling by exploiting Veeam Backup and Replication.
Below is a specific instance where Kroll identified AvosLocker during a ransomware attack. This incident has been mapped to the MITRE ATT&CK framework:
Kroll has identified that the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 was exploited to gain an initial foothold within the environment. The threat actor utilized the vulnerability within ManageEngine to create a webshell named “help.jsp”. The webshell was created by a dropped Java Archive (.jar) named “stop.jar” that attempted to inject into “calc.exe” before creating “help.jsp” via encoded PowerShell scripts.
Figure 1 - Stop.jar Functions Detailing Encoded PowerShell Commands to Create the Webshell
This webshell is remarkably similar to a publicly available webshell named “cat.jsp”. It appears that the threat actor amended the webshell to include command execution.
Figure 2 - Command Execution Function of Help.jsp
The webshell was then utilized to conduct initial discovery by running commands such as “whoami” and “net user /domain” before placing two other webshells named “test.jsp” and “wg.jsp” on the server. The webshells “test.jsp” and “wg.jsp” appear to provide a simple text entry box, likely for executing commands on the server.
Figure 3 - Test.jsp Command Execution Function
MITRE ATT&CK – T1190
The threat actor performed initial discovery after exploiting ManageEngine with “whoami” and “net user /domain”; however, further reconnaissance was conducted via “Advanced IP Scanner” to identify hosts within the environment, and an associated log file detailing the discovered hosts was left on disk.
The actor actively searched for “Advanced IP Scanner” on bing.com before downloading from the tool’s website. The network scanning tool “netscan” was also placed on disk and is often utilized to identify network shares.
MITRE ATT&CK – T1049, T1135
The threat actor leveraged a tool named “veeam-ds-client,” based on a publicly available proof-of-concept for the Veeam Backup and Replication vulnerabilities (CVE-2022-26500 and CVE-2022-26501), which provides the capability to exfiltrate data.
It is possible to both download and exfiltrate data with these tools, and it is likely that this was an attempt to leverage exploits to mask malicious activity.
MITRE ATT&CK – T1211
The same incident saw the use of the “Chisel” proxy for encrypted communications between victim devices and the threat actor. The use of Chisel would allow the threat actor to pass traffic through a victim’s firewall and hide their activity, including data exfiltration.
MITRE ATT&CK – T1090.002, T1048
Persistence was also maintained by the installation of “AnyDesk” via the webshell. Kroll has seen the installation of AnyDesk via a download of the official MSI file on multiple AvosLocker cases. AnyDesk in this case received connections from a Tor node at “178.17.170[.]232”.
MITRE ATT&CK – T1219
A “CobaltStrike” loader was downloaded from “188.166.119[.]212” via the “help.jsp” webshell. Interestingly, the otherwise standard loader script was obfuscated with long encoded variables. The standard XOR key of 35 was present; however, this obfuscation highlights further evidence of tool development and a likely attempt to change the hash of the script by creating different variable names and comments.
Figure 4 – First stage Cobalt Strike loader. Note the obfuscated variable
Figure 5 – Second stage Cobalt Strike loader. Note the obfuscated variables and comment lines
The use of the vulnerabilities, Chisel, AnyDesk and obfuscated Cobalt Strike could indicate a development in tactics to evade security tooling such as endpoint detection and response and intrusion detection systems.
MITRE ATT&CK – T1573
The threat actor leveraged the system-level privileges gained through the webshell created by the ManageEngine exploit to create a local administrator account. Once the account was added, the threat actor worked on obtaining domain administrator privileges. Several “net” commands were executed before a backup service account with domain administrator privileges was identified; unfortunately, the victim had plaintext passwords enabled. This account was obtained by the threat actor and used to navigate across the network.
MITRE ATT&CK – T1068, T1078
Kroll identified the threat actor leveraging both the remote desktop protocol (RDP) and the remote management tool AnyDesk to move laterally and to deploy tooling with the obtained domain account.
MITRE ATT&CK – T1219, T1021
The threat actor was detected prior to being able to execute the ransomware, but interestingly, they began to delete Veeam backups using the legitimate Veeam backup tool. The actor was identified to be associated with AvosLocker due to matching infrastructure and associated initial access techniques observed on other Kroll cases. It is highly likely that the threat actor was in the latter stages of their mission and preparing to encrypt devices by removing backups. It is also likely that the actor would have attempted to identify and exfiltrate sensitive data before encrypting devices if they had not been interrupted. Previous AvosLocker cases examined by Kroll have highlighted the binary creation method used in AvosLocker encryption.
Typically, a text file and a PowerShell script are placed on disk. The script is often called “AVO.ps1,” and the text file is named “3.txt”. The “AVO.ps1” script encodes the text file into the “AVO.exe” AvosLocker binary.
MITRE ATT&CK – T1486, T1490
Tactic | Technique | Procedure |
---|---|---|
TA0001 | T1190 | AvosLocker threat actors exploited ManageEngine ADSelfService |
 | T1021 | AvosLocker utilized RDP to move laterally |
 | T1486 | AvosLocker encrypted data |
 | T1490 | AvosLocker deleted backups |
TA0007 | T1049 | AvosLocker threat actors used whoami and net user to conduct initial internal scouting |
TA0005 | T1135 | AvosLocker attempted to enumerate network shares |
TA0011 | T1211 | AvosLocker attempted to hide activity by exploiting vulnerabilities within Veeam |
TA0010 | T1090.002 | AvosLocker used the Chisel Proxy to tunnel traffic |
TA0011 | T1048 | |
TA0004 | T1219 | AvosLocker used AnyDesk to maintain persistence and command and control |
TA0008 | T1068 | AvosLocker utilized the created webshell to create a local administrator account |
TA0040 | T1078 | AvosLocker identified valid domain administrator accounts and were able to switch accounts |
Recommendation | Observation |
---|---|
Patch and update ManageEngine ADSelfService devices and Veeam Backup & Replication services | The ManageEngine service was compromised and allowed remote code execution. The threat actor attempted to hide activity by utilising the Veeam Backup and Replication service. |
Disable plaintext passwords | The threat actor was able to access credentials that were stored in plaintext. |
Monitor PowerShell execution: ensure PowerShell is logged and create detections for encoded script execution | The threat actor utilised PowerShell execution. |
Audit user, administrator and service accounts: ensure accounts have the correct access and privileges and implement the principle of least privilege | The exploitation allowed the threat actor to operate with a highly privileged account which could add extra administrator accounts. |
Implement multifactor authentication: multifactor authentication can restrict access to sensitive areas and can prevent lateral movement | The threat actor was able to access all areas of the network. Implementing multifactor authentication would assist with limiting lateral movement and access to sensitive areas. |
Review backup strategies: ensure multiple backups are taken and at least one backup is isolated from the network | The threat actor deleted backups that were attached to the network. |
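The “stop.jar” dropper described above created its webshell through encoded PowerShell, and the recommendation table asks for detections on encoded script execution. The following is an added example (not Kroll’s tooling and not from the incident) of what such a detection can do with a process-creation command line: recognise -EncodedCommand and its abbreviations, decode the UTF-16LE base64 payload so an analyst sees the real script, and flag indicators such as a write to a .jsp file. The log format and the indicator list are assumptions for the example, and the sample lines are constructed.

```python
import base64
import re

# -EncodedCommand and its documented abbreviations (-e, -ec, -enc) followed by base64.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]+=*)")
# Assumed indicators worth surfacing once the script is readable.
DECODED_INDICATORS = {
    "writes_web_script": re.compile(r"(?i)\.(?:jsp|aspx?|php)\b"),
    "download_cradle": re.compile(r"(?i)(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr\s)"),
    "inline_eval": re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b"),
}

def decode_encoded_command(b64: str):
    """-EncodedCommand is base64 over UTF-16LE text; return None if the blob is not that."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def analyse_cmdline(cmdline: str):
    """Return a finding for one command line, or None if no encoded command is present."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    script = decode_encoded_command(m.group(1))
    finding = {"encoded": True, "decoded": script, "indicators": []}
    if script is None:
        finding["indicators"].append("undecodable_payload")  # still alert-worthy
        return finding
    finding["indicators"] += [n for n, rx in DECODED_INDICATORS.items() if rx.search(script)]
    if re.search(r"(?i)\s-w(?:indowstyle)?\s+hidden", cmdline):
        finding["indicators"].append("hidden_window")
    return finding

def scan_logs(lines):
    """Apply analyse_cmdline to 'host=... cmdline="..."' lines (assumed format); keep hits."""
    hits = []
    for line in lines:
        m = re.search(r'cmdline="(.*)"$', line)
        finding = analyse_cmdline(m.group(1)) if m else None
        if finding:
            finding["host"] = line.split()[0].split("=", 1)[1]
            hits.append(finding)
    return hits

def _enc(ps: str) -> str:  # helper to build sample payloads the way powershell.exe expects
    return base64.b64encode(ps.encode("utf-16-le")).decode()

# Constructed samples: benign, a stop.jar-style hidden write of a .jsp file, a corrupt payload.
SAMPLE_LOGS = [
    'host=web01 image=powershell.exe cmdline="powershell.exe -NoProfile -Command Get-Date"',
    'host=web01 image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc '
    + _enc('Set-Content -Path "C:\\ME\\webapps\\help.jsp" -Value $c') + '"',
    'host=db02 image=powershell.exe cmdline="powershell.exe -EncodedCommand not*base64*"',
]
```

Run as a script, `scan_logs(SAMPLE_LOGS)` returns two findings: the hidden .jsp write with its decoded script, and the undecodable payload.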
The following files and hashes have been identified for the incident.
File Name | Comment | MD5 Hash Value |
---|---|---|
scanner.exe | Netscan | e0e0e26fb4a78c1d2e0479d073a7cc13 |
veeamcp.exe | Veeam Copy Tool | 6a93af683d14d726c7b4f2e80601f711 |
veeamdl.exe | Veeam Download | 5dc568b8e4f111b84baaf9018a82c56d |
chisel.dll | Chisel Proxy | 9f07042085f8e127dab3d003fe04d002b8ad8340 |
Stop.jar | Java Archive to create webshells | CE442BBADE3A3C482C2D288D177B6589 |
help.jsp | webshell | 775DC9F35BF5057904FB7D6F58795946 |
3.txt | AvosLocker Binary | 7a15c01fa77f79120e2918618fcba5b3 |
AVO.ps1 | AvosLocker binary encoder script | 022532c575fa9f8157e920bd2d34f2ec |
IP Address | Comment |
---|---|
178.17.170[.]23 | Tor Node |
188.166.119[.]212:80/byebye | Cobalt Strike |