Image: iStrfry, Marcus (unsplash)
The U.S. government recently updated its information on the techniques employed by AvosLocker ransomware affiliates. The revised list now mentions the use of open-source utilities and custom-built tools, including PowerShell and batch scripts.
According to a joint advisory by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), they have unveiled a YARA rule designed to identify malware that masquerades as an authentic network monitoring utility.
AvosLocker ransomware groups reportedly utilize legitimate and open-source software to remotely administer systems, compromising and extracting data from large-scale enterprise networks.
The FBI has recorded these malicious actors employing custom PowerShell, web shells, and batch scripts to navigate networks, escalate their access rights, and deactivate security features on various systems.
The agencies’ updated advisory lists several tools and software associated with the AvosLocker ransomware group:
- Remote administration tools such as Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent.
- Open-source utilities for network tunneling, including Ligolo and Chisel.
- Adversary emulation platforms like Cobalt Strike and Sliver for centralized management.
- Lazagne and Mimikatz are utilized for obtaining credentials.
- FileZilla and Rclone are employed for data extraction.
- Other tools linked to AvosLocker attacks comprise Notepad++, RDP Scanner, and 7zip. Additionally, conventional native Windows tools, including PsExec and Nltest, have been detected.
AvosLocker’s attack techniques also encompass malware labeled as NetMonitor.exe. This malicious software imitates an authentic network monitoring tool. The functionality of NetMonitor allows it to consistently communicate with the network and serve as a reverse conduit, granting the malicious actors remote access.
The FBI, using insights from a sophisticated digital forensics team, has developed the mentioned YARA rule to recognize the presence of NetMonitor malware within networks.
The FBI and CISA highlighted that AvosLocker’s reach extends across various critical infrastructure sectors within the United States, influencing a range of operating environments.
Protection Measures Against AvosLocker Ransomware
The FBI and CISA have provided several suggestions for institutions. They emphasize the importance of using application control methods to manage software execution, particularly ensuring the sanctioned operation of specific programs. There’s also a stress on restricting the functionality of unapproved utilities, especially those allowing remote access.
Effective protective strategies include limiting remote desktop service access, setting boundaries on login attempts, and advocating for the use of phishing-resistant multi-factor authentication.
Other pivotal recommendations consist of limiting user rights, deactivating certain functionalities like command-line and scripting for specific roles, and disabling PowerShell for users who don’t necessitate it.
It remains a consistent advisory for institutions to maintain software updates, use elongated passwords, hash and salt shared login credentials, and segment their networks.
This advisory complements previous information disseminated in mid-March, highlighting that certain AvosLocker ransomware attacks leveraged flaws in onsite Microsoft Exchange servers.