VTA-00414 – AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection
Recently, there is a new variant of AvosLocker ransomware that makes use of a legitimate driver file to disable antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that target critical infrastructure in the U.S., including financial services and government facilities. The entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho’s ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.
Severity:
High
Attack Surfaces:
Endpoint
Tactics:
Command and Control, Defense Evasion, Execution, Impact, Initial Access, Privilege Escalation
Techniques:
Impair Defenses, Rootkit, Software Deployment Tools, Process Discovery, Command and Scripting Interpreter, Phishing, Exploit Public-Facing Application, Exploitation for Privilege Escalation, Remote Desktop Protocol
Active Defense Tactics:
Disrupt
Active Defense Techniques:
Baseline, Security Controls, Software Manipulation
SuperPRO’s Threat Countermeasures Procedures:
1) Adding the IOC signature into endpoint security protection as the custom threat detection rules. Refer to the provided IOC above to create a custom rule to block the respective File Hashes and Hostname, if necessary.
2) The update from Microsoft for the Windows operating system was published in February as an optional update, and in Microsoft’s security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of attack.
3) The principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions should be employed
4) Maximum number of error log files’ should be set to greater than or equal to ’12’
5) Ensure ‘Network security: Configure encryption types allowed for Kerberos’ is set to ‘AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types’
6) Ensure ‘Turn on PowerShell Script Block Logging’ is set to ‘Disabled’
7) Ensure ‘super_priv’ Is Not Set to ‘Y’ for Non-Administrative Users
8) Antimalware tool should be updated and configured.
9) IDS/IPS should be configured properly.
10) Enforce data protection, backup, and recovery measures. When available, use multifactor authentication in all devices and platforms.
Contributed by: XbladE
Leave a Reply