Ransomware Analysis

Since first discovered in 2021, AvosLocker binaries have undergone slight changes and improvements. The following is a detailed analysis of the last variant used in-the-wild.

Command line arguments

AvosLocker implements multiple command line arguments, as shown in Figure 3, allowing for customization of the ransomware execution based on affiliate requirements.

Figure 3: AvosLocker command line arguments

The threat actor decides what functionality to enable/disable during the execution of the AvosLocker ransomware. When executed, the selected options are displayed in the console as shown below.

Build: SonicBoom
b_bruteforce_smb_enable: 0
b_logical_disable: 0
b_network_disable: 1
b_mutex_disable: 0
concurrent_threads_num_max: 200

AvosLocker creates the mutex Zheic0WaWie6zeiy by default to ensure that only one ransomware process is running at a given time, unless the –nomutex command line argument is provided.

Pre-encryption measures

Upon execution, AvosLocker first checks whether it has administrative privileges; if not, it prints the debug message "The token does not have the specified privilege" to the console, and then executes a process termination routine targeting databases, web browsers, and other business applications. The list of processes to be terminated is decoded dynamically using a stack-based string obfuscation algorithm (described later in the report). The process names listed in Table 1 are terminated.

Table 1: AvosLocker process termination list

encsvc, thebat, mydesktopqos, xfssvccon, firefox, infopath, winword, steam, synctime, notepad, ocomm, onenote, mspub, thunderbird, agntsvc, mydesktopservice, excel, powerpnt, outlook, wordpad, dbeng50, isqlplussvc, sqbcoreservice, oracle, ocautoupds, dbsnmp, msaccess, tbirdconfig, ocssd, sql, visio

Then, AvosLocker performs the following actions:

Deletes Windows shadow copies to prevent the recovery of files using the following commands:

wmic shadowcopy delete /nointeractive
vssadmin.exe Delete Shadows /All /Quiet

Disables recovery mode and edits the boot status policy, which prevents access to Windows Recovery Mode, with the following commands:

bcdedit /set default recoveryenabled No
bcdedit /set default bootstatuspolicy ignoreallfailures

Deletes the Windows event logs to cover up evidence of malicious activity with the following PowerShell command:

Powershell -command “Get-EventLog -LogName *

After encryption, AvosLocker drops a ransom note named GET_YOUR_FILES_BACK.txt as shown in Figure 5.

Figure 5: AvosLocker ransom note

AvosLocker also changes the Windows desktop wallpaper (shown in Figure 6) to a message similar to the ransom note text file.

Figure 6: AvosLocker ransom note wallpaper

The victim ID mentioned in the ransom note is hardcoded in the AvosLocker binary and the ransom note’s filename is README_FOR_RESTORE. ThreatLabz also observed AvosLocker using different file extensions such as .avos, .avos2, and .avoslinux, with the latter being used for the Linux variant. The Linux variant is very similar to the Windows version, but also possesses the capability to terminate and encrypt ESXi virtual machines.
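The pre-encryption commands above (shadow copy deletion, bcdedit recovery changes, event log clearing) are a recognisable chain in process-creation telemetry. The following Python script is an added detection example, not code from the report or from AvosLocker; it runs over constructed Sysmon-style records, and the sample event-log line extends the page's truncated PowerShell command with a Clear-EventLog pipeline, which is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style);
# not real telemetry. Tuple: (timestamp in seconds, parent PID, command line).
SAMPLE_EVENTS = [
    (100.0, 4120, r"wmic shadowcopy delete /nointeractive"),
    (100.4, 4120, r"vssadmin.exe Delete Shadows /All /Quiet"),
    (101.0, 4120, r"bcdedit /set default recoveryenabled No"),
    (101.2, 4120, r"bcdedit /set default bootstatuspolicy ignoreallfailures"),
    (102.0, 4120, r'Powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"'),
    (300.0, 7788, r"vssadmin.exe list shadows"),  # benign: admin inspecting shadow copies
    (301.0, 7788, r"bcdedit /enum"),              # benign: admin listing boot entries
]

# One regex per pre-encryption technique from the analysis. Case-insensitive and
# whitespace-tolerant so casing or spacing variations in the command line still match.
RULES = {
    "shadow_copy_delete": re.compile(
        r"(wmic.*shadowcopy\s+delete)|(vssadmin.*delete\s+shadows)", re.I),
    "recovery_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
    "bootstatuspolicy_ignore": re.compile(
        r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "event_log_clear": re.compile(
        r"powershell.*(clear-eventlog|get-eventlog\s+-logname\s+\*)", re.I),
}

def match_techniques(cmdline):
    """Return the set of technique names whose pattern matches this command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def detect(events, window=60.0, min_techniques=2):
    """Group matches by parent PID and flag parents that chain at least
    `min_techniques` distinct techniques within `window` seconds of their first
    hit. A lone vssadmin or bcdedit call stays unflagged (admins run these too);
    chaining several is the pattern AvosLocker shows right before encrypting."""
    hits = defaultdict(list)  # ppid -> [(timestamp, technique)]
    for ts, ppid, cmd in events:
        for tech in match_techniques(cmd):
            hits[ppid].append((ts, tech))
    alerts = {}
    for ppid, seq in hits.items():
        seq.sort()
        first_ts = seq[0][0]
        techs = {t for ts, t in seq if ts - first_ts <= window}
        if len(techs) >= min_techniques:
            alerts[ppid] = sorted(techs)
    return alerts
```

Run against real telemetry, `detect` should consume the ParentProcessId and CommandLine fields of each Sysmon event in the same tuple shape.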