Since first discovered in 2021, AvosLocker binaries have undergone slight changes and improvements. The following is a detailed analysis of the last variant used in-the-wild.
Command line arguments
AvosLocker implements multiple command line arguments, as shown in Figure 3, allowing for customization of the ransomware execution based on affiliate requirements.
Figure 3: AvosLocker command line arguments
The threat actor decides what functionality to enable/disable during the execution of the AvosLocker ransomware. When executed, the selected options are displayed in the console as shown below.
AvosLocker creates the mutex Zheic0WaWie6zeiy by default to ensure that only one ransomware process is running at a given time, unless the –nomutex command line argument is provided.
Upon execution, AvosLocker first checks whether it has administrative privileges, and if not, it shows the debug message in the console, The token does not have the specified privilege, and then executes a process termination routine targeting databases, web browsers, and other business applications. The list of processes to be terminated were decoded dynamically using a stack-based string obfuscation algorithm (described later in the report). The process names in Table 1 were terminated.
Table 1: AvosLocker process termination listencsvcthebatmydesktopqosxfssvcconfirefoxinfopathwinwordsteamsynctimenotepadocommonenotemspubthunderbirdagntsvcmydesktopservice excelpowerpntoutlookwordpaddbeng50isqlplussvcsqbcoreserviceoracleocautoupdsdbsnmpmsaccesstbirdconfigocssd sql & visio
Then, AvosLocker performs the following actions:
Deletes Windows shadow copies to prevent the recovery of files using the following commands:
wmic shadowcopy delete /nointeractive
vssadmin.exe Delete Shadows /All /QuietDisables recovery mode and the edits the boot status policy, which prevents access to Windows Recovery Mode with the following commands:
bcdedit /set 20.648000 seconds
After encryption, AvosLocker drops a ransom note named GET_YOUR_FILES_BACK.txtas shown in Figure 5.
Figure 5: AvosLocker ransom note
AvosLocker also changes the Windows desktop wallpaper (shown in Figure 6) to a message similar to the ransom note text file.
Figure 6: AvosLocker ransom note wallpaper
The victim ID mentioned in the ransom note is hardcoded in the AvosLocker binary and the ransom note’s filename is README_FOR_RESTORE. ThreatLabz also observed AvosLocker using different file extensions such as .avos, .avos2, and .avoslinux, with the latter being used for the Linux variant. The Linux variant is very similar to the Windows version, but also possesses the capability to terminate and encrypt ESXi virtual machines.
bcdedit /set default bootstatuspolicy ignoreallfailures
Deletes the Windows event logs to cover up evidence of malicious activity with the following PowerShell command:
Powershell -command “Get-EventLog -LogName *