Since it was first discovered in 2021, AvosLocker binaries have undergone slight changes and improvements. The following is a detailed analysis of the latest variant used in the wild.

AvosLocker implements multiple command line arguments, as shown in Figure 3, allowing the ransomware's execution to be customized according to affiliate requirements.

Figure 3: AvosLocker command line arguments

The threat actor decides what functionality to enable or disable during the execution of the AvosLocker ransomware. When executed, the selected options are displayed in the console as shown below.

Build: SonicBoom
b_bruteforce_smb_enable: 0
b_logical_disable: 0
b_network_disable: 1
b_mutex_disable: 0
concurrent_threads_num_max: 200
AvosLocker creates the mutex Zheic0WaWie6zeiy by default to ensure that only one ransomware process is running at a given time, unless the --nomutex command line argument is provided.

Upon execution, AvosLocker first checks whether it has administrative privileges. If it does not, it prints the debug message "The token does not have the specified privilege" to the console and then executes a process termination routine targeting databases, web browsers, and other business applications. The list of processes to be terminated is decoded dynamically using a stack-based string obfuscation algorithm (described later in the report). The process names in Table 1 are terminated.

Table 1: AvosLocker process termination list

encsvc, thebat, mydesktopqos, xfssvccon, firefox, infopath, winword, steam, synctime, notepad, ocomm, onenote, mspub, thunderbird, agntsvc, mydesktopservice, excel, powerpnt, outlook, wordpad, dbeng50, isqlplussvc, sqbcoreservice, oracle, ocautoupds, dbsnmp, msaccess, tbirdconfig, ocssd, sql, visio

Pre-encryption measures

Then, AvosLocker performs the following actions:

Deletes Windows shadow copies to prevent the recovery of files using the following commands:

wmic shadowcopy delete /nointeractive
vssadmin.exe Delete Shadows /All /Quiet

Disables recovery mode and edits the boot status policy, which prevents access to Windows Recovery Mode, with the following commands:

bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures

Deletes the Windows event logs to cover up evidence of malicious activity with the following PowerShell command:

Powershell -command "Get-EventLog -LogName *

After encryption, AvosLocker drops a ransom note named GET_YOUR_FILES_BACK.txt as shown in Figure 5.

Figure 5: AvosLocker ransom note

AvosLocker also changes the Windows desktop wallpaper (shown in Figure 6) to a message similar to the ransom note text file.

Figure 6: AvosLocker ransom note wallpaper

The victim ID mentioned in the ransom note is hardcoded in the AvosLocker binary and the ransom note's filename is README_FOR_RESTORE. ThreatLabz also observed AvosLocker using different file extensions such as .avos, .avos2, and .avoslinux, with the latter being used for the Linux variant. The Linux variant is very similar to the Windows version, but also possesses the capability to terminate and encrypt ESXi virtual machines.
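As an added illustration of how a defender can spot the pre-encryption sequence described above (example code written for this page, not from the Zscaler report), the following Python script classifies process-creation command lines against the shadow copy deletion, bcdedit tampering and event log clearing commands, and reports a parent process that triggers two or more distinct behaviours. The sample events are constructed, and completing the truncated PowerShell command with Clear-EventLog is an assumption of this example.

```python
import re
from collections import defaultdict

# Added example, not from the report: each pre-encryption command family
# described above is mapped to a regex evaluated on a lowercased command line.
PATTERNS = [
    ("shadow_copy_deletion", r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b"),
    ("shadow_copy_deletion", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("recovery_disabled", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("boot_status_ignore", r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    # The report's PowerShell command is truncated after "Get-EventLog -LogName *";
    # requiring a following Clear-EventLog is an assumption of this example.
    ("event_log_clearing", r"\bget-eventlog\b.*-logname\s+\*.*\bclear-eventlog\b"),
]
COMPILED = [(tag, re.compile(rx)) for tag, rx in PATTERNS]

def classify_command(cmdline):
    """Return the distinct pre-encryption behaviours a command line matches."""
    text = cmdline.lower()
    tags = []
    for tag, rx in COMPILED:
        if rx.search(text) and tag not in tags:
            tags.append(tag)
    return tags

def scan_events(events, min_tags=2):
    """Group matches by parent PID. A parent that triggers at least min_tags
    distinct behaviours is reported, which separates the AvosLocker sequence
    from an administrator running a single vssadmin or bcdedit command."""
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev["ppid"]].update(classify_command(ev["cmdline"]))
    return {ppid: sorted(t) for ppid, t in by_parent.items() if len(t) >= min_tags}

# Constructed process-creation events; PID 4242 stands in for the ransomware.
SAMPLE_EVENTS = [
    {"ppid": 4242, "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"ppid": 4242, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ppid": 4242, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ppid": 4242, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ppid": 4242, "cmdline": 'Powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"'},
    {"ppid": 1337, "cmdline": "vssadmin list shadows"},  # benign admin query
    {"ppid": 1337, "cmdline": "bcdedit /enum"},          # benign admin query
]

if __name__ == "__main__":
    for ppid, tags in scan_events(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {', '.join(tags)}")
```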