AvosLocker

AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[1][2][3]

ID: S1053
Type: MALWARE
Platforms: Linux, Windows
Contributors: Flavio Costa, Cisco
Version: 1.0
Created: 11 January 2023
Last Modified: 15 February 2023

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

AvosLocker has been executed via the RunOnce Registry key to run itself on safe mode.[2]

Enterprise T1486 Data Encrypted for Impact

AvosLocker has encrypted files and network resources using AES-256 and added an .avos, .avos2, or .AvosLinux extension to filenames.[1][2][4][3]

Enterprise T1140 Deobfuscate/Decode Files or Information

AvosLocker has deobfuscated XOR-encoded strings.[1]

Enterprise T1083 File and Directory Discovery

AvosLocker has searched for files and directories on a compromised network.[1][2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

AvosLocker has hidden its console window by using the ShowWindow API function.[1]

Enterprise T1562 .009 Impair Defenses: Safe Mode Boot

AvosLocker can restart a compromised machine in safe mode.[2][5]

Enterprise T1036 .008 Masquerading: Masquerade File Type

AvosLocker has been disguised as a .jpg file.[2]

Enterprise T1106 Native API

AvosLocker has used a variety of Windows API calls, including NtCurrentPeb and GetLogicalDrives.[1]

Enterprise T1135 Network Share Discovery

AvosLocker has enumerated shared drives on a compromised network.[1][3]

Enterprise T1027 Obfuscated Files or Information

AvosLocker has used XOR-encoded strings.[1]

.007 Dynamic API Resolution

AvosLocker has used obfuscated API calls that are retrieved by their checksums.[1]

Enterprise T1057 Process Discovery

AvosLocker has discovered system processes by calling RmGetList.[1]

Enterprise T1489 Service Stop

AvosLocker has terminated specific processes before encryption.[1]

Enterprise T1529 System Shutdown/Reboot

AvosLocker’s Linux variant has terminated ESXi virtual machines.[2]

Enterprise T1124 System Time Discovery

AvosLocker has checked the system time before and after encryption.[1]

Campaigns

ID Name Description
C0018 C0018

During C0018, the threat actors used AvosLocker ransomware to encrypt the compromised network.[5][4]

References