Proactive Key Takeaways
- Kroll has identified new tactics targeting backup systems being used by threat actors associated with the distribution of AvosLocker ransomware.
- In these instances, Kroll has observed actors attempting to leverage vulnerabilities within Veeam Backup and Replication software (CVE-2022-26500 and CVE-2022-26501) for possible data exfiltration, likely to evade detection by appearing as legitimate activity.
- In the cases Kroll observed, actors gained initial access by exploiting a vulnerability in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) and used tools such as a Cobalt Strike loader and the Chisel proxy tool to hide their activity while on the system.
Summary
Kroll analysts have identified new tactics used by threat actors associated with the AvosLocker ransomware. Critical vulnerabilities in Veeam Backup and Replication have been exploited, which may be an attempt to hide activity from detection technologies. The proxy tool “Chisel” has been identified; it can encrypt traffic through a victim’s firewall and could be used as a further evasion technique. Kroll has also identified increased obfuscation within a Cobalt Strike loader, showing additional sophistication in the threat actor’s toolset compared to other groups and actors.
AvosLocker is operated under the ransomware-as-a-service model and uses a double extortion technique: victims’ data is held to ransom and they are also threatened with its exposure online. The ransomware encrypts files and appends the “.avos”, “.avos2” or “.avoslinux” extension to affected files. The associated ransom note is commonly named “GET_YOUR_FILES_BACK.txt” and contains a unique key that can be provided to the threat actor on their Tor shaming site. The specific vulnerabilities exploited in these new tactics are CVE-2022-26500 and CVE-2022-26501 in Veeam Backup and Replication, which appear to have been used in an attempt to exfiltrate data and download threat actor tooling.
Tactics, Techniques and Procedures (TTPs)
Below is a specific instance in which Kroll identified AvosLocker during a ransomware attack. The incident has been mapped to the MITRE ATT&CK framework:
Initial Exploit
Kroll has identified that the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 was exploited to gain an initial foothold within the environment. The threat actor utilized the vulnerability within ManageEngine to create a webshell named “help.jsp”. The webshell was created by a dropped Java Archive (.jar) named “stop.jar” that attempted to inject into “calc.exe” before creating “help.jsp” via encoded PowerShell scripts.
Figure 1 - Stop.jar Functions Detailing Encoded PowerShell Commands to Create the Webshell
This webshell is remarkably similar to a publicly available webshell named “cat.jsp”. It appears that the threat actor amended the webshell to include command execution.
Figure 2 - Command Execution Function of Help.jsp
The webshell was then used for initial discovery, running commands such as “whoami” and “net user /domain”, before two further webshells named “test.jsp” and “wg.jsp” were placed on the server. The webshells “test.jsp” and “wg.jsp” appear to provide a simple text entry box, likely for executing commands on the server.
Figure 3 - Test.jsp Command Execution Function
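The chain described above (a Java process under ManageEngine launching encoded PowerShell that writes a JSP webshell to disk) can be surfaced from process-creation telemetry without relying on the file hash of stop.jar or help.jsp. The following Python triage script is an added example and not Kroll’s tooling; the event format, the ManageEngine install path and the encoded command are constructed for illustration.

```python
import base64
import re

# Constructed sample of an encoded command dropping a JSP webshell under an
# assumed ManageEngine install path; the path and command are not from the report.
WEBSHELL_DROP = (
    'Set-Content -Path "C:\\ManageEngine\\ADSelfService Plus\\webapps\\help.jsp" '
    '-Value $webshell_source'
)

def encode_powershell(command):
    """Encode a command the way PowerShell -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")

# Constructed process-creation events as (parent image, child command line).
SAMPLE_EVENTS = [
    ("java.exe", "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(WEBSHELL_DROP)),
    ("explorer.exe", "powershell.exe -Command Get-Date"),
    ("java.exe", "powershell.exe -enc " + encode_powershell("Get-Process")),
]

# A write to a .jsp file via the common PowerShell file-writing cmdlets or redirection.
JSP_WRITE = re.compile(r"(?:Set-Content|Add-Content|Out-File|>).*\.jsp\b", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded script if the command line uses -EncodedCommand (or a prefix such as -enc)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")
        if flag and ("encodedcommand".startswith(flag) or flag == "ec"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage(events):
    """Flag encoded PowerShell spawned by a Java parent that writes a .jsp file to disk."""
    hits = []
    for parent, cmdline in events:
        script = decode_encoded_command(cmdline)
        if script and parent.lower() == "java.exe" and JSP_WRITE.search(script):
            hits.append((parent, script))
    return hits
```

In a real deployment the parent check would be narrowed to the ManageEngine Java service and the path check to the product’s webapps directory.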
MITRE ATT&CK – T1190
Internal Scouting
The threat actor performed initial discovery after exploiting ManageEngine with “whoami” and “net user /domain”. Further reconnaissance was conducted with “Advanced IP Scanner” to identify hosts within the environment, and an associated log file detailing the discovered hosts was left on disk.
The actor searched for “Advanced IP Scanner” on bing.com before downloading it from the tool’s website. The network scanning tool “netscan” was also placed on disk; it is often used to identify network shares.
MITRE ATT&CK – T1049, T1135
Toolkit Deployment
The threat actor leveraged a tool named “veeam-ds-client”, based on a publicly available proof-of-concept for the Veeam Backup and Replication vulnerabilities (CVE-2022-26500 and CVE-2022-26501), which provides the capability to exfiltrate data.
These tools can both download and exfiltrate data, and it is likely that this was an attempt to use the exploits to mask malicious activity as legitimate activity.
MITRE ATT&CK – T1211
Defense Evasion
The same incident saw the use of the “Chisel” proxy for encrypted communications between victim devices and the threat actor. The use of Chisel would allow the threat actor to pass traffic through a victim’s firewall and hide their activity, including data exfiltration.
MITRE ATT&CK – T1090.002, T1048
Command and Control
Persistence was also maintained by installing “AnyDesk” via the webshell. Kroll has seen AnyDesk installed from a download of the official MSI file in multiple AvosLocker cases. In this case, AnyDesk received connections from a Tor node at “178.17.170[.]232”.
MITRE ATT&CK – T1219
A Cobalt Strike loader was downloaded from “188.166.119[.]212” via the “help.jsp” webshell. Interestingly, the otherwise standard loader script was obfuscated with long encoded variables. The standard XOR key of 35 was still present; however, the obfuscation is further evidence of tool development and a likely attempt to change the hash of the script by using different variable names and comments.
Figure 4 – First stage Cobalt Strike loader. Note the obfuscated variable
Figure 5 – Second stage Cobalt Strike loader. Note the obfuscated variables and comment lines
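Because the obfuscation only renames variables and adds comments while leaving the base64 blob and the XOR key 35 in place, an analyst can both recover the embedded payload and compute a hash that ignores the noise, so renamed variants still match. The Python below is an added example, not Kroll’s or Cobalt Strike’s code; the loader text it parses is constructed to mimic the standard loader shape, and the payload is a placeholder string rather than shellcode.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for the loader's payload (not shellcode).
PLACEHOLDER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-PAYLOAD"
XOR_KEY = 35  # the key the report notes is still present despite the obfuscation

def build_sample_loader(var_name, comment):
    """Construct a loader-shaped script with a chosen variable name and comment noise."""
    blob = base64.b64encode(bytes(b ^ XOR_KEY for b in PLACEHOLDER)).decode("ascii")
    return (
        f"# {comment}\n"
        f"[Byte[]]${var_name} = [System.Convert]::FromBase64String('{blob}')\n"
        f"for ($x = 0; $x -lt ${var_name}.Count; $x++) {{\n"
        f"    ${var_name}[$x] = ${var_name}[$x] -bxor {XOR_KEY}\n"
        f"}}\n"
    )

B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
XOR_RE = re.compile(r"-bxor\s+(\d+)")

def extract_payload(script):
    """Recover the XOR key and decoded payload without depending on variable names."""
    blob = B64_RE.search(script)
    key = XOR_RE.search(script)
    if blob is None or key is None:
        return None
    k = int(key.group(1))
    return k, bytes(b ^ k for b in base64.b64decode(blob.group(1)))

VAR_RE = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*")

def raw_hash(script):
    """SHA-256 of the script as found on disk; changes with every renamed variable or comment."""
    return hashlib.sha256(script.encode()).hexdigest()

def normalized_hash(script):
    """SHA-256 over the script with comments dropped and variable names canonicalised."""
    kept = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kept.append(" ".join(VAR_RE.sub("$VAR", line).split()))
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()

# Two constructed variants: same logic, different variable names and comments.
SAMPLE_A = build_sample_loader("var_code", "original comment")
SAMPLE_B = build_sample_loader("kLq9_zz", "renamed variable and new comment")
```

The normalized hash is a triage aid for clustering loaders, not a substitute for detonating or emulating the decoded payload.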
The use of the vulnerabilities, Chisel, AnyDesk and obfuscated Cobalt Strike could indicate a development in tactics to evade security tooling such as endpoint detection and response and intrusion detection systems.
MITRE ATT&CK – T1573
Escalation
The threat actor leveraged the system-level privileges gained via the webshell created through the ManageEngine exploit to create a local administrator account. With that account in place, the threat actor worked on obtaining domain administrator privileges. Several “net” commands were executed before a backup service account with domain administrator privileges was identified; unfortunately, the victim had plaintext passwords enabled. The threat actor obtained this account and used it to navigate across the network.
MITRE ATT&CK – T1068, T1078
Lateral Movement
Kroll identified the threat actor leveraging both the Remote Desktop Protocol (RDP) and the remote management tool AnyDesk to move laterally and deploy tooling with the obtained domain account.
MITRE ATT&CK – T1219, T1021
Mission Execution
The threat actor was detected before they could execute the ransomware, but, interestingly, they had begun to delete Veeam backups using the legitimate Veeam backup tool. The actor was attributed to AvosLocker due to matching infrastructure and initial access techniques observed in other Kroll cases. It is highly likely that the threat actor was in the latter stages of their mission and preparing to encrypt devices by removing backups. It is also likely that the actor would have attempted to identify and exfiltrate sensitive data before encrypting devices had they not been interrupted. Previous AvosLocker cases examined by Kroll have highlighted the binary creation method used in AvosLocker encryption.
Typically, a text file and a PowerShell script are placed on disk. The script is often called “AVO.ps1” and the text file “3.txt”. The “AVO.ps1” script encodes the text file into the “AVO.exe” AvosLocker binary.
MITRE ATT&CK – T1486, T1490