FBI shares details on AvosLocker ransomware and protection tips

October 13, 2023

The US government has updated the list of tools used by AvosLocker ransomware for attacks, including open source utilities as well as custom PowerShell and batch scripts.

In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) also share the YARA rule for detecting malware masquerading as a legitimate network monitoring tool.

Mix of open source and legitimate software

AvosLocker ransomware is known to use legitimate software and open source code for remote system administration to compromise and steal data from corporate networks.

The FBI observed attackers using custom PowerShell scripts, web shells, and batch scripts to move laterally between networks, escalate privileges, and disable security agents on systems.

In the updated message, the agencies shared the following tools as part of the AvosLocker affiliate ransomware arsenal:

  • Remote administration tools used for backdoor access: Splashtop Streamer, Tactical RMM, PuTTY, AnyDesk, PDQ Deploy, Atera Agent
  • Open source network tunneling utilities: Ligolo, Chisel
  • Adversary emulation frameworks used for command and control: Cobalt Strike, Sliver
  • Credential harvesting tools: Lazagne, Mimikatz
  • Data exfiltration tools: FileZilla, Rclone

Additional common tools found in AvosLocker attacks include Notepad++, RDP Scanner, and 7zip. Legitimate native Windows tools such as PsExec and Nltest were also detected.

Another component of the AvosLocker attacks is a piece of malware called NetMonitor.exe, which mimics a legitimate process and “masquerades as a legitimate network monitoring tool.”

In reality, NetMonitor is a persistence tool that pings out to the network every five minutes and acts as a reverse proxy, allowing the threat actors to remotely connect to a compromised network.

Using investigative details from a “group of sophisticated digital experts,” the FBI created the following YARA rule to detect NetMonitor malware on the network.

rule NetMonitor 
{
  meta:
    author = "FBI"
    source = "FBI"
    sharing = "TLP:CLEAR"
    status = "RELEASED"
    description = "Yara rule to detect NetMonitor.exe"
    category = "MALWARE"
    creation_date = "2023-05-05"
  strings:
    $rc4key = {11 4b 8c dd 65 74 22 c3}
    $op0 = {c6 [3] 00 00 05 c6 [3] 00 00 07 83 [3] 00 00 05 0f 85 [4] 83 [3] 00 00 01 75 ?? 8b [2] 4c 8d [2] 4c 8d [3] 00 00 48 8d [3] 00 00 48 8d [3] 00 00 48 89 [3] 48 89 ?? e8}
  condition:
    uint16(0) == 0x5A4D
    and filesize < 50000
    and any of them
}
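To show what the rule's condition actually checks, the following Python example (added here; it is not code from the advisory or the article) translates the two hex strings above into byte regexes and applies the rule's MZ-header, file-size, and any-of checks to constructed sample buffers. The samples are synthetic test data, not real NetMonitor binaries.

```python
import re
# The two hex strings are copied from the FBI NetMonitor YARA rule quoted above.
NETMONITOR_STRINGS = {
    "$rc4key": "11 4b 8c dd 65 74 22 c3",
    "$op0": ("c6 [3] 00 00 05 c6 [3] 00 00 07 83 [3] 00 00 05 0f 85 [4] 83 [3] 00 00 01 "
             "75 ?? 8b [2] 4c 8d [2] 4c 8d [3] 00 00 48 8d [3] 00 00 48 8d [3] 00 00 "
             "48 89 [3] 48 89 ?? e8"),
}
MAX_FILESIZE = 50000  # the rule's "filesize < 50000"

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string ('??' wildcards, '[n]' / '[n-m]' jumps) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":                      # one arbitrary byte
            parts.append(b".")
        elif tok.startswith("["):            # jump: skip n (or n..m) arbitrary bytes
            lo, _, hi = tok.strip("[]").partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        else:                                # literal byte
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: hex_pattern_to_regex(p) for name, p in NETMONITOR_STRINGS.items()}

def evaluate_netmonitor_rule(data: bytes) -> dict:
    """Apply the rule's condition: uint16(0) == 0x5A4D (MZ), filesize < 50000, any string found."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_FILESIZE
    hits = [name for name, rx in COMPILED.items() if rx.search(data)]
    return {"match": is_mz and size_ok and bool(hits), "strings": hits}

def build_sample(pattern: str, filler: int = 0xAA) -> bytes:
    """Construct test bytes satisfying a hex pattern; wildcards and jumps get `filler` bytes."""
    out = bytearray()
    for tok in pattern.split():
        if tok == "??":
            out.append(filler)
        elif tok.startswith("["):
            out.extend([filler] * int(tok.strip("[]").split("-")[0]))
        else:
            out.extend(bytes.fromhex(tok))
    return bytes(out)

# Constructed samples (not real malware): MZ buffer with the RC4 key, one with the opcode sequence, one with the key but no MZ header, one over the size cap.
SAMPLE_KEY = b"MZ" + b"\x90" * 64 + build_sample(NETMONITOR_STRINGS["$rc4key"]) + b"\x00" * 32
SAMPLE_OP0 = b"MZ" + b"\x90" * 64 + build_sample(NETMONITOR_STRINGS["$op0"]) + b"\x00" * 32
SAMPLE_NO_MZ = b"\x7fELF" + SAMPLE_KEY[4:]
SAMPLE_TOO_BIG = SAMPLE_KEY + b"\x00" * MAX_FILESIZE
```

Only the first two samples satisfy all three parts of the condition; the ELF-headed and oversized buffers still contain the string but do not match, which is exactly the scoping the rule's header and size checks provide.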

"AvosLocker affiliates compromised organizations across multiple critical infrastructure sectors in the United States, impacting Windows, Linux, and VMware ESXi environments" - FBI and CISA

AvosLocker ransomware protection

CISA and the FBI recommend that organizations implement application control to govern which software can run, permitting only authorized applications and blocking unauthorized utilities, especially portable versions of remote access tools.

One best practice for protecting against threats is to limit the use of remote desktop services such as RDP by limiting the number of login attempts and implementing phishing-resistant multi-factor authentication (MFA).

Enforcing the principle of least privilege is also part of the recommendations, and organizations should disable the use of command line, scripts, and PowerShell for users who do not need them for work.

Keeping software up to date, using longer passwords, storing them in hashed form, rotating credentials that are shared between accounts, and segmenting the network remain standing recommendations from security experts.

The current cybersecurity advisory adds to information provided in a previous report published in mid-March, which noted that some AvosLocker ransomware attacks exploited vulnerabilities in on-premises Microsoft Exchange servers.

Source: Port Altele
