Trend Micro finds that AvosLocker can disable antivirus software

According to Trend Micro, AvosLocker ransomware is capable of disabling antivirus software to evade detection.

In a blog post on Monday, Trend Micro researchers Christopher Ordonez and Alvin Nieto detailed the relatively new technique, which abused a legitimate anti-rootkit driver from Avast’s antivirus product. Not only did the operators behind AvosLocker bypass security features, but they also scanned for endpoints vulnerable to Log4Shell, with the callbacks directed to the group’s command-and-control server.

In both cases, the attackers took advantage of previously disclosed vulnerabilities, a recurring concern for companies.

AvosLocker is relatively new to the ransomware threat landscape. Trend Micro, as well as Palo Alto Networks, noted that its emergence last year may have filled a void left by REvil’s shutdown. Although the tactics observed are consistent with previous AvosLocker activity, one important aspect of the attack marked a first for Trend Micro researchers.

“This is the first sample we have observed in the US with the ability to disable a defense solution using a legitimate Avast Anti-Rootkit driver file (aswArPot.sys),” Ordonez and Nieto wrote in the blog.

Ordonez and Nieto suspect the Zoho ManageEngine Active Directory SelfService Plus exploit to be the initial attack vector, based on indications that the actors exploited the known vulnerability CVE-2021-40539. The remote code execution bug was originally disclosed last year by security vendor Synacktiv.

By accessing Active Directory, the threat actors were able to create a new user account and gain administrative access inside the infected system. They used a PowerShell script to download the necessary tools, such as AnyDesk, which allows remote access. From there, the researchers observed that the PowerShell script disabled security products by abusing the legitimate Avast Anti-Rootkit driver, which was used to kill any security product process it found.

“Once inside, the trend of abusing legitimate tools and functions to hide malicious activities and the presence of the actors continues and becomes more sophisticated. In this case, attackers were able to study and use Avast’s driver as part of their arsenal to disable the security products of other vendors,” Ordonez and Nieto wrote.

Trend Micro said it notified Avast, which confirmed the vulnerability was found in an “older version of its aswArPot.sys driver”, which was patched in June 2021.

“We also worked closely with Microsoft, so they released a block in the Windows OS (10 and 11) so that the old version of the Avast driver cannot be loaded into memory,” the blog said. “Microsoft’s update for the Windows operating system was released in February as an optional update and in Microsoft’s security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this type of attack.”

Unfortunately, companies are struggling to keep pace with updates, as highlighted in the report and in recent government alerts. For example, law enforcement agencies in five countries, including the United States, last month issued a warning about the most commonly exploited bugs of 2021. Log4Shell and CVE-2021-40539 were both listed, as they continue to pose a security risk, and threat actors are taking notice.

“As with previously documented malware and ransomware groups, AvosLocker takes advantage of various vulnerabilities that have not yet been patched to enter organizations’ networks,” Ordonez and Nieto wrote.