FBI shares YARA rule for malware used in AvosLocker ransomware attacks

The U.S. government has updated the list of tools AvosLocker ransomware affiliates use in attacks to include open-source utilities along with custom PowerShell, and batch scripts.

In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) also share a YARA rule for detecting malware in the guise of a legitimate network monitoring tool.

Mixing in open-source and legitimate software

AvosLocker ransomware affiliates are known to use legitimate software and open-source code for remote system administration to compromise and exfiltrate data from enterprise networks.

The FBI observed the threat actors using custom PowerShell, web shells, and batch scripts to move laterally on the network, increase their privileges, and to disable security agents on the systems.

In the updated advisory, the agencies share the following tools as being part of the arsenal of AvosLocker ransomware affiliates:

  • Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, Atera Agent remote administration tools for backdoor access
  • Open-source network tunneling utilities: Ligolo, Chisel
  • Adversary emulation frameworks Cobalt Strike and Sliver for command and control
  • Lazagne and Mimikatz for harvesting credentials
  • FileZilla and Rclone for data exfiltration

Additional publicly available tools observed in AvosLocker attacks include Notepad++, RDP Scanner, and 7zip. Legitimate native Windows tools like PsExec and Nltest were also seen.

Another component of AvosLocker attacks is a piece of malware called NetMonitor.exe, which poses as a legitimate process and “has the appearance of a legitimate network monitoring tool.”

However, NetMonitor is a persistence tool that hails from the network every five minutes and acts as a reverse proxy that enables the threat actors to remotely connect to the compromise network.

Using details from the investigation of “an advanced digital forensics group,” the FBI created the YARA rule below to detect NetMonitor malware on a network.

rule NetMonitor 
{
  meta:
    author = "FBI"
    source = "FBI"
    sharing = "TLP:CLEAR"
    status = "RELEASED"
    description = "Yara rule to detect NetMonitor.exe"
    category = "MALWARE"
    creation_date = "2023-05-05"
  strings:
    $rc4key = {11 4b 8c dd 65 74 22 c3}
    $op0 = {c6 [3] 00 00 05 c6 [3] 00 00 07 83 [3] 00 00 05 0f 85 [4] 83 [3] 00 00 01 75 ?? 8b [2] 4c 8d [2] 4c 8d [3] 00 00 48 8d [3] 00 00 48 8d [3] 00 00 48 89 [3] 48 89 ?? e8}
  condition:
    uint16(0) == 0x5A4D
    and filesize < 50000
    and any of them
}

“AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments” - FBI and CISA

Defend against AvosLocker ransomware

CISA and the FBI recommend organizations to implement application control mechanisms to control the execution of software, including allowed programs, as well as prevent running portable versions of unauthorized utilities, especially remote access tools.

Part of the best practices for defending against threat actors are restrictions for using remote desktop services, such as RDP, by limiting the number of login attempts and implementing phishing-resistant multi-factor authentication (MFA).

Applying the principle of least privileges is also part of the recommendations, and organizations should disable command-line, scripting, and the use of PowerShell for users that don’t require them for their job.

Keeping software and code updated to the latest version, using longer passwords, storing them in a hashed format, and salting them if the logins are shared, and segmenting the network, remain the constant recommendations from security experts.

The current cybersecurity advisory adds to the information provided in a previous one released in mid-March, which notes that some AvosLocker ransomware attacks exploited vulnerabilities in on-premise Microsoft Exchange servers.

Related Articles:

CISA: Black Basta ransomware breached over 500 orgs worldwide

CISA: Most critical open source projects not using memory safe code

CISA warns of Windows bug exploited in ransomware attacks

FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out

Lockbit's seized site comes alive to tease new police announcements