October 12, 2023 at 07:46PM
The US government has updated the list of tools used by AvosLocker ransomware affiliates in attacks to include open-source utilities and custom PowerShell and batch scripts. The FBI and CISA have shared a YARA rule for detecting malware disguised as a legitimate network monitoring tool. AvosLocker affiliates use legitimate software and open-source code to compromise and extract data from enterprise networks. The agencies have identified specific tools and utilities used by the ransomware affiliates, including remote administration tools, network tunneling utilities, adversary emulation frameworks, and data exfiltration tools. They also warn of a malware called NetMonitor.exe that poses as a legitimate network monitoring tool. The FBI has created a YARA rule to detect this malware. Organizations are advised to implement application control mechanisms, restrict remote desktop services, apply the principle of least privilege, keep software updated, and segment the network to defend against AvosLocker ransomware attacks.
Key Takeaways from Meeting Notes:
1. The U.S. government has updated the list of tools used by AvosLocker ransomware affiliates in their attacks. The list now includes open-source utilities and custom PowerShell and batch scripts.
2. AvosLocker ransomware affiliates employ legitimate software and open-source code for remote system administration to compromise and extract data from enterprise networks.
3. The FBI and CISA have released a joint cybersecurity advisory that includes a YARA rule for detecting malware disguised as a legitimate network monitoring tool.
4. AvosLocker ransomware affiliates use various tools as part of their attack arsenal: the remote administration tools Splashtop Streamer, Tactical RMM, PuTTY, AnyDesk, PDQ Deploy, and Atera Agent; Ligolo and Chisel for network tunneling; Cobalt Strike and Sliver for command and control; Lazagne and Mimikatz for credential harvesting; and FileZilla and Rclone for data exfiltration.
5. Notepad++, RDP Scanner, 7-Zip, PsExec, and Nltest are additional tools observed in AvosLocker attacks.
6. NetMonitor.exe is a piece of malware used in AvosLocker attacks, which poses as a legitimate network monitoring tool. It acts as a reverse proxy that enables remote connection to compromised networks.
7. The FBI has created a YARA rule to detect NetMonitor malware on a network.
8. AvosLocker ransomware attacks have targeted organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments.
9. To defend against AvosLocker ransomware, organizations are recommended to implement application control mechanisms, restrict the use of remote desktop services, apply phishing-resistant multi-factor authentication, enforce the principle of least privilege, keep software and code updated, use longer and hashed passwords, and segment the network.
10. The advisory also highlights that some AvosLocker ransomware attacks exploited vulnerabilities in on-premises Microsoft Exchange servers, as previously noted in a mid-March advisory.
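
Because the tools in takeaway 4 are legitimate software, their presence only matters where application control has not approved them. The following is an added example, not code from the advisory or this page: it checks process-creation records against that tool list and ranks hosts by how many tool categories appear unapproved. The log format, host names, allowlist, and matching on file-name substrings are all assumptions of the example; Cobalt Strike and Sliver are left out because the example has no file name to match for them.

```python
import csv
import io
from collections import defaultdict

# Tools named in the summary above, keyed by a lowercase substring of the image
# path. Name matching is an assumption of this example: a renamed binary is missed.
TOOLS = {
    "splashtop": "remote_admin", "tacticalrmm": "remote_admin",
    "putty": "remote_admin", "anydesk": "remote_admin",
    "pdqdeploy": "remote_admin", "ateraagent": "remote_admin",
    "ligolo": "tunneling", "chisel": "tunneling",
    "lazagne": "credential_harvesting", "mimikatz": "credential_harvesting",
    "filezilla": "exfiltration", "rclone": "exfiltration",
    "netmonitor": "reverse_proxy",
}

# Hypothetical application-control allowlist: (host, tool) pairs IT has approved.
APPROVED = {("HELPDESK-01", "anydesk")}

# Constructed process-creation records (host,user,image); not real telemetry.
SAMPLE_LOG = r"""host,user,image
HELPDESK-01,svc_support,C:\Program Files (x86)\AnyDesk\AnyDesk.exe
FILESRV-02,jdoe,C:\Users\jdoe\AppData\Local\Temp\chisel.exe
FILESRV-02,jdoe,C:\Users\jdoe\Downloads\rclone.exe
FILESRV-02,jdoe,C:\Windows\System32\notepad.exe
WS-114,asmith,C:\Program Files\PuTTY\putty.exe
"""


def unapproved_tools(log_text, approved=APPROVED):
    """Return {host: {category: {tool, ...}}} for listed tools not approved there."""
    hits = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(log_text)):
        image = row["image"].lower().replace(" ", "")
        for tool, category in TOOLS.items():
            if tool in image and (row["host"], tool) not in approved:
                hits[row["host"]][category].add(tool)
    return {host: dict(cats) for host, cats in hits.items()}


def prioritise(hits):
    """Order hosts so those with unapproved tools in the most categories come first."""
    return sorted(hits, key=lambda host: (-len(hits[host]), host))


if __name__ == "__main__":
    found = unapproved_tools(SAMPLE_LOG)
    for host in prioritise(found):
        print(host, {cat: sorted(tools) for cat, tools in found[host].items()})
```

A host that shows a tunneling tool and an exfiltration tool together, as FILESRV-02 does in the constructed sample, is reviewed before a host with a single remote administration client.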