AvosLocker

- Posted in Ransomware

AvosLocker is the name of a ransomware family and also of the team behind it. The group stands out from most other ransomware operations because it offers ransomware for hire: it advertises its services on the dark web and sells pre-packaged builds for off-the-shelf purchase. Its services include consultancy to help clients use the product, customization of the ransomware for specific use cases and attack vectors, and for-hire operators who assist with network reconnaissance and payload deployment. The group charges in bitcoin and is fast becoming a criminal enterprise.

Currently most of the discussion about AvosLocker concerns recent attacks against infrastructure. Reports from multiple sources indicate that targets in North America, Europe, the Middle East and Asia-Pacific have been attacked, with the most common initial access vector being Microsoft Exchange Server. Indicators that a machine or network has been compromised include the following.

  1. Modified Windows Registry "Run" keys
  2. Encoded PowerShell scripts
  3. A false PuTTY Secure Copy client tool, "pscp.exe"
  4. Rclone
  5. A false AnyDesk appearing (if it is not normally used on the network)
  6. A false Advanced IP Scanner
  7. WinLister

The main difficulty with the above indicators is that people are often unaware of the unusual deployment, because many updates add applications of this type without notice, a trend we think should be discouraged in favour of user notice and acceptance. Common Exchange Server vulnerabilities used to breach a target network include the following ProxyShell vulnerabilities:

  • CVE-2021-31207 - Flaw in the Mailbox Export service that allows malicious files to be uploaded to the server.
  • CVE-2021-34523 - Flaw in PowerShell that allows PowerShell commands to be executed without access validation.
  • CVE-2021-34473 - Uses the Autodiscover service to scrape user information.
  • CVE-2021-26855 - Allows an unauthorized user admin access to the server.

An additional note regarding the attacks themselves: there have been cases of victims receiving phone calls from the AvosLocker attacker pressuring the victim organization to go to the Avos .onion site to pay the ransom. Text files named GET_YOUR_FILES_BACK.txt are also created in every directory of the affected machines, leaving a note and the .onion payment site; below is an example of such a message. Note that accessing .onion pages requires Tor or a similar tool.

AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
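The indicators listed above and the dropped GET_YOUR_FILES_BACK.txt notes can be hunted for with a small script. The following is an added example, not code from the original post or from any vendor; the .exe spellings of the tool names, the sample command line and the sample directory tree are constructed for the illustration:

```python
import base64
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "GET_YOUR_FILES_BACK.txt"
# Tool names from the post; the .exe spellings are assumed for matching purposes.
INDICATOR_TOOLS = {"pscp.exe", "rclone.exe", "anydesk.exe",
                   "advanced_ip_scanner.exe", "winlister.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" followed by a base64 run long enough to be a real payload.
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)

def decode_encoded_powershell(cmdline: str) -> "str | None":
    """Return the decoded script if cmdline carries an encoded PowerShell payload."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except ValueError:  # bad base64 or odd byte count: suspicious but unreadable
        return "<undecodable encoded payload>"

def flag_indicator_tools(process_names: list) -> list:
    """Return the process names that match the tools the post lists as indicators."""
    return sorted({n for n in process_names if n.lower() in INDICATOR_TOOLS})

def find_ransom_notes(root: Path) -> list:
    """Return every directory under root that contains the AvosLocker ransom note."""
    return sorted(p.parent for p in root.rglob(RANSOM_NOTE) if p.is_file())

def build_sample_tree() -> Path:
    """Constructed sample tree: two of three directories carry a dropped note."""
    root = Path(tempfile.mkdtemp(prefix="avos_sample_"))
    for sub, dropped in (("finance", True), ("hr", True), ("public", False)):
        (root / sub).mkdir()
        if dropped:
            (root / sub / RANSOM_NOTE).write_text("AvosLocker Attention! ...")
    return root

# Constructed sample command line; the encoded payload is a harmless Get-Process.
SAMPLE_SCRIPT = "Get-Process | Out-File C:\\Temp\\procs.txt"
SAMPLE_CMDLINE = "powershell.exe -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    print("decoded:", decode_encoded_powershell(SAMPLE_CMDLINE))
    print("tools:", flag_indicator_tools(["svchost.exe", "pscp.exe", "AnyDesk.exe"]))
    print("notes in:", [str(d) for d in find_ransom_notes(build_sample_tree())])
```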

Thoughts and Recommendations

Our recommendations regarding mitigation of this attack are pretty much the standard for preventing ransomware attacks. Harden your organization's network and all devices on it. Enforce social engineering training requirements for all employees. Maintain and enforce a disaster recovery plan, including items such as off-site and offline data backups. Having a general network security policy is also key, so that a security baseline is kept. I would like to emphasize that, since the team behind AvosLocker has built such a well thought out "customer experience", they appear to be mostly hacker-for-hire types, largely attacking whoever they are paid to attack; if they were paid the correct sum to attack Microsoft, they would. There is no reason to believe that any organization is safe, so precaution is key.

Gh0stCringe Remote Access Trojan

- Posted in Exploit

Gh0stCringe is what is referred to as a remote access trojan. Remote access trojans are used to remotely take control of a target device. The delivery method for this type of malware varies. While there has not yet been a documented infection vector, it is my belief, due to the nature of the targets, namely SQL and MySQL databases without strong login credentials and weak security, that it is only a matter of time before its use is widespread.

When deployed, Gh0stCringe runs its initial program in the background, modifies registry keys and disguises itself as sqlserver.exe, mysqld.exe or mysqld-nt.exe. Once the malware has fully infected the machine, it can communicate with a predetermined control node and, via remote execution, exfiltrate data, act as a keylogger, execute commands, or even remotely install other malware. As an example, reports indicate that Gh0stCringe is being used to install cryptominers on exploited servers.
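Because the post says Gh0stCringe disguises itself as sqlserver.exe, mysqld.exe or mysqld-nt.exe, one triage check is whether anything by those names runs from outside the database's install directory. This is an added example, not code from the post or from any product; the trusted install roots and the process listing are constructed assumptions:

```python
import ntpath
from pathlib import PureWindowsPath

# Names the post says Gh0stCringe hides behind. (The genuine SQL Server binary is
# sqlservr.exe, so "sqlserver.exe" anywhere already deserves attention.)
DB_BINARIES = {"sqlserver.exe", "mysqld.exe", "mysqld-nt.exe"}
# Assumed install roots for this illustration; take the real ones from your inventory.
TRUSTED_ROOTS = [PureWindowsPath(r"C:\Program Files\Microsoft SQL Server"),
                 PureWindowsPath(r"C:\Program Files\MySQL")]

def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive check that path lies beneath root (NTFS ignores case)."""
    p = [c.lower() for c in path.parts]
    r = [c.lower() for c in root.parts]
    return p[:len(r)] == r

def suspicious_db_processes(processes):
    """Return (pid, normalized path) for DB-named binaries outside every trusted root.

    processes is a list of (pid, image path) pairs, as you would pull from a process
    listing. Paths are normalized first so "..\\" segments cannot borrow a trusted prefix.
    """
    hits = []
    for pid, image in processes:
        path = PureWindowsPath(ntpath.normpath(image))
        if path.name.lower() not in DB_BINARIES:
            continue
        if not any(_under(path, root) for root in TRUSTED_ROOTS):
            hits.append((pid, str(path)))
    return hits

# Constructed process listing: one legitimate mysqld, two impostors, one unrelated process.
SAMPLE_PROCESSES = [
    (1204, r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe"),
    (3310, r"C:\Users\Public\mysqld-nt.exe"),
    (4401, r"C:\Program Files\MySQL\..\..\ProgramData\sqlserver.exe"),
    (5120, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, path in suspicious_db_processes(SAMPLE_PROCESSES):
        print(f"pid {pid}: {path} is named like a DB server but runs from an untrusted path")
```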

Thoughts and recommendations

Gh0stCringe appears to be designed to target low-hanging fruit: servers that are not secured well, or where IT specialists are not well versed in SQL security. Strong passwords and prevention of non-local access should be implemented immediately. Increased network and equipment security for devices connected to the SQL servers is paramount to preventing various types of attacks on SQL systems.