2022-05-11

AvosLocker Infection with Abused Driver

Level: 
Tactical
  |  Source: 
TrendMicro
Share:

AvosLocker Infection with Abused Driver

Industry: N/A | Level: Tactical | Source: TrendMicro

Trend Micro observed a AvosLocker infection chain deployed within the US abusing a legitimate Windows driver for defense evasion and to disable security defenses. Initial access from the attack leveraged a vulnerability in Zoho ManageEngine Service Desk Plus (telemetry didn't identify the exact CVE used) to upload a webshell. Following command and control activity mshta.exe was leveraged to execute the attacker's HTA file spawning a PowerShell script. Discovery activity for system information was executed along with PowerShell downloads of attacker tools including AnyDeskMSI, Mimikatz, Nmap, PDQ deploy, Netscan, and the creation of an administrator account. A legitimate driver, Aswarpot.sys was utilized to disable security products also from a PowerShell script to stop services. Through the attack, the attackers had attempted to copy a number of their tools including Mimikatz and Impacket, however efforts were blocked. NMap was used by the attacker to identify vulnerable Log4j hosts. Lastly, using the deployment tool PDQ, a batch script was launched to multiple hosts on the victim network.

  • Anvilogic Scenario: AvosLocker Infection with Abused Driver
  • Anvilogic Use Cases:
  • Potential Web Shell
  • MSHTA.exe execution
  • Common Reconnaissance Commands
  • Invoke-WebRequest Command
  • MSIExec Install MSI File
  • Create/Add Local/Domain User
  • Service Stop Commands
  • Windows Copy Files
  • Driver as Command Parameter
  • Mimikatz
  • Wscript/Cscript Execution
  • Impacket/Empire's WMIExec

Get trending threats published weekly by the Anvilogic team.

Sign Up Now