AvosLocker ransomware is capable of disabling antivirus software to evade detection, according to Trend Micro.
In a blog post Monday, Trend Micro researchers Christopher Ordonez and Alvin Nieto detailed the relatively novel technique, which abused a legitimate anti-rootkit driver shipped with Avast's antivirus product. Not only did the operators behind AvosLocker bypass security features, they also scanned for endpoints vulnerable to Log4Shell, directing the resulting callback to the group's command-and-control server.
In both instances, attackers took advantage of previously disclosed vulnerabilities, a recurring concern for enterprises.
AvosLocker is relatively new to the ransomware threat landscape. Trend Micro, as well as Palo Alto Networks, noted its emergence last year may have filled a void left by the shutdown of REvil. Though the observed tactics aligned with previous AvosLocker activity, one significant aspect of the attack did mark a first for the Trend Micro researchers.
"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (aswArpot.sys)," Ordonez and Nieto wrote in the blog.
Ordonez and Nieto suspect exploitation of Zoho ManageEngine ADSelfService Plus as the initial attack vector, based on indications that the actors used the known vulnerability tracked as CVE-2021-40539. The remote code execution bug was initially disclosed last year by security vendor Synacktiv.
By accessing Active Directory, the threat actors were able to create a new user account and gain administrative access inside the infected system. They used a PowerShell script to download the tools they needed, such as the AnyDesk remote access software. From there, the researchers observed the PowerShell script disabling security products by loading the legitimate Avast Anti-Rootkit Driver, which was then used to terminate every security product process it discovered.
"Once inside, the continuing trend of abusing legitimate tools and functions to mask malicious activities and actors' presence grows in sophistication. In this case, the attackers were able to study and use Avast's driver as part of their arsenal to disable other vendors' security products," Ordonez and Nieto wrote.
Trend Micro said it notified Avast, which confirmed that the vulnerability existed in an "old version of its driver aswArpot.sys" and had been fixed in June 2021.
"We also worked closely with Microsoft, so they released a block in the Windows operating system (10 and 11), so the old version of the Avast driver can't be loaded to memory," the blog post said. "The update from Microsoft for the Windows operating system was published in February as an optional update, and in Microsoft's security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of attack."
Unfortunately, enterprises struggle to keep pace with updates, as highlighted in the report and in recent government alerts. For example, law enforcement agencies from five countries, including the U.S., issued a warning last month on the most commonly exploited vulnerabilities of 2021. Both Log4Shell and CVE-2021-40539 were listed, as they continue to pose a security risk, and threat actors are taking note.
"Similarly to previously documented malware and ransomware groups, AvosLocker takes advantage of the different vulnerabilities that have yet to be patched to get into organizations' networks," Ordonez and Nieto wrote.