AvosLocker Ransomware Behavior Examined on Windows & Linux


_AvosLocker is a ransomware group that was identified in 2021, specifically targeting Windows machines. Now a new variant of AvosLocker malware is also targeting Linux environments. In this blog, we examine the behavior of these two AvosLocker ransomware variants in detail._

AvosLocker is a relatively new ransomware-as-a-service that was first spotted in late June 2021. The attackers use spam email campaigns as the initial infection vector for delivery of the ransomware payload. During the encryption process, files are appended with the ".avos" extension. An updated variant appends the extension ".avos2". Similarly, the Linux version appends the extension ".avoslinux".

After every successful attack, the AvosLocker gang releases the names of their victims on the Dark Leak website hosted on the TOR network and offers the exfiltrated data for sale.

URL structure: `hxxp://avosxxx…xxx[.]onion`

The AvosLocker gang also advertises their latest ransomware variants on the Dark Leak website.

URL structure: `hxxp://avosjonxxx…xxx[.]onion`

The gang has claimed, “The AvosLocker's latest Windows variant is one of the fastest in the market with highly scalable threading and selective ciphers.” They offer an affiliate program that provides ransomware-as-a-service (RaaS) to potential partners in crime. Recently they have added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines, which allows the gang to target a wider range of organizations. The Linux variant can also kill running ESXi VMs, making it particularly nasty.

According to [deepweb research](<https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/>) by Cyble Research Labs, the threat actors behind AvosLocker ransomware are exploiting Microsoft Exchange Server vulnerabilities using ProxyShell to compromise the victim’s network. The CVEs involved in these exploits are CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207.
### Technical Analysis of AvosLocker Windows Variant

#### Command-Line Options

The following figure shows a sample of the command-line options.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-1-Command-Line-Option.png)
Fig. 1: Command Line Option

The available options allow control over items such as enabling/disabling SMB brute force, mutex creation, and the number of concurrent threads. If no options are given, the malware runs with the default options shown in figure 2, where it skips encryption of network drives and SMB shares and runs 200 concurrent threads of its file encryption routine.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-2-Execution-with-Default-Parameter.png)
Fig. 2: Execution with Default Parameter

During execution, the malware console displays detailed information about its progress on the screen (fig. 3).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-3-Progress-Details.png)
Fig. 3: Progress Details

Most of the strings in the malware are stored XOR-encrypted. The decryption routines are all similar; only the registers and keys differ (fig. 4). Strings are decrypted just before they are used.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-4-Commonly-Used-Decryption-Routine.png)
Fig. 4: Commonly Used Decryption Routine

Initially, the malware collects the command-line options provided when the application was launched (fig. 5).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-5-Get-command-line-Options.png)
Fig. 5: Get command-line Options

Then it decrypts the mutex name “Cheic0WaZie6zeiy” and checks whether an instance is already running, to avoid multiple instances (fig. 6).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-6-Mutex-Creation.png)
Fig. 6: Mutex Creation

As shown in figure 7, AvosLocker uses a multi-threaded design. It calls the APIs below to create multiple worker threads and to share file paths among them, making full use of multi-core CPUs. APIs called:

* CreateIoCompletionPort()
* PostQueuedCompletionStatus()
* GetQueuedCompletionStatus()

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-7-Use-of-CreateIoCompletionPort.png)
Fig. 7: Use of CreateIoCompletionPort

The code creates multiple threads in a loop (fig. 8). The threads are set to the highest priority so that data is encrypted as quickly as possible.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-8-Create-Thread-In-Loop-and-Set-Priority.png)
Fig. 8: Create Thread In-Loop and Set Priority

AvosLocker ransomware performs a recursive sweep through the file system (fig. 9), searches for attached drives, and enumerates network resources using the APIs WNetOpenEnum() and WNetEnumResource().

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-9-Search-Network-Share.png)
Fig. 9: Search Network Share

Before selecting a file for encryption, it checks the file attributes and skips the file if **FILE_ATTRIBUTE_HIDDEN** or **FILE_ATTRIBUTE_SYSTEM** is set, as shown in figure 10.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-10-Check-File-Attribute.png)
Fig. 10: Check File Attribute

Once the file attribute check is passed, it performs the file extension check. A file is skipped from encryption if its extension matches one of the extensions shown in figure 11.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-11-Skip-Extension-List.png)
Fig. 11: Skip Extension List

It also contains a list of files and folders that are skipped from encryption (fig. 12).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-12-Skip-File-Folder-List.png)
Fig. 12: Skip File Folder List

AvosLocker uses RSA encryption and comes with a fixed hardcoded ID and the attacker's RSA public key (fig. 13).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-13-Hardcoded-Public-Key.png)
Fig. 13: Hardcoded Public Key

After file encryption using RSA, it uses the ChaCha20 algorithm to encrypt the encryption-related information (fig. 14).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-14-Use-of-ChaCha20.png)
Fig. 14: Use of ChaCha20

It appends this encryption-related information (fig. 15) to the end of the file in Base64-encoded form.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-15-Encryption-Related-Information.png)
Fig. 15: Encryption Related Information

Then it appends the ".avos2" extension to the file using MoveFileWithProgressW (fig. 16).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-16-Add-Extension-Using-Movie-File.png)
Fig. 16: Add Extension Using Move File

As seen in figure 17, the ".avos2" extension has been appended.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-17-File-with-Updated-Extension.png)
Fig. 17: File with Updated Extension

It writes a ransom note (fig. 18) named “GET_YOUR_FILES_BACK.txt” to each directory before encrypting the files in it.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-18-Ransom-Note.png)
Fig. 18: Ransom Note

The ransom note instructs the user not to shut down the system while encryption is in progress, to avoid file corruption. It asks the victim to visit the onion address with the TOR browser to pay the ransom and to obtain the decryption key and decryption application.

#### AvosLocker Payment System

After submitting the "ID" from the ransom note on AvosLocker's website (fig. 19), the victim is redirected to the "payment" page.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-19-AvosLockers-Website.png)
Fig. 19: AvosLocker's Website

If the victim fails to pay the ransom, the attacker puts the victim’s data up for sale. Figure 20 shows the list of victims (redacted for obvious reasons) published on the site.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-20-List-of-Victims.png)
Fig. 20: List of Victims

AvosLocker also offers an affiliate program that provides ransomware-as-a-service (RaaS). They provide “helpful” services to clients such as:

* Support for Windows, Linux & ESXi
* Affiliate panel
* Negotiation panel with push & sound notifications
* Assistance in negotiations
* Consultations on operations
* Automatic builds
* Automatic decryption tests
* Encryption of network resources
* Killing of processes and services with open handles to files
* Highly configurable builds
* Removal of shadow copies
* Data storage
* DDoS attacks
* Calling services
* Diverse network of penetration testers, access brokers and other contacts

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-21-Partnership-Program.png)
Fig. 21: Partnership Program

### Technical Analysis of AvosLocker Linux Variant

In this case, the AvosLocker malware arrives as an ELF file. As shown in figure 22, the analyzed file is an x64 Linux executable.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-22-FileDetails.png)
Fig. 22: File Details

It is a command-line application with several command-line options (fig. 23).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-23-Command-Line-Options.png)
Fig. 23: Command-Line Options

The `<Thread count>` parameter shown above is the number of threads created to encrypt files simultaneously. The malware can also kill ESXi VMs, depending on the parameters provided at execution.

Upon execution, the malware first reads the number of threads to create. Then it checks for the string “vmfs” in the file path provided as a command-line argument (fig. 24).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-24-Checks-for-vmfs.png)
Fig. 24: Checks for “vmfs”

After that, it also checks for the string “ESXi” in the file path provided as a command-line argument (fig. 25).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-25-Checks-for-ESXi.png)
Fig. 25: Checks for “ESXi”

If this parameter is found, it calls a routine to kill the running ESXi virtual machines (fig. 26).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-26-Code-to-Kill-ESXi-Virtual-Machine.png)
Fig. 26: Code to Kill ESXi Virtual Machine

The command used to kill the ESXi virtual machines is shown in figure 27.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-27-CommandToKillRunning_ESXi_Virtual_Machines.png)
Fig. 27: Command to Kill Running ESXi Virtual Machine

AvosLocker then drops a ransom note file (fig. 28) in the targeted directory.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-28_Create_Ransom_Note.png)
Fig. 28: Create ransom note

After that, it starts building the list of files to be encrypted. Before adding a file path to the list, it checks whether the path is a regular file (fig. 29). Only regular files are added to the encryption list.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-29-Check-File-Info.png)
Fig. 29: Checks File Info

AvosLocker excludes the ransom note file and any file with the extension “avoslinux” from the encryption list (fig. 30).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-30-Skip-avoslinux-extension-filet.png)
Fig. 30: Skip “avoslinux” Extension File

Then it calls the mutex lock/unlock API for thread synchronization, as shown in figure 31.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-31-Lock-Unlock-Mutex-For-Thread-Synchronization.png)
Fig. 31: Lock-Unlock Mutex for Thread Synchronization

Based on the number of threads specified, it creates concurrent CPU threads (fig. 32). This lets it encrypt different files simultaneously at very high speed.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-32-Create-Threads-In-Loop.png)
Fig. 32: Create Threads in Loop

AvosLocker’s Linux variant uses the Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.
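Both variants leave the same kind of file-system footprint: a burst of renames to the ".avos"/".avos2"/".avoslinux" extensions from one process, preceded by a ransom note (GET_YOUR_FILES_BACK.txt on Windows, README_FOR_RESTORE on Linux). The following detection logic is an added example written for this page, not code from the Qualys write-up; the event line format, the host and image names, and the thresholds are all assumptions constructed for the example rather than a real EDR schema.

```python
"""Score file-activity events for the AvosLocker on-disk behaviours above.

Added example, not from the Qualys post. Events use a constructed format:
    "<epoch> <host> pid=<n> image=<exe> <rename|create> <path>"
An alert is raised when a process writes one of the ransom-note names, or
renames RENAME_THRESHOLD files to a ransom extension within WINDOW_SECONDS.
"""
from collections import defaultdict, namedtuple
import re

RANSOM_EXTENSIONS = (".avos", ".avos2", ".avoslinux")
RANSOM_NOTES = {"GET_YOUR_FILES_BACK.txt", "README_FOR_RESTORE"}
RENAME_THRESHOLD = 5      # renames to a ransom extension per process ...
WINDOW_SECONDS = 10.0     # ... inside this sliding window (assumed tuning)

Event = namedtuple("Event", "ts host pid image action path")
Alert = namedtuple("Alert", "host pid kind detail")

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"(?P<action>rename|create) (?P<path>.+)$"
)


def parse_event(line):
    """Parse one constructed event line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(float(m["ts"]), m["host"], int(m["pid"]), m["image"],
                 m["action"], m["path"])


def basename(path):
    # Windows and POSIX paths both occur, so split on either separator.
    return re.split(r"[\\/]", path)[-1]


def has_ransom_extension(path):
    return path.lower().endswith(RANSOM_EXTENSIONS)


def detect(lines):
    """Return one Alert per (host, pid, kind); repeats are suppressed."""
    windows = defaultdict(list)   # (host, pid) -> timestamps of recent ransom renames
    alerts, seen = [], set()

    def raise_alert(ev, kind, detail):
        key = (ev.host, ev.pid, kind)
        if key not in seen:
            seen.add(key)
            alerts.append(Alert(ev.host, ev.pid, kind, detail))

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        name = basename(ev.path)
        if ev.action == "create" and name in RANSOM_NOTES:
            raise_alert(ev, "ransom_note", f"{ev.image} wrote {name}")
        elif ev.action == "rename" and has_ransom_extension(ev.path):
            w = windows[(ev.host, ev.pid)]
            w.append(ev.ts)
            # evict timestamps that fell out of the sliding window
            while w and ev.ts - w[0] > WINDOW_SECONDS:
                w.pop(0)
            if len(w) >= RENAME_THRESHOLD:
                raise_alert(ev, "mass_rename",
                            f"{ev.image} renamed {len(w)} files to a ransom "
                            f"extension within {WINDOW_SECONDS:g}s")
    return alerts


# Constructed sample: one benign rename, a Windows process that drops the
# note and renames five files, and an ESXi host that drops the Linux note
# but renames only two files (below the mass-rename threshold).
SAMPLE_EVENTS = """\
1000.0 WIN-FS01 pid=4120 image=explorer.exe rename C:\\Users\\alice\\report.docx.bak
1001.0 WIN-FS01 pid=5512 image=upd.exe create C:\\Shares\\finance\\GET_YOUR_FILES_BACK.txt
1001.2 WIN-FS01 pid=5512 image=upd.exe rename C:\\Shares\\finance\\q1.xlsx.avos2
1001.3 WIN-FS01 pid=5512 image=upd.exe rename C:\\Shares\\finance\\q2.xlsx.avos2
1001.4 WIN-FS01 pid=5512 image=upd.exe rename C:\\Shares\\finance\\q3.xlsx.avos2
1001.5 WIN-FS01 pid=5512 image=upd.exe rename C:\\Shares\\finance\\budget.docx.avos2
1001.6 WIN-FS01 pid=5512 image=upd.exe rename C:\\Shares\\finance\\notes.txt.avos2
2000.0 ESX-01 pid=9981 image=/tmp/enc create /vmfs/volumes/ds1/README_FOR_RESTORE
2000.5 ESX-01 pid=9981 image=/tmp/enc rename /vmfs/volumes/ds1/vm1/vm1.vmdk.avoslinux
2000.6 ESX-01 pid=9981 image=/tmp/enc rename /vmfs/volumes/ds1/vm2/vm2.vmdk.avoslinux
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(f"[{a.kind}] {a.host} pid {a.pid}: {a.detail}")
```

The sliding window matters because the ransomware runs hundreds of encryption threads (200 by default on Windows), so genuine activity arrives as a dense burst; spreading the same renames over minutes, as a backup tool might, stays below the threshold. The ransom-note check fires on a single event, which is the earlier signal since the note is written before the directory's files are encrypted.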
File-related information, along with the encryption key used, appears to be encrypted and then Base64-encoded. This encoded information is appended to the end of each encrypted file (fig. 33).

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-33-File_Related_Info_Adde_At_End.png)
Fig. 33: File-related Info added at the end

Figure 34 shows the malware appending the extension “.avoslinux” to the encrypted file names.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-34-Files_Encrypted.png)
Fig. 34: Append file extension “.avoslinux” after encryption

Before starting file encryption, it creates a ransom note named “README_FOR_RESTORE”. The content of this ransom note is shown in figure 35.

![](https://blog.qualys.com/wp-content/uploads/2022/03/Fig-35-RansomNote.png)
Fig. 35: Ransom Note

The ransom note instructs the victim not to shut down the system while encryption is in progress, to avoid file corruption. It asks the victim to visit the onion address with a TOR browser to pay the ransom and to obtain the decryption key and decryption application.

### Indicators of Compromise (IOCs)

Windows: `C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02`

Linux: `7C935DCD672C4854495F41008120288E8E1C144089F1F06A23BD0A0F52A544B1`

URLs:

* hxxp://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad[.]onion
* hxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad[.]onion

### TTP Map

| Initial Access | Execution | Defense Evasion | Discovery | Impact |
|---|---|---|---|---|
| Phishing (T1566) | User Execution (T1204) | Obfuscated Files or Information (T1027) | System Information Discovery (T1082) | Data Encrypted for Impact (T1486) |
| | | | File and Directory Discovery (T1083) | Inhibit System Recovery (T1490) |
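For incident responders, the artifacts described above (the ransom extensions, the ransom-note file names, the Base64 trailer appended to each encrypted file, and the two sample hashes) can be turned into a static triage pass over a recovered volume. The script below is an added example written for this page, not code from the Qualys post. The page does not document the exact layout of the trailer, so the extractor treats the final run of Base64 characters in the file as the trailer; that heuristic, the constructed sample files, and the placeholder trailer content are assumptions of the example.

```python
"""Triage files on disk for the AvosLocker artifacts described above.

Added example, not from the Qualys write-up. It walks a directory tree and
reports files carrying a ransom extension, ransom notes, files whose SHA-256
matches the listed IoCs, and the decoded Base64 trailer of encrypted files.
"""
import base64
import binascii
import hashlib
import os
import re
import tempfile

RANSOM_EXTENSIONS = (".avos", ".avos2", ".avoslinux")
RANSOM_NOTES = {"GET_YOUR_FILES_BACK.txt", "README_FOR_RESTORE"}
# SHA-256 hashes from the IoC list above, lower-cased for comparison.
IOC_SHA256 = {
    "c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02": "AvosLocker Windows sample",
    "7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1": "AvosLocker Linux sample",
}
# Heuristic (assumption): the trailer is a run of >=16 Base64 characters,
# optional '=' padding, at the very end of the file.
TRAILER_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}\s*$")


def lookup_ioc(digest):
    """Return the IoC label for a hex SHA-256 digest, or None."""
    return IOC_SHA256.get(digest.lower())


def extract_trailer(data):
    """Decode the trailing Base64 block, or return None if none is present.

    Only the last 4 KiB is searched. Ciphertext bytes that happen to be
    Base64 characters can glue onto the front of the run, so up to three
    leading characters are dropped until the length is a multiple of four
    and the block decodes; four or more glued bytes cannot be told apart
    and would surface as garbage at the start of the decoded trailer.
    """
    m = TRAILER_RE.search(data[-4096:])
    if not m:
        return None
    run = m.group(0).strip()
    for skip in range(4):
        chunk = run[skip:]
        if len(chunk) % 4:
            continue
        try:
            return base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue
    return None


def triage_file(path):
    name = os.path.basename(path)
    with open(path, "rb") as f:
        data = f.read()            # whole-file read; fine for a triage pass
    digest = hashlib.sha256(data).hexdigest()
    finding = {
        "path": path,
        "name": name,
        "sha256": digest,
        "ioc": lookup_ioc(digest),
        "ransom_extension": name.lower().endswith(RANSOM_EXTENSIONS),
        "ransom_note": name in RANSOM_NOTES,
        "trailer": None,
    }
    if finding["ransom_extension"]:
        finding["trailer"] = extract_trailer(data)
    return finding


def triage_tree(root):
    """Return findings for every file that matches at least one indicator."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            findings.append(triage_file(os.path.join(dirpath, fn)))
    return [f for f in findings if f["ioc"] or f["ransom_extension"] or f["ransom_note"]]


# Constructed placeholder standing in for the real (undocumented) trailer.
CONSTRUCTED_TRAILER = b"constructed-trailer: key material would go here"


def build_sample_tree(root):
    """Write constructed files: two 'encrypted' files, a ransom note, a benign file."""
    fake_ciphertext = bytes(range(256)) * 4   # deterministic; ends in 0xFF
    trailer = base64.b64encode(CONSTRUCTED_TRAILER)
    with open(os.path.join(root, "q1.xlsx.avos2"), "wb") as f:
        f.write(fake_ciphertext + trailer)
    with open(os.path.join(root, "GET_YOUR_FILES_BACK.txt"), "w") as f:
        f.write("constructed ransom note placeholder\n")
    os.makedirs(os.path.join(root, "vmfs"), exist_ok=True)
    with open(os.path.join(root, "vmfs", "vm1.vmdk.avoslinux"), "wb") as f:
        f.write(fake_ciphertext + trailer)
    with open(os.path.join(root, "memo.txt"), "w") as f:
        f.write("an ordinary file that should not be flagged\n")


def run_demo():
    root = tempfile.mkdtemp(prefix="avos-triage-")
    build_sample_tree(root)
    return triage_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f["name"], f["sha256"][:16], f["ioc"], f["ransom_extension"],
              f["ransom_note"], f["trailer"])
```

The decoded trailer is what the write-up says holds the per-file encryption information; preserving it intact is the reason the ransom note warns against rebooting mid-encryption, and it is also why responders should image encrypted files rather than copy them through tools that might strip trailing data.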