After about five seconds, the adversary has total undetectable, remote control of the targeted host. AvosLocker Ransomware cleverly combines tactics to disable endpoint defenses. Vendors started adding new pattern matching detection data in December 2021 to better recognize AvosLocker-like attacks. A better approach for enterprises is to add a non-detection-based layer of protection to their endpoints to block AvosLocker-like attacks when no detection-data yet exists.
Pattern matching malware detection, whether looking for files or behaviors, cannot always recognize attacks, especially in their early stages. Noisy activities such as deleting or encrypting numerous files are very recognizable, however. By the time AvosLocker performs such noisy activities, detection tools are already disabled. This is accomplished by getting the targeted Windows endpoints to run in “Safe Mode”. Many endpoint protection tools do not operate in “Safe Mode”.
Before restarting the host into “Safe Mode”, AvosLocker alters registry keys that control whether “Safe Mode” capable endpoint protection tools may run. Nothing can detect what AvosLocker does at this point.
Before triggering “Safe Mode”, AvosLocker installs AnyDesk and disables Windows Updates. AnyDesk is an endpoint management tool. By installing it, adversaries could remotely delete, install, modify, or run just about anything on the host in “Safe Mode”. AvosLocker disables Windows Updates presumably to prevent Microsoft from pushing AvosLocker-specific pattern matching detection data to the compromised host before the adversaries are done. Ransomware professionals sometimes infect and return weeks to months later.
The samples that we have seen all have the attack launching via PDQ Deploy, another endpoint management tool. All of the above could begin in a different manner. To begin with PDQ Deploy, it must either be already installed and its administrative control stolen, or it must be covertly installed. The former requires them to steal admin credentials for the tool. The latter requires that a very considerable compromise has already succeeded.
How AppGuard Defeats AvosLocker
The recently observed AvosLocker attacks began with PDQ Deploy. If your organization has not installed this on its endpoints, AppGuard’s default policies would block illegitimate installation, defeating such attacks at the first stage. If it has been legitimately deployed, then the adversaries must compromise your administrative credentials before they can conduct the later stages. As PDQ Deploy is an endpoint management tool that must be allowed by security tools to make very sensitive additions and deletions, enterprises must be vigilant in safeguarding these credentials.
From here on, we’ll look at AvosLocker in a more generalized manner whereby somehow, someway the shell script is downloaded and triggered on a targeted endpoint without PDQ Deploy. If this script starts from user-space or another launch/load restricted folder, then AppGuard would block it. If it somehow starts from someplace else, then AppGuard’s OS utility prohibitions would neutralize the attack. OS utilities are also known as living off the land binaries (LOLbins) among cybersecurity people. AppGuard enforces policies that prevent adversaries from using dangerous LOLbins to do harm. The observed AvosLocker scripts rely entirely on LOLbins. Sometimes AppGuard policy must allow a LOLbin to run to allow legitimate workflows. AppGuard then applies containment controls to restrict the allowed actions of the LOLbin.
The malicious .bat script intended to do the following actions, which AppGuard prevented:
- Alter “Safe Mode” registry keys such that select endpoint protection tools would not operate when the host runs in “Safe Mode”
- Disable Windows Defender features
- Disable Windows Updates
- Create new local administrator user account
- Install AnyDesk and trigger it to run when the host operates in “Safe Mode”
- Restart host in “Safe Mode”
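The stages above rarely stand out one at a time (an administrator also creates accounts and reboots hosts), so a detector should look for several of them on one host. As an added example, not AppGuard's code nor anything from the AvosLocker script, the Python below runs that logic over constructed Sysmon-style events; the host names, the "ExampleEDR" service name and the event field names are assumptions.

```python
import re

# One detection pattern per stage of the .bat script described above.
# Each entry is (event id, field to inspect, regex). Event ids follow Sysmon:
# 1 = process creation, 13 = registry value set. Registry paths are the
# standard Windows policy and SafeBoot locations.
STAGES = {
    "safeboot_tamper": (13, "target", r"\\Control\\SafeBoot\\(Minimal|Network)\\"),
    "defender_off":    (13, "target", r"\\Policies\\Microsoft\\Windows Defender\\"),
    "update_off":      (13, "target", r"\\WindowsUpdate\\AU\\NoAutoUpdate$"),
    "admin_created":   (1,  "cmd",    r"(?i)localgroup\s+administrators\s+\S+\s+/add"),
    "remote_tool":     (1,  "image",  r"(?i)\\anydesk[^\\]*\.exe$"),
    "safeboot_reboot": (1,  "cmd",    r"(?i)bcdedit.*\bsafeboot\b"),
}

def classify(event):
    """Return the stage names a single event matches (usually zero or one)."""
    return [name for name, (eid, field, pattern) in STAGES.items()
            if event["id"] == eid and re.search(pattern, event.get(field, ""))]

def stages_by_host(events):
    """Map each host to the sorted set of distinct stages observed on it."""
    seen = {}
    for ev in events:
        for stage in classify(ev):
            seen.setdefault(ev["host"], set()).add(stage)
    return {host: sorted(stages) for host, stages in seen.items()}

def alerts(events, min_stages=3):
    """Hosts on which enough distinct stages co-occur to warrant an alert.
    The threshold keeps a single legitimate admin action from paging anyone."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)

# Constructed sample telemetry: ws01 shows the whole chain, ws02 a lone admin task.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 13, "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExampleEDR"},
    {"host": "ws01", "id": 13, "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"host": "ws01", "id": 13, "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate"},
    {"host": "ws01", "id": 1, "image": r"C:\Windows\System32\net.exe", "cmd": "net localgroup administrators svc_backup /add"},
    {"host": "ws01", "id": 1, "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "cmd": "AnyDesk.exe"},
    {"host": "ws01", "id": 1, "image": r"C:\Windows\System32\bcdedit.exe", "cmd": "bcdedit /set {current} safeboot network"},
    {"host": "ws02", "id": 1, "image": r"C:\Windows\System32\net.exe", "cmd": "net localgroup administrators helpdesk /add"},
    {"host": "ws02", "id": 1, "image": r"C:\Windows\System32\sc.exe", "cmd": "sc query Spooler"},
]

if __name__ == "__main__":
    print(stages_by_host(SAMPLE_EVENTS))
    print("alert:", alerts(SAMPLE_EVENTS))  # alert: ['ws01']
```

Feeding real Sysmon or EDR telemetry into the same shape (host, id, target/image/cmd) is all that is needed to run it outside the sample.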
Detection-based tools must recognize either malicious files or behavior patterns. Some behavior patterns are not recognized until a number of attack stages have been executed. If recognition does not occur soon enough, malware can successfully attack endpoint protection tools. In this case, AvosLocker triggers “Safe Mode” to avoid endpoint protection tools that do not operate in “Safe Mode”. For some tools that do operate in “Safe Mode”, it essentially changes their “Safe Mode” setting to ‘off’. Thus, once in “Safe Mode”, AvosLocker could do whatever it wants without anything surviving to detect it. Then again, if AppGuard is protecting the same host, AvosLocker cannot do any of the actions leading to that. AppGuard does this without having to recognize anything; it is a controls-based protection enforcing zero trust principles. Adding AppGuard to whatever detection-based tools protect your endpoints substantially improves an endpoint’s odds of withstanding sophisticated malware attacks.