[MART] - Daily Diary #502 - AvosLocker Abusing Avast Driver to Disable AV Protections

CTAS-MAT ctas-mat at appgate.com
Tue May 3 21:32:40 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

05/03/2022 - Diary entry #502

In our Daily Diaries #366, #418, #422, and #429 we covered AvosLocker, one of the many ransomware families currently operating under the Ransomware-as-a-Service business model. This month a new AvosLocker campaign was found abusing a trusted, legitimately signed Avast driver to attack installed AV solutions.

The abused driver is aswArPot.sys, part of the Avast Anti-Rootkit component. In June 2021, Avast disclosed a vulnerability in that driver that allowed other processes to call a driver routine to kill arbitrary processes. Although the vulnerability has since been fixed, the malware drops the outdated, vulnerable version of the driver on the system and calls that routine against other AV processes, letting it disable defenses before deploying the ransomware.

The malware also abuses other recent vulnerabilities, like Log4Shell (covered in our Daily Diaries #410 and #414) and CVE-2021-40539 (a Zoho ManageEngine ADSelfService Plus flaw, used to execute HTML files hosted on remote servers). The growing exploitation toolkit suggests the cybercrime group behind AvosLocker is well funded, and we can expect further attacks leveraging these new capabilities to be disclosed. We highly recommend never paying the ransom, as it provides resources for criminal groups to purchase new exploits or to hire developers and third-party malware-as-a-service offerings to scale their attacks.
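As an added example (not part of the MART diary entry and not Appgate's tooling), the following Python script shows one way to hunt for the bring-your-own-vulnerable-driver pattern described above in Sysmon-style telemetry: it flags a load of aswArPot.sys from outside the Avast install directory and raises the severity when AV processes are terminated shortly afterwards. The driver install path, the AV process names, the 60-second window and every event record below are assumptions constructed for the example, not observations from the campaign.

```python
"""Hunt for a bring-your-own-vulnerable-driver (BYOVD) pattern in Sysmon telemetry.

Constructed example: the records below are hand-written stand-ins for Sysmon
Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate) events, not real logs.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver name reported as abused. Matching on name alone is weak (the file can
# be renamed); production rules should key on file hash or signer+version.
ABUSED_DRIVERS = {"aswarpot.sys"}

# Assumed legitimate install location of the Avast driver (assumption, not from
# the diary). A load of the driver from anywhere else is the BYOVD signal.
EXPECTED_DIRS = {"c:\\program files\\avast software"}

# Assumed AV process names to watch for termination after the driver load.
AV_PROCESSES = {"msmpeng.exe", "avp.exe", "aswidsagent.exe"}

WINDOW = timedelta(seconds=60)

# Constructed sample events (Sysmon field names, values invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2022-05-03 10:00:00",
     "ImageLoaded": r"C:\Program Files\Avast Software\Avast\aswArPot.sys",
     "Signature": "Avast Software s.r.o.", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2022-05-03 11:00:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Same signed driver, dropped into a world-writable directory by the attacker.
    {"EventID": 6, "UtcTime": "2022-05-03 12:00:00",
     "ImageLoaded": r"C:\Users\Public\aswArPot.sys",
     "Signature": "Avast Software s.r.o.", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2022-05-03 12:00:07",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2203.5-0\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2022-05-03 12:00:09",
     "Image": r"C:\Windows\System32\notepad.exe"},
    # AV termination outside the correlation window: not attributed to the load.
    {"EventID": 5, "UtcTime": "2022-05-03 12:05:00",
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_suspicious_driver_load(event):
    """True for a DriverLoad of a known-abused driver outside its vendor directory."""
    if event.get("EventID") != 6:
        return False
    path = PureWindowsPath(event["ImageLoaded"])
    if path.name.lower() not in ABUSED_DRIVERS:
        return False
    parent = str(path.parent).lower()
    return not any(parent.startswith(d) for d in EXPECTED_DIRS)


def hunt(events):
    """Return findings: each suspicious driver load plus AV terminations within WINDOW.

    A valid signature does not lower the severity: BYOVD relies on the driver
    being legitimately signed, which is exactly why the loader accepts it.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    findings = []
    for index, event in enumerate(ordered):
        if not is_suspicious_driver_load(event):
            continue
        t0 = parse_time(event["UtcTime"])
        kills = [
            e["Image"] for e in ordered[index + 1:]
            if e.get("EventID") == 5
            and t0 <= parse_time(e["UtcTime"]) <= t0 + WINDOW
            and PureWindowsPath(e["Image"]).name.lower() in AV_PROCESSES
        ]
        findings.append({
            "driver": event["ImageLoaded"],
            "signed": event.get("SignatureStatus") == "Valid",
            "av_terminations": kills,
            "severity": "high" if kills else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the only finding is the load from C:\Users\Public, rated high because Defender's MsMpEng.exe is terminated seven seconds later, while the identical driver loaded from the Avast directory is ignored. Because the dropped driver carries a valid vendor signature, signature checks alone do not catch this; pinning the driver's hash or version against the vendor's fixed release, and blocking known-vulnerable driver hashes at load time, are the stronger preventive controls.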

Kind Regards,




Felipe Duarte Domingues
Manager, MART
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509


