[German]Ransomware groups continue to develop new tactics, techniques, and procedures (TTPs) to bypass protections during attacks. On the other hand, protections on endpoints and networks continue to evolve. The Microsoft Detection and Response Team (DART) published a case report the days where it was revealed how attackers use Avast Anti-Rootkit driver to perform elevation of privilege in ransomware attacks.
Advertising
I came across the issue the other day via the following tweet, which the Microsoft Detection and Response Team (DART) disclosed in the article Defenders beware: A case for post-ransomware investigations.
The article describes the findings from a recent ransomware incident. This attack used a number of standard tools and techniques, such as the use of living-off-the-land binaries, to spread its malicious code. To gain persistence on the network, Cobalt Strike software was used with NT AUTHORITY/SYSTEM (local SYSTEM) privileges. This allowed attackers to maintain access to the network after resetting passwords of compromised accounts.
Living-off-the-land means that the attackers misuse binaries that already exist on a system. These can be .exe and .dll files or drivers from Windows or applications that are run by the system with appropriate permissions. If an attacker manages to access these binaries, he can gain their permissions.
Cobalt Strike is a software with flexible features to simulate industrial espionage on one's network, test defensive measures and increase one's computer security. However, it is also commonly used by real attackers such as APT groups or ransomware gangs.
Services and scheduled tasks have the option to run as NT AUTHORITY\System. If malicious code succeeds in gaining access to services or is able to create tasks, this enables its execution with highly privileged access. When analyzing the compromised systems, the Microsoft team found several scheduled tasks and services that were created by the attackers to permanently infiltrate the system. Previously, they had gained access to highly privileged credentials.
Because the attacker created these tasks and services on a domain controller, they were able to easily access domain administrator accounts thanks to local SYSTEM access. By deploying a backdoor on a domain controller, the attacker was able to bypass common recovery measures, such as resetting compromised accounts, to respond to an incident and remain on the network.
Advertising
The attacker used an anti-rootkit driver from Avast to gain appropriate privileges. Unit 42 recently published a blog post about how Cuba ransomware groups used this driver to disable antivirus software before deploying the Cuba ransomware. I had documented a similar case for Defender in the blog post Lockbit attackers abuse Windows Defender to load Cobalt Strike.
In the current case, the attacker installed the driver with the "sc" command, enabling kernel-level permissions. He then started the service with "sc start aswSP-ArPot2". This service was used by the actor to disable victims' antivirus products through kernel permissions. Disabling the antivirus products on the victims' network ensured that the ransomware could spread without quarantining or preventing the malware.
In this blog post, the Microsoft team detailed the step-by-step approach to infiltrate the system and then take root. This incident also showed that an attacker can have a long dwell time on a network before bringing their ransomware to run.
Microsoft recommends proactively looking for behaviors that precede ransomware and hardening the network to prevent impact. For more information on defending against ransomware incidents, click here.
Full statement Avast:
Cuba locker ransomware is abusing a vulnerability in an old version of the Avast Anti-Rootkit Driver aswArPot.sys to evade detection by antivirus solutions. Avast fixed the driver vulnerability in our Avast 21.5 release in June 2021, and worked closely with Microsoft so they were able to release a block in the Windows operating systems 10 and 11, preventing the older version of the Avast driver to be loaded to memory.
To stay protected against this vulnerability, we recommend users update their Windows operating system with the latest security updates from Microsoft, and use a fully updated antivirus program. All consumer and business antivirus versions of Avast and AVG detect and block this Cuba ransomware variant, so our users are protected from this attack vector. Avast and AVG also block the loading of the vulnerable aswarpot driver, without notifying the user, so our technology protects against this type of malware before it can even get started.
Advertising