{
	"id": "4f53de0b-6726-406d-be22-b345dd803234",
	"created_at": "2026-04-06T00:15:01.352504Z",
	"updated_at": "2026-04-10T13:12:16.391912Z",
	"deleted_at": null,
	"sha1_hash": "235a541b7e525eb1a5e7ad090f4ef07590411f0a",
	"title": "AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 193380,
	"plain_text": "AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection\r\nBy The Hacker News\r\nPublished: 2022-05-03 · Archived: 2026-04-05 15:48:46 UTC\r\nCybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.\r\n\"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (aswArPot.sys),\" Trend Micro researchers, Christoper Ordonez and Alvin Nieto, said in a Monday analysis.\r\n\"In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap NSE script.\"\r\nAvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.\r\nA ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.\r\nhttps://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html\r\nOther targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.\r\nTelemetry data gathered by Trend Micro shows that the food and beverage sector was the most-hit industry between July 1, 2021 and February 28, 2022, followed by the technology, finance, telecom, and media verticals.\r\nThe entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho's ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.\r\n\"The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the [command-and-control] server to execute arbitrary commands,\" the researchers explained.\r\nThis includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.\r\nSome of the components copied to the infected endpoint are an Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints.\r\nThe batch script, for its part, is equipped with a wide range of capabilities that allow it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.\r\nAlso used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver that the Czech company resolved in June 2021.\r\n\"The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege),\" the researchers pointed out. \"This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice.\"\r\nSource: https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html"
	],
	"report_names": [
		"avoslocker-ransomware-variant-using-new.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/235a541b7e525eb1a5e7ad090f4ef07590411f0a.pdf",
		"text": "https://archive.orkl.eu/235a541b7e525eb1a5e7ad090f4ef07590411f0a.txt",
		"img": "https://archive.orkl.eu/235a541b7e525eb1a5e7ad090f4ef07590411f0a.jpg"
	}
}