Sophos, a global leader in cybersecurity, revealed on Monday that hackers attempted to bypass security controls using a combination of Windows Safe Mode and AnyDesk remote administration tool.
Windows Safe Mode is a troubleshooting mode used by IT support to resolve problems; it starts Windows with most security and IT administration tools disabled. AnyDesk is a remote administration tool that provides continuous remote access.
“Sophos discovered that the AvosLocker attackers had installed AnyDesk so it would work in Safe Mode, tried to disable components of security solutions running in Safe Mode, and then ran the ransomware in Safe Mode. This builds on a scenario where attackers have full remote control over every machine they have set up with AnyDesk, while the target organization is locked out of remote access to those computers,” Peter Mackenzie, director of incident response at Sophos, said in a statement. Sophos has never seen some of these components used with ransomware before, and certainly not together.
According to Sophos, AvosLocker is a relatively new ransomware-as-a-service that first appeared in late June 2021 and is growing in popularity. The Sophos Rapid Response team has so far observed AvosLocker attacks targeting Windows and Linux systems in the US, Middle East and Asia-Pacific.
Sophos researchers investigating the ransomware deployments found that the main sequence begins with the attackers using PDQ Deploy to push and execute batch scripts called “love.bat,” “update.bat,” or “lock.bat” on target machines. The script issues and repeatedly applies a series of commands that prepare the machines for the release of the ransomware and then reboots them into Safe Mode.
The command sequence takes about five seconds to execute and includes disabling Windows Update services and Windows Defender and then attempting to disable components of commercial security software solutions that can run in Safe Mode.
It then installs the legitimate remote administration tool AnyDesk and configures it to run in Safe Mode with networking, ensuring continuous command and control for the attacker. Finally, it sets up a new account with auto-login details and connects to the target’s domain controller to remotely access and run the ransomware executable, called update.exe.
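One way a defender could spot this preparation chain in process-creation telemetry, as an added example that is not Sophos’s or the article’s own code: the exact command forms, registry paths and sample events below are assumptions and constructed data, not details taken from the report.

```python
import re
from collections import defaultdict

# Command-line patterns for the preparation steps the article describes: disabling
# Defender, registering a service to start in Safe Mode with networking, enabling
# auto-login, and forcing the next boot into Safe Mode. These command forms are
# assumptions based on standard Windows tooling, not text from the page.
STAGES = {
    "disable_defender": re.compile(r"\bWinDefend\b.*\bstart=\s*disabled\b", re.I),
    "safeboot_service": re.compile(r"\\Control\\SafeBoot\\(?:Network|Minimal)\\", re.I),
    "autologon":        re.compile(r"\\Winlogon\b.*\bAutoAdminLogon\b", re.I),
    "safeboot_reboot":  re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I),
}

# Constructed sample process-creation events (not real telemetry); ts is in seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS01", "cmd": r"sc config WinDefend start= disabled"},
    {"ts": 101, "host": "WS01", "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk" /ve /d Service /f'},
    {"ts": 102, "host": "WS01", "cmd": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f'},
    {"ts": 103, "host": "WS01", "cmd": r"bcdedit /set {default} safeboot network"},
    {"ts": 104, "host": "WS01", "cmd": r"shutdown /r /t 0"},
    # A lone Safe Mode boot by a helpdesk technician should not trigger an alert.
    {"ts": 500, "host": "WS02", "cmd": r"bcdedit /set {default} safeboot minimal"},
    # An auto-login change hours later on the same host is outside the window.
    {"ts": 9000, "host": "WS02", "cmd": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /d 1 /f'},
]

def classify(cmd):
    """Return the names of the preparation stages a single command line matches."""
    return [name for name, rx in STAGES.items() if rx.search(cmd)]

def find_safe_mode_prep(events, window=300, min_stages=3):
    """Per host, flag a Safe Mode reboot that is preceded within `window` seconds by
    at least `min_stages` distinct preparation steps. Returns {host: sorted stages}."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(ev["cmd"]):
            by_host[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, hits in by_host.items():
        for ts, stage in hits:
            if stage != "safeboot_reboot":
                continue  # only a Safe Mode boot completes the chain
            seen = {s for t, s in hits if ts - window <= t <= ts}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
    return alerts

if __name__ == "__main__":
    for host, stages in find_safe_mode_prep(SAMPLE_EVENTS).items():
        print(f"{host}: Safe Mode ransomware staging suspected ({', '.join(stages)})")
```

The window and stage threshold are tunable; a single Safe Mode boot is routine support activity, so the alert fires only when several of the preparation steps cluster on one host before the reboot.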
“The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow attackers to maintain remote access to machines throughout the attack,” said Mackenzie.