
New Avalon Malware Framework Enhances CrownX Ransomware Features


Cybersecurity researchers have uncovered a previously unknown modular malware framework known as Avalon, which is spread through a multi-stage phishing chain designed to circumvent traditional email security controls. The finding illustrates how threats continue to evolve: Avalon integrates credential harvesting, lateral movement, remote access, disruption of recovery processes, and ransomware deployment in a single framework. The ransomware component has been designated CrownX.

The attack begins with a carefully crafted email disguised as a legal document. Recipients are directed to retrieve a password-protected archive hosted on Proton Drive. Blackpoint Cyber researchers Nevan Beal and Sam Decker explained that the malicious content is embedded within an ISO image rather than attached directly to the email, a tactic that significantly reduces the likelihood of detection at the email level.

When a user opens the document-themed Windows Shortcut labeled “Secure Document CA-283505.pdf.lnk” contained within the mounted ISO image, a multi-stage malware sequence is set in motion that ends with the full deployment of Avalon. Specifically, the shortcut executes a command that triggers an MSBuild project located within the ISO image, launching the rest of the chain.

The MSBuild project plays a pivotal role: it loads an embedded .NET assembly that interferes with Event Tracing for Windows (ETW), reducing forensic visibility, and then retrieves a second-stage payload over HTTPS that executes Avalon. The framework is equipped with a defense evasion subsystem designed to elude detection and incorporates methods for concealing its execution from security tools, including those from Microsoft Defender, CrowdStrike, Sophos, and Bitdefender.

According to the researchers, Avalon’s capabilities provide a range of avenues to minimize telemetry, bypass user-mode monitoring, and adapt execution based on the defensive measures present on the affected host. The framework is laden with features that empower it to harvest sensitive information, including:

  1. Credential Retrieval: It gathers credentials, cookies, browsing history, and bookmarks from browsers like Chromium-based ones and Mozilla Firefox.
  2. Data Acquisition: It collects information from cryptocurrency wallet applications such as MetaMask and Coinbase Wallet, along with data from apps like Discord, Slack, and OpenVPN.
  3. System Information Capture: It extracts details regarding SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences.
  4. Remote Exfiltration: It sends acquired data to a command-and-control (C2) server, polling for further instructions.
  5. Reconnaissance: Avalon assesses potential systems to broaden the scope of its compromise.
  6. File Encryption: Utilizing the Windows Cryptography API, it encrypts files vital to business operations and generates a ransom note that specifies payment instructions and deadlines to apply psychological pressure.
  7. System Recovery Prevention: It disrupts recovery mechanisms by terminating the Volume Shadow Copy Service and deleting shadow copies.
  8. Anti-Forensic Measures: The framework employs an anti-forensic cleanup subsystem to obscure traces, complicating incident response efforts.
  9. Disk Interaction: It directly manipulates disk structures, likely to damage partition information and boot records, rendering systems inoperable.
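As an added defensive illustration (example code written for this page, not code from the Blackpoint report or from Avalon itself), the following Python runs two detection rules over constructed process-creation events: MSBuild being handed a project file that lives on a non-fixed drive letter, as happens with a mounted ISO, and shadow-copy deletion or VSS service stops, the recovery-prevention step described above. It assumes the host's only fixed volume is C:, that the ISO mounted as E:, and that the events carry pid, ppid, image and cmdline fields as Sysmon-style telemetry does.

```python
import re

# Constructed Sysmon-style process-creation events (sample data made up for this
# example; none of these values are indicators from the Blackpoint report).
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # user opens the .lnk inside the ISO mounted as E:; its target launches MSBuild
    {"pid": 412, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c MSBuild.exe "E:\Secure Document CA-283505.xml"'},
    {"pid": 420, "ppid": 412, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "E:\Secure Document CA-283505.xml"'},
    # benign: a developer build of a project on the fixed C: drive
    {"pid": 600, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    # benign admin query, then the recovery-prevention step spawned under the MSBuild stage
    {"pid": 650, "ppid": 400, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 700, "ppid": 420, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]

FIXED_DRIVES = {"C:"}  # assumption: the host's only fixed volume; an ISO mount gets another letter
PROJECT_ARG = re.compile(r'([A-Za-z]:)\\[^"\r\n]*?\.(?:xml|csproj|proj|targets)\b', re.I)
SHADOW_TAMPERING = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|(sc|net)(\.exe)?\s+stop\s+vss\b",
    re.I)

def ancestors(events, pid):
    # Walk pid -> ppid links and return ancestor image names, nearest first.
    by_pid = {e["pid"]: e for e in events}
    chain, e = [], by_pid.get(pid)
    while e and e["ppid"] in by_pid:
        e = by_pid[e["ppid"]]
        chain.append(e["image"].rsplit("\\", 1)[-1].lower())
    return chain

def detect(events):
    # One hit per matching event, with its process lineage attached for triage.
    hits = []
    for e in events:
        rule = None
        if e["image"].rsplit("\\", 1)[-1].lower() == "msbuild.exe":
            m = PROJECT_ARG.search(e["cmdline"])
            if m and m.group(1).upper() not in FIXED_DRIVES:  # project file on a mounted ISO
                rule = "msbuild_project_on_removable_drive"
        elif SHADOW_TAMPERING.search(e["cmdline"]):
            rule = "shadow_copy_tampering"
        if rule:
            hits.append({"rule": rule, "pid": e["pid"], "chain": ancestors(events, e["pid"])})
    return hits
```

The lineage attached to each hit is what lets an analyst see that the shadow-copy deletion descends from the same MSBuild process that the shortcut launched, rather than from an administrator's console.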

Researchers at Blackpoint Cyber noted that while CrownX represents the final stage of extortion, the damages extend significantly beyond just encryption. Before the ransom note surfaces, the broader capabilities of Avalon already facilitate credential collection, establish C2 communications, create numerous paths for lateral movement, and undermine local recovery options.

In a somewhat alarming trend, Avalon appears to exhibit characteristics of artificial intelligence (AI)-assisted development. This development signifies that multiple components can be assembled with minimal regard for sophisticated techniques or operational security, suggesting that even those with limited technical prowess can create effective malicious tools. Consequently, the presence of advanced capabilities cannot be regarded as a clear marker of a threat actor’s sophistication.

The findings reflect a broader pattern in the threat landscape. The kill chain demonstrates how commonplace business lures can evolve into sophisticated, reusable frameworks engineered to harvest credentials and stage multiple follow-on actions from a single compromised endpoint.

Adding to the complexity of the current cybersecurity threat environment, Sysdig has recently reported on what it claims to be the first documented instance of an agentic ransomware infection driven by a large language model (LLM). This operation, identified by the codename JADEPUFFER, gained initial access through a publicly accessible Langflow instance before executing an entirely automated campaign targeting a victim’s production database.

The implications of these findings are profound. As cybersecurity threats continue to evolve, the barriers to entry for malicious actors may diminish, allowing even those with minimal expertise to perpetrate significant threats. This evolving landscape necessitates a proactive and informed response from cybersecurity professionals to safeguard sensitive information and mitigate the risk of future incidents.
