My latest blog: Decoding a New JavaScript Malware Campaign!
🔗 https://www.th3protocol.com/2023/New-JS-Malware-Fake-Invoices
Earlier today researchers from HuntressLabs shared observations about an #AvosLocker case involving Rclone. They identified the initial access as a JavaScript file named "Invoice-DocuSign-Mar03-2023.js".
In my blog post I walk through analyzing this JavaScript malware, identifying persistence and decoding C2 traffic!
#IOCs: https://github.com/colincowie/colincowie.github.io/blob/master/assets/iocs/js_avoslocker/file_iocs.csv
🔗 PoC for decoding the C2 traffic:
https://gist.github.com/colincowie/2bb637259c38e1c6da3f2464ec92ed0e
💬 Author's note:
Recently I've been feeling a little bit burnt out - this research excited me and provided some internal encouragement 😃
#ThreatIntel #CTI #Malware #Ransomware #JavaScript #VirusTotal
AvosLocker looks to be taking a more active stance in purchasing access. They've moved from bidding in single auctions to listing a purchase offer for any valid privileged RDP/VPN/Citrix/RDWeb/Pulse Secure access. #ThreatIntelligence #ThreatIntel #CTI #Ransomware #AvosLocker #CTITuesday
After a several-week hiatus #AvosLocker has started bidding in auctions held by initial access brokers again. I expect to see new victims posted soon on their blog. #OSINT #ThreatIntel #CTI #ransomware #thrunting
Looks like #AvosLocker has apparently stopped buying up access on darknet forums as of 11/17 and is getting close to the two-month mark of no publicly posted victims. Going out with a whimper or rebranding? Only time will tell. #ThreatIntelFeed #ThreatIntel #CTI #ransomware #thrunting
Has anyone else noticed that #AvosLocker hasn't posted to their blog in over 40 days? I wonder if they're rebranding or trying to keep a low profile. They are still posting on certain forums buying up access 👀
IOCs for #AvosLocker ransomware
https://borncity.com/win/2022/03/21/us-behrden-verffentlichen-neue-icos-der-avoslocker-ransomware/
📬 AvosLocker: After mistakenly attacking a police department, ransomware gang provides free decryption #Hacking #Malware #AnyDesk #AvosLocker #pancak3 #Polzeiangriff #Ransomware #REvil #SophosLabs https://tarnkappe.info/avoslocker-nach-irrtuemlichen-polzeiangriff-sorgt-ransomware-bande-fuer-gratis-entschluesselung/
📬 AvosLocker: Gigabyte once again the victim of ransomware extortion #Hacking #AvosLocker #Gigabyte #RansomEXX #RansomwareAngriff #RansomwareErpressung https://tarnkappe.info/avoslocker-gigabyte-erneut-opfer-einer-ransomware-erpressung/