────────────────────────
Community Resource
Variant analyzed: file extension “.adv”
────────────────────────
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmation of File Extension: All encrypted files receive the additional suffix .adv (example: document.docx → document.docx.adv).
- Renaming Convention: The malware does not change the original base-name; only an appended extension is added. No prefix, random bytes, or e-mail address are introduced into the filename.
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: Strings timestamped inside both the encryptor and the accompanying ransom note (“FILES_BACK.txt”) indicate compilation on 14 Apr 2023 08:49:26 UTC. Hybrid-Analysis and VirusTotal first submissions appeared 18 Apr 2023, so mass-spam campaigns correlating with that timeframe are reasonable.
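To scope an incident against the naming convention in section 1 (base name retained, .adv appended, FILES_BACK.txt dropped per directory), here is an added Python triage script; it is not code from the original resource. The directory tree it scans is constructed in a temp directory so the script runs offline; in practice point `scan_tree` at a mounted, read-only evidence copy. Stripping the suffix gives the original name, which is what lets a recovery team match encrypted files against backup inventories.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".adv"        # suffix appended by the variant (from the resource above)
RANSOM_NOTE = "FILES_BACK.txt"   # ransom note dropped alongside encrypted files


def scan_tree(root):
    """Walk `root` and record every .adv file and every ransom note found.

    Each encrypted entry is (encrypted_path, inferred_original_path, original_still_present).
    Because the variant only appends the suffix, stripping it recovers the original name.
    """
    encrypted, notes = [], []
    for dirpath, _subdirs, files in os.walk(root):
        present = set(files)
        for name in sorted(files):
            if name == RANSOM_NOTE:
                notes.append(dirpath)
            elif name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]
                encrypted.append((os.path.join(dirpath, name),
                                  os.path.join(dirpath, original),
                                  original in present))   # True would suggest an interrupted run
    return {"encrypted": encrypted, "notes": notes}


def summarize_by_extension(result):
    """Count encrypted files by their original extension, to prioritise restores."""
    counts = defaultdict(int)
    for _enc, original, _present in result["encrypted"]:
        counts[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return dict(counts)


def build_sample_tree():
    """Constructed sample tree (not real victim data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="adv-scope-")
    docs = os.path.join(root, "Users", "Alice", "Documents")
    pics = os.path.join(root, "Users", "Alice", "Pictures")
    nas = os.path.join(root, "NAS")
    for d in (docs, pics, nas):
        os.makedirs(d)
    for path in (os.path.join(docs, "report.docx.adv"),
                 os.path.join(docs, "budget.xlsx.adv"),
                 os.path.join(docs, "notes.txt"),          # untouched file
                 os.path.join(docs, RANSOM_NOTE),
                 os.path.join(pics, "holiday.jpg.adv"),
                 os.path.join(pics, RANSOM_NOTE),
                 os.path.join(nas, "archive.zip")):         # backup volume left alone
        with open(path, "w") as fh:
            fh.write("sample content\n")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files, "
          f"{len(result['notes'])} directories with {RANSOM_NOTE}")
    for enc, original, still_there in result["encrypted"]:
        flag = "  [original still present]" if still_there else ""
        print(f"  {enc} -> restore as {original}{flag}")
    print("by original extension:", summarize_by_extension(result))
```

The per-extension summary is the first thing to hand to whoever owns the backups: it tells them which data classes (documents, spreadsheets, images) need restoring before anyone looks at individual paths.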
3. Primary Attack Vectors
(adv is not a worm; propagation is opportunistic and human-driven)
| Channel | Technique | Notes | Mitigation |
|---|---|---|---|
| Phishing Emails | Malicious Office 365-hosted links delivering a password-protected zip (RFQ_2023.zip → info.js) that launches a PowerShell stager. | Uses OneDrive share links to fly under SMTP filters. | Block O365 macro auto-run; mark external share links visually. |
| RDP / Brute Force | Misconfigured, port-forwarded RDP (3389) with weak credentials → dropped via rdpwrap.dll sideload. | Observed in 28 % of IR cases. | Disable RDP via GPO; require MFA (Duo, Azure AD). |
| VPN Appliances / CVEs | Public-facing Fortinet FortiOS with CVE-2022-42475 and Ivanti Connect Secure with CVE-2023-23397 were the entry point at two educational networks. | Patch priority: FG-IR-22-398, Ivanti SA. | Patch immediately; enable IPS signatures. |
| Living-off-the-land (LotL) | Uses the legitimate tools `vssadmin delete shadows /all`, `bcdedit /set safeboot network`, and `wevtutil cl Security` to evade detection. | Cleared logs hamper forensics. | Restrict vssadmin.exe & wevtutil.exe with SRP. |
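As a detection-side companion to the LotL row above, here is an added Python example (not code from the original resource) that turns the three commands listed there into rules and runs them over process-creation events, then escalates a host when more than one technique fires within a short window. The log lines, host names and user names are constructed for the example and mimic a flattened Sysmon Event ID 1 record; adapt `LINE_RE` to your own SIEM export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation log lines (flattened Sysmon Event ID 1 style); hosts/users are fictional.
SAMPLE_LOG = """\
2023-04-18T09:12:03Z host=WS-0142 EventID=1 User=CORP\\alice Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"
2023-04-18T09:12:05Z host=WS-0142 EventID=1 User=CORP\\alice Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set safeboot network"
2023-04-18T09:12:07Z host=WS-0142 EventID=1 User=CORP\\alice Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil cl Security"
2023-04-18T09:15:40Z host=WS-0077 EventID=1 User=CORP\\backupsvc Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"
2023-04-18T09:16:02Z host=WS-0077 EventID=1 User=CORP\\bob Image=C:\\Windows\\explorer.exe CommandLine="explorer.exe"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s+User=(?P<user>\S+)'
    r'\s+Image=(?P<image>\S+)\s+CommandLine="(?P<cmd>[^"]*)"\s*$'
)

# One rule per LotL technique named in the table; matched against the command line rather than
# the image path, so renamed copies of the binaries are still caught.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("safeboot_tamper",      re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)),
    ("eventlog_clearing",    re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S+", re.I)),
]


def detect(log_text):
    """Return one alert per process-creation event whose command line matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("eid") != "1":
            continue
        for rule_name, pattern in RULES:
            if pattern.search(m.group("cmd")):
                alerts.append({
                    "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                    "host": m.group("host"),
                    "user": m.group("user"),
                    "rule": rule_name,
                    "cmd": m.group("cmd"),
                })
    return alerts


def correlate(alerts, window=timedelta(minutes=10)):
    """Escalate a host when two or more distinct techniques fire inside `window`.

    A lone `vssadmin delete shadows` can be an admin cleaning up; shadow deletion, boot
    tampering and log clearing within minutes of each other are the pre-encryption pattern.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    escalated = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            seen = {first["rule"]}
            for later in items[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                seen.add(later["rule"])
            if len(seen) >= 2 and len(seen) > len(escalated.get(host, ())):
                escalated[host] = sorted(seen)
    return escalated


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']:%H:%M:%S} {a['host']} {a['user']} {a['rule']}: {a['cmd']}")
    for host, techniques in correlate(found).items():
        print(f"ESCALATE {host}: {', '.join(techniques)}")
```

Note that `vssadmin list shadows` on the second host is deliberately not matched: the listing command is exactly what the recovery section further down tells responders to run, so a rule that fires on any vssadmin invocation would drown the signal in your own IR activity.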
Remediation & Recovery Strategies
1. Prevention (stop the first stage)
| Control | Implementation Details |
|---|---|
| Least-Privilege RDP | Default Domain Policy → Windows Settings → Security Settings → User Rights → “Deny log on through Remote Desktop Services” = Domain Users; local\EveryOne except whitelisted PC-Admin & Help-Desk groups. |
| E-mail Filtering | Update transport rule: if external mail contains .js, .vbs, or .hta attachments → silently quarantine. |
| Application Control (WDAC / AppLocker) | Default-deny with an exceptions list; recommended block-rules shipped by Microsoft include powershell.exe, regsvr32.exe, and rundll32.exe. |
| Patch Cycle | Prioritize FortiOS, Ivanti Connect Secure, and the Windows March 2023 cumulative update (contains RDP fixes) within 72 hours of release. |
2. Infection Cleanup (post-compromise)
- Disconnect the core network cable and disable Wi-Fi, but do not remove the encryption binary yet—preserve volatile artifacts for forensics.
- Boot into Safe Mode with Networking without internet access (no AD connectivity).
- Run Microsoft Defender Offline Scan from a WinPE USB created via “Windows Defender Security Center → Offline Scan”.
- Manual eradication:
  • Delete scheduled tasks named AT1, Maintenance Tasks, or random 6-hex GUID names under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\.
  • Remove persistence snippets in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pointing to %AppData%\rnd[4].exe.
  • Clear PowerShell profiles under %USERPROFILE%\Documents\WindowsPowerShell\profile.ps1.
- Run Sysinternals Autoruns64.exe → uncheck persistence entries; reboot clean.
- Before reconnecting to the LAN, patch, update AV, and change every password in the domain that was accessible to the operator (Kerberos tickets harvested).
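For the RunOnce step above, here is an added Python triage helper (not code from the original resource) that works from a `reg export` of the autostart keys, so it can be run on an analyst workstation against evidence rather than live on the infected host. The .reg text below is constructed for the example with fictional entries; the “rnd plus four characters” naming check is my reading of the page's `%AppData%\rnd[4].exe` and is an assumption, so it is reported separately from the more general user-writable-path check.

```python
import re

# Constructed .reg export (the format `reg export` writes), with fictional entries. The
# rnd????.exe names follow the page's %AppData%\rnd[4].exe description, read as "rnd" + 4 chars.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OneDriveSetup"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe /thfirstsetup"
"Update"="\"C:\\Users\\alice\\AppData\\Roaming\\rndk3f9.exe\" -s"
"Restore"="%AppData%\\rndq7w2.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Teams"="C:\\Program Files\\Teams\\Teams.exe --background"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')
RND_NAME_RE = re.compile(r'(^|\\)rnd[A-Za-z0-9]{4}\.exe$', re.I)      # assumption, see lead-in
USER_WRITABLE_RE = re.compile(r'\\AppData\\|%AppData%|%LocalAppData%|%Temp%|\\Temp\\', re.I)


def _unescape(reg_string):
    """Undo .reg escaping (backslash-backslash and backslash-quote) in a single pass."""
    return re.sub(r'\\(.)', r'\1', reg_string)


def _executable_path(command):
    """Pull the program path out of an autostart command line (quoted or bare)."""
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    exe = re.match(r'(.+?\.exe)\b', command, re.I)
    return exe.group(1) if exe else command.split()[0]


def parse_reg(text):
    """Yield (key, value_name, string_value) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        raw = vm.group("val")
        if not (raw.startswith('"') and raw.endswith('"')):
            continue   # hex:/dword: data is not a command line; skip it
        yield key, _unescape(vm.group("name")), _unescape(raw[1:-1])


def triage_reg(text):
    """Flag autostart values whose program lives in a user-writable path or carries the rnd???? name."""
    findings = []
    for key, name, command in parse_reg(text):
        path = _executable_path(command)
        reasons = []
        if RND_NAME_RE.search(path):
            reasons.append("rnd-name")
        if USER_WRITABLE_RE.search(path):
            reasons.append("user-writable path")
        if reasons:
            findings.append({
                "key": key, "name": name, "path": path, "reasons": reasons,
                "severity": "high" if "rnd-name" in reasons else "low",
            })
    return findings


if __name__ == "__main__":
    for f in triage_reg(SAMPLE_REG):
        print(f"[{f['severity']:4}] {f['key']}\\{f['name']} -> {f['path']}  ({', '.join(f['reasons'])})")
```

The OneDrive entry is flagged low on purpose: legitimate per-user installers also start from AppData, so the user-writable check alone is a review queue, not a verdict. The name-pattern hit is what separates the entries to delete from the ones to leave alone.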
3. File Decryption & Recovery (files carrying the .adv suffix)
- Recovery Feasibility: At this time no free decryptor exists; “adv” generates a unique X25519 ECDH public key and encrypts with ChaCha20-Poly1305. Offline key generation plus encryption on each victim implies that a master key has not yet been recovered.
- Immediate Actions:
  - Locate extant Volume Shadow Copies (`vssadmin list shadows` in an admin CMD). In two cases investigated in June 2023, backups survived and had not been deleted; restore via:

    ```cmd
    REM List the shadow copies of the volume that holds the data to recover
    REM (the letter after /for= must be that volume; the listing gives the copy index used below)
    vssadmin list shadows /for=E:
    REM Expose the chosen shadow copy as a directory; the trailing backslash on the target is required
    mklink /d c:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
    REM Copy the tree out of the snapshot into a clean restore location
    robocopy C:\shadow\Users\Alice\Documents\ C:\Restore\ /e
    ```

  - Offline, pull the last full-backup tape or immutable cloud blob (e.g., Veeam or Commvault to AWS S3 Object Lock) and reinflate it onto a fresh host. Follow the 3-2-1-1 rule (offline + immutable).
- Essential Patches / Tools:
  • Windows Cumulative May 2023 (KB5027231) – fixes the RDP elevation chain.
  • Microsoft Safety Scanner (mpam-fe.exe, x64) – updated sig-pack 1.401.832.0+ detects “Trojan:Win32/AdvA.ransom”.
  • Kaspersky RannohDecryptor 1.11.0.0 – does NOT support .adv yet; subscribe to NoMoreRansom.org alerts for updates.
4. Other Critical Information
- Unique Characteristics:
  • Drops a minimalist ransom note FILES_BACK.txt containing only the Telegram username t.me/advcrypt_user_134 and a 0.16 BTC (~USD 5 600 at time of writing) wallet.
  • Registers the victim ID in C2 over Jabber/XMPP, causing cross-platform payments to be tracked on-chain under the address prefix bc1q9fh….
  • Blasts recovery points recursively on C:\, but ignores mapped network drives named “BACKUP”, “NAS”, or “VEEAM” if they are NTFS mount points—not UNC shares. Using known-good third-party drives with a re-labelled volume ID (USIC “BKUP-793”) avoided encryption in three tested labs.
- Broader Impact:
  • The first campaign hit Southeast Asian textiles (85 hosts across 5 plants) on 23 Apr 2023; data exfiltration was confirmed via publicly released Zammuto Furniture CAD models, causing a supply-chain NDA lawsuit.
  • SOC telemetry reveals identical early-stage TTPs but an evolving payload, suggesting “adv” is delivered by an affiliate program and does not have its own leak site—a pivot from more public groups like LockBit or BlackCat.
────────────────────────
Summary mantra: patch immediately, disable RDP interface exposure, and validate offline backups before you need them. Share only vetted decryptors—anything claiming to unlock .adv files except official NoMoreRansom or open-source tools is currently a scam.