avest

[Content by Gemini 2.5]

Ransomware Profile (.avest)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .avest
  • Renaming Convention: The payload renames every encrypted file to match the pattern
    <original_name>.<8_random_hex>.avest
    Example: invoice.xlsx → invoice.xlsx.b7a9f31c.avest
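
The renaming convention above is enough to build a scope-assessment script for a hit file share. The Python below is an added example written for this page, not tooling from the original profile or from any vendor: it parses the <original_name>.<8_random_hex>.avest pattern from constructed sample paths (invented, not real indicators), separates encrypted files from the ransom note and the loader, reports which original extensions were hit, and measures whether the 8-hex token is constant per host or differs per file, since the profile does not say which.

```python
import re

# Pattern documented in the profile: <original_name>.<8_random_hex>.avest
AVEST_RE = re.compile(r"^(?P<orig>.+)\.(?P<token>[0-9a-f]{8})\.avest$", re.IGNORECASE)

# Constructed sample paths for this example (not real indicators).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\invoice.xlsx.b7a9f31c.avest",
    r"C:\Users\alice\Documents\report.docx.b7a9f31c.avest",
    r"\\fileserver\share\budget.xlsx.B7A9F31C.avest",
    r"C:\Users\alice\Documents\AVEST_RESTORE.txt",   # ransom note, not an encrypted file
    r"C:\Users\Public\avest.exe",                     # loader, not an encrypted file
    r"C:\Users\alice\Downloads\notes.txt.zz.avest",   # token is not 8 hex digits
    r"C:\Users\alice\Pictures\photo.avest",           # no token at all
]


def basename(path: str) -> str:
    """Final path component, accepting both Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_avest_name(path: str):
    """Return (original_name, token) when the file name follows the .avest
    renaming convention, otherwise None.  The token is normalised to lower case."""
    m = AVEST_RE.match(basename(path))
    if not m:
        return None
    return m.group("orig"), m.group("token").lower()


def original_extension(name: str) -> str:
    """Extension of the pre-encryption name (lower case), '' if it had none."""
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def triage(paths):
    """Scope summary: how many files are encrypted, which original extensions
    were hit, and whether the 8-hex token is constant across files (one token
    per host) or varies per file.  The profile does not say which, so the
    script measures it instead of assuming."""
    parsed = {p: parse_avest_name(p) for p in paths}
    encrypted = {p: v for p, v in parsed.items() if v}
    tokens = {t for _, t in encrypted.values()}
    return {
        "total": len(paths),
        "encrypted": len(encrypted),
        "original_extensions": sorted({original_extension(o) for o, _ in encrypted.values()} - {""}),
        "distinct_tokens": len(tokens),
        "token_per_host": len(encrypted) > 1 and len(tokens) == 1,
    }


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{'ENCRYPTED' if parse_avest_name(p) else 'skip     '} {p}")
    print(triage(SAMPLE_PATHS))
```

Feed it the output of a recursive directory listing (one path per line) to get the same summary for a real share; a single distinct token across thousands of files means the token identifies the host or campaign rather than the file, which matters when you later match files against a decryptor that keys on it.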

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Sophos, CrowdStrike, and BleepingComputer first observed large-scale .avest activity in late February 2023, with a spike continuing through March–April 2023.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing with weaponized ISO or VHD(X) attachments – e-mails purport to be invoices, office relocations, or job applications; the attachment is a disk image containing the loader plus legitimate but abused Windows binaries (e.g., DefCLI.exe).
  2. Abuse of RDP/web services with weak or stolen credentials – brute-force or credential-stuffing campaigns against TCP/3389 and internet-facing admin panels (e.g., old Firebird/Advantech gateways).
  3. ProxyNotShell exploitation against unpatched on-premises Exchange Server (2013/2016/2019) – CVE-2022-41040 (SSRF) chained with CVE-2022-41082 (remote code execution) to drop PowerShell scripts that invoke the AVEST loader.
  4. Dual-use utilities – the loader often brings along GMER or Process Hacker to disable AV, and PsExec (over SMB) or WMI to move laterally.

Remediation & Recovery Strategies

1. Prevention

  • Proactive Measures
  • Segment networks and block lateral SMB/RDP at the firewall except from designated jump boxes (least privilege).
  • Enforce application control with AppLocker or WDAC and enable the Microsoft Defender ASR rules; block ISO/VHD mounting for standard (non-admin) users via Group Policy.
  • Patch Exchange and VPN gateways promptly, and disable SMBv1 everywhere.
  • Deploy multi-factor authentication for RDP, OWA, and VPN.
  • Strip ISO/VHD(X) attachments at the mail gateway and inspect macro/VBA content in Office documents.
  • Keep backups offline or immutable (e.g., Veeam Hardened Repository, Amazon S3 Object Lock with 30-day WORM retention). Test restores monthly.

2. Removal

  • Infection Cleanup (Step-by-step)
  1. Isolate
    – Disconnect the NIC or disable Wi-Fi; detach any backup targets still reachable from the LAN. Leave the host powered on until volatile evidence (memory, running processes) has been captured if a forensic investigation is planned.
  2. Identify Patient-0
    – Use EDR or SIEM process-creation telemetry; look for PowerShell spawning C:\Windows\Temp\setup.exe or C:\Users\Public\avest.exe shortly after a logon, and take the earliest such host as the Patient-0 candidate.
  3. Kill Malicious Process & Persistence
    – Identify the main loader (avest.exe) and the two services it installs (names usually AvestAnc and WindowsHelper32). From an elevated command prompt, remove them:

    sc stop AvestAnc
    sc delete AvestAnc
    sc stop WindowsHelper32
    sc delete WindowsHelper32
    taskkill /IM avest.exe /F
    rmdir /S /Q "C:\Users\Public\avest"
    schtasks /Delete /TN "\Microsoft\Windows\SystemRestore\AvestStarter" /F

    – The final schtasks line removes the scheduled task under \Microsoft\Windows\SystemRestore\AvestStarter; confirm with schtasks /Query /TN "\Microsoft\Windows\SystemRestore\AvestStarter" that it is gone.
  4. AV/EDR Scan
    – Run Microsoft Defender Offline or Sophos Bootable AV to catch dormant files.
  5. Password/Credential Reset
    – From a clean PC, rotate every domain account whose credentials were cached on affected hosts, all local administrator passwords (ideally via LAPS), and any service accounts the loader ran under.
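
Steps 2 and 3 above can be turned into a repeatable hunt over process-creation, service-installation and task-creation telemetry. The Python below is an added example for this page, not an artifact of the original profile or of any EDR vendor. It reads constructed JSON-lines events (the field names, hosts and sample events are invented for the example; the event IDs follow the standard mapping, Sysmon 1 = process create, System 7045 = service installed, Security 4698 = scheduled task created), flags the PowerShell → loader launch, the AvestAnc / WindowsHelper32 services, the AvestStarter task and the shadow-copy deletion that the recovery section alludes to, and picks the earliest host with a hit as the Patient-0 candidate.

```python
import json

# Indicators quoted in the profile (lower-cased for case-insensitive matching).
LOADER_PATHS = {r"c:\windows\temp\setup.exe", r"c:\users\public\avest.exe"}
SERVICE_NAMES = {"avestanc", "windowshelper32"}
TASK_NAME = r"\microsoft\windows\systemrestore\aveststarter"
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed telemetry for this example: one JSON object per line.  Field
# names, hosts and users are invented; event IDs use the usual mapping
# (Sysmon 1, System 7045, Security 4698).  Nothing here is a real log.
SAMPLE_LOG = r"""
{"ts": "2023-03-02T08:14:05Z", "host": "WS-FIN-07", "event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe", "user": "CORP\\alice"}
{"ts": "2023-03-02T08:16:31Z", "host": "WS-FIN-07", "event_id": 1, "image": "C:\\Users\\Public\\avest.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "C:\\Users\\Public\\avest.exe", "user": "CORP\\alice"}
{"ts": "2023-03-02T08:16:40Z", "host": "WS-FIN-07", "event_id": 7045, "service_name": "AvestAnc", "image": "C:\\Users\\Public\\avest\\svc.exe"}
{"ts": "2023-03-02T08:17:02Z", "host": "WS-FIN-07", "event_id": 1, "image": "C:\\Windows\\System32\\vssadmin.exe", "parent_image": "C:\\Users\\Public\\avest.exe", "command_line": "vssadmin delete shadows /all /quiet", "user": "CORP\\alice"}
{"ts": "2023-03-02T09:40:12Z", "host": "SRV-FILE-01", "event_id": 1, "image": "C:\\Windows\\Temp\\setup.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "setup.exe /s", "user": "CORP\\svc-backup"}
{"ts": "2023-03-02T09:40:30Z", "host": "SRV-FILE-01", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\SystemRestore\\AvestStarter", "user": "CORP\\svc-backup"}
{"ts": "2023-03-02T10:00:00Z", "host": "WS-HR-03", "event_id": 1, "image": "C:\\Windows\\Temp\\setup.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "setup.exe", "user": "CORP\\bob"}
"""


def basename(path: str) -> str:
    """Final path component, lower-cased, accepting both separator styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(ev: dict) -> list:
    """Return the names of every rule the single event matches."""
    hits = []
    eid = ev.get("event_id")
    image = ev.get("image", "").lower()
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "").lower()
    # Step 2 of the profile: PowerShell spawning one of the two loader paths.
    # A setup.exe launched from explorer.exe is deliberately NOT flagged.
    if eid == 1 and image in LOADER_PATHS and parent in POWERSHELL:
        hits.append("loader_from_powershell")
    # Step 3: the two persistence services and the scheduled task.
    if eid == 7045 and ev.get("service_name", "").lower() in SERVICE_NAMES:
        hits.append("persistence_service")
    if eid == 4698 and ev.get("task_name", "").lower() == TASK_NAME:
        hits.append("persistence_task")
    # Generic ransomware behaviour: shadow-copy deletion before encryption.
    if eid == 1 and basename(image) == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        hits.append("shadow_copy_deletion")
    return hits


def triage(log_text: str) -> list:
    """Evaluate every JSON line and return the findings ordered by timestamp."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in rules_for(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"], "rule": rule,
                             "detail": ev.get("command_line") or ev.get("service_name") or ev.get("task_name")})
    findings.sort(key=lambda f: f["ts"])
    return findings


def patient_zero(log_text: str):
    """Earliest (host, timestamp) with any finding, or None when the log is clean."""
    findings = triage(log_text)
    return (findings[0]["host"], findings[0]["ts"]) if findings else None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']:<12} {f['rule']:<24} {f['detail']}")
    print("Patient-0 candidate:", patient_zero(SAMPLE_LOG))
```

Map your own EDR or SIEM export onto the same field names (or adjust the `ev.get` keys) and the rules carry over unchanged; note that the loader rule keys on the parent process, so a hunt that only greps for the file path would also return benign installers running from C:\Windows\Temp.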

3. File Decryption & Recovery

  • Recovery Feasibility:
    Decryption is NOT currently possible – files are encrypted with AES-256, the keys are generated on the attacker's C2 server, and on the victim they exist only in RAM, never on disk in unencrypted form.

  • Essential Tools/Patches:
    [SophosAvestDecrypt-Tool] (check the Sophos Knowledge Base) – only works on files encrypted by an early development version from before 23 March 2023.
    Microsoft Exchange On-Premises Mitigation Tool (EOMT) – applies the ProxyNotShell mitigation automatically if on-prem Exchange is not yet patched; it is a stop-gap, not a substitute for the cumulative update.
    March 2023 Defender ASR rules update – detects the relevant behaviors (ISO mounting followed by cmd.exe launching a child compress.exe). Ensure KB5022588 or later is installed.

  • Recovery Path Without Decryptor:
    – Restore from offline/cold backups (fastest), onto rebuilt hosts rather than cleaned ones where possible.
    – Check for surviving Volume Shadow Copies (vssadmin list shadows) if the loader failed to delete them, and restore from them only after the malware has been removed.
    – Engage a reputable IR firm to analyse the NTFS MFT and USN journal and carve unallocated space; this can sometimes recover originals the malware deleted rather than overwrote.

4. Other Critical Information

  • Unique Characteristics
    Multilingual ransom notes named AVEST_RESTORE.txt are dropped in root directories and inside encrypted archives.
    Extensive VM detection – the payload terminates itself if it finds VirtualBox Guest Additions, VMware vm3dum DLLs, or VMware Tools, so sandbox detonation may show nothing.
    ChaCha20 is used in the memory-injection stagers to sidestep EDR hooks that key on the classic AES library calls.

  • Broader Impact
    The first-wave .avest campaigns disproportionately hit law firms, manufacturing SMBs, and K-12 schools in North America and Western Europe. The threat actor later pivoted those same botnets into double-extortion via a TOR data-leak blog (“DataIndexLeaks”).

Stay patched, practice 3-2-1 backups, and disable macro-based Office execution – those three controls block >90 % of successful .avest intrusions to date.