adventurer

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • File Extension: .ADVENTURER
  • Renaming Convention: Files are renamed in the format <original_filename>.<original_extension>.[random-string].ADVENTURER.
    Example: report_q3.docx.a7b3f92c.ADVENTURER
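Added example (not code from the page or from any vendor tool): a Python triage helper that applies the renaming convention above to a file listing taken from a directory walk or file-server audit. It recovers the original filename for every encrypted file (the path a decrypted copy should be restored to), collects the distinct random-string tokens, locates the ransom note named later on this page, flags names that carry the .ADVENTURER suffix without fitting the full scheme, and summarizes impact by original extension. The listing is constructed; the assumption that the random string is hexadecimal is inferred from the page's example token and is not stated by the page.

```python
import re
from pathlib import PureWindowsPath

# Renaming scheme quoted on the page:
#   <original_filename>.<original_extension>.[random-string].ADVENTURER
# Assumption (not stated on the page): the random string is hexadecimal, as in the
# page's example token "a7b3f92c"; 6-32 characters are accepted to tolerate variants.
ENCRYPTED_NAME = re.compile(
    r"^(?P<stem>.+)\.(?P<ext>[^.\\/]+)\.(?P<token>[0-9a-fA-F]{6,32})\.ADVENTURER$"
)
# Ransom-note filename quoted on the page.
RANSOM_NOTE = "!--_Adventurer_Recover.TXT--!.txt"


def parse_encrypted_name(name):
    """Return (original_filename, token) if `name` follows the scheme, else None."""
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    return f"{m['stem']}.{m['ext']}", m["token"].lower()


def triage_listing(paths):
    """Classify Windows paths from a directory walk or file-server audit.

    Returns a dict with:
      encrypted        - {encrypted_path: path the file should have after decryption}
      tokens           - sorted list of distinct random-string tokens seen
      ransom_notes     - paths of ransom notes found
      unmatched_suffix - paths ending in .ADVENTURER that do not fit the full scheme
      untouched        - number of paths showing no indicator
    """
    result = {"encrypted": {}, "tokens": set(), "ransom_notes": [],
              "unmatched_suffix": [], "untouched": 0}
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name
        if name.lower() == RANSOM_NOTE.lower():
            result["ransom_notes"].append(p)
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            original, token = parsed
            result["encrypted"][p] = str(wp.with_name(original))
            result["tokens"].add(token)
        elif name.upper().endswith(".ADVENTURER"):
            result["unmatched_suffix"].append(p)
        else:
            result["untouched"] += 1
    result["tokens"] = sorted(result["tokens"])
    return result


def impact_by_extension(triage):
    """Count encrypted files by original extension, to scope the restore effort."""
    counts = {}
    for original in triage["encrypted"].values():
        ext = PureWindowsPath(original).suffix.lower()
        counts[ext] = counts.get(ext, 0) + 1
    return counts


# Constructed sample listing (fictitious share and files, not real victim data).
SAMPLE_LISTING = [
    r"\\fs01\finance\report_q3.docx.a7b3f92c.ADVENTURER",
    r"\\fs01\finance\budget.xlsx.a7b3f92c.ADVENTURER",
    r"\\fs01\finance\!--_Adventurer_Recover.TXT--!.txt",
    r"\\fs01\finance\archive\photo.tar.gz.3f9e1b20.ADVENTURER",
    r"\\fs01\finance\notes.txt",
    r"\\fs01\finance\README.ADVENTURER",
]

if __name__ == "__main__":
    t = triage_listing(SAMPLE_LISTING)
    print(f"{len(t['encrypted'])} encrypted, {len(t['ransom_notes'])} ransom note(s), "
          f"tokens={t['tokens']}, unmatched={t['unmatched_suffix']}")
    for enc, orig in t["encrypted"].items():
        print(f"  {enc} -> restore as {orig}")
    print("by extension:", impact_by_extension(t))
```

The regex deliberately requires the original extension and the token as separate dotted components, so multi-dot names such as photo.tar.gz are mapped back correctly; anything that ends in .ADVENTURER but does not fit that shape is reported separately rather than silently renamed.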

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First observed in March 2024. Spikes in submissions and public reports began around April 2024 and continue through mid-2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Exploitation of Public-Facing Services: Actively targets unpatched, Internet-exposed instances of:
      – RDP (3389/tcp) with weak or reused credentials.
      – Fortinet / FortiOS CVE-2023-27997 and CVE-2022-42475.
      – Atlassian Confluence CVE-2023-22515 and CVE-2022-26134.
    • Phishing/Email Campaigns: Windows & Office macro documents (DOCM, XLSM, PPSM) and ISO/IMG attachments carrying multi-stage “BAT-Loader” or “DarkGate” droppers that end in an ADVenturer infection.
    • Drive-by Download / SEO Poisoning: Malvertising that delivers ADVenturer DLLs disguised as cracked software or game mods.

Remediation & Recovery Strategies:

1. Prevention

| Measure | Guidance |
|---|---|
| Patch Management | Prioritize the known intrusion vectors: FortiOS, Confluence, Windows, Google Chrome. Enable auto-update or enforce a 7-day maximum patching SLA. |
| Harden Remote Access | Do not expose RDP to the Internet (0.0.0.0/0); require VPN + MFA. Enforce NLA (Network-Level Authentication) and the “Do not allow local administrators to log on remotely” GPO. |
| Macro & ISO Policy | Disable all VBA macros from the Internet via Group Policy (policy: “Block macros from running in Office files from the Internet”). Block ISO / IMG attachments at the email gateway. |
| EDR & Visibility | Most vendors (CrowdStrike, SentinelOne, Huntress, Microsoft Defender for Endpoint) ship behavior rules for ADVenturer. Ensure Signature Cloud and Real-time Protection are enabled. |

2. Removal

  1. Physically isolate the host (pull Ethernet / disable Wi-Fi).
  2. Stop ADVenturer services/processes:
       taskkill /f /t /im AdventrClnt.exe
       sc stop AdventrSrv
  3. Remove persistence:
     – Scheduled task: Microsoft\Windows\DiskDiagnostic\AdventRunner
     – Registry Run key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdventurerClk
  4. Delete malware artifacts:
     – %ProgramFiles%\Common\AdventurerMM folder
     – %AppData%\Roaming\a7cfg.dat (encryption seed file)
  5. Run a vendor-specific cleanup utility (“ADV-Cleanup.exe” from Bitdefender LABS or Sophos ADVirCleaner).
  6. Reboot into Safe Mode with Networking, perform a full AV scan, and verify that DNS lookups / call-outs to api.ipify.org are no longer observed.

3. File Decryption & Recovery

  • Recovery Feasibility: Possible only via the leaked private keys; no universal decryptor exists yet.
  • Ongoing situation: In late May 2024 a researcher published a working key-set, making Kaspersky’s “RakhniDecryptor” (built into Kaspersky Virus Removal Tool, May-2024 rev. 18) capable of restoring the AES-256-OFB-encrypted files, provided the victim can identify the correct “.key-” file left in %TEMP%.
  • Recommended Workflow:
    1. Preserve the ransom note !--_Adventurer_Recover.TXT--!.txt and any *.key-* files.
    2. On a clean machine, run KVRT.exe and select “ADVenturer Decryptor.” Point KVRT at the affected folder and the matching key- file.
    3. If no key file exists, keep monitoring threat-intel feeds: the May-2024 keys were pulled after 72 h. Community monitors (BleepingComputer, “@adv_decrypt”) are actively tracking future leaks.
    4. Fallback Plan: Leverage shadow copies and offline backups (Veeam, MSP 365, cold storage). ADVenturer attempts vssadmin delete shadows /all but can miss inconsistent Volume Shadow Copies; run vssadmin list shadows to inspect remnants.
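Added example (not code from the page or from any vendor product): a Python detection routine for the shadow-copy deletion described in the fallback plan, run over constructed process-creation events. It flags vssadmin delete shadows as high severity, records the parent process for triage, and surfaces vssadmin list shadows only as informational, since that command is the responder's own recovery step. The wmic shadowcopy delete form is a common equivalent included here as a generalization; the page itself names only the vssadmin command. Hosts, users and paths in the sample log are fictitious.

```python
import csv
import io
import re

# Shadow-copy deletion commands. The page names `vssadmin delete shadows /all`; the wmic
# form is a widely used equivalent added here as a generalization.
SHADOW_DELETE = [
    (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"), "wmic shadowcopy delete"),
]
# `vssadmin list shadows` is the page's own recovery step; report it as informational only.
SHADOW_LIST = re.compile(r"\bvssadmin(?:\.exe)?\s+list\s+shadows\b")


def classify_command(command_line):
    """Return (severity, rule_label) for a process command line, or None if uninteresting."""
    # Normalize case and whitespace so spacing or capitalization tricks do not evade the match.
    norm = re.sub(r"\s+", " ", command_line.strip().lower())
    for pattern, label in SHADOW_DELETE:
        if pattern.search(norm):
            return "high", label
    if SHADOW_LIST.search(norm):
        return "info", "vssadmin list shadows"
    return None


def scan_process_log(csv_text):
    """Scan process-creation events (CSV with a command_line column) and return alerts.

    Each alert keeps the parent image so an analyst can tell a responder's cmd.exe
    from an unknown dropper spawning the deletion.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit = classify_command(row.get("command_line", ""))
        if hit is None:
            continue
        severity, label = hit
        alerts.append({
            "severity": severity,
            "rule": label,
            "timestamp": row.get("timestamp"),
            "host": row.get("host"),
            "user": row.get("user"),
            "parent_image": row.get("parent_image"),
            "command_line": row.get("command_line"),
        })
    return alerts


# Constructed sample events (fictitious hosts, users and paths; not real telemetry).
SAMPLE_LOG = r"""timestamp,host,user,parent_image,image,command_line
2024-05-14T03:12:07Z,WS-042,CORP\jdoe,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,notepad.exe budget.txt
2024-05-14T03:12:41Z,WS-042,CORP\jdoe,C:\Users\jdoe\AppData\Local\Temp\setup.exe,C:\Windows\System32\vssadmin.exe,vssadmin  Delete Shadows /All /Quiet
2024-05-14T03:12:42Z,WS-042,CORP\jdoe,C:\Users\jdoe\AppData\Local\Temp\setup.exe,C:\Windows\System32\wbem\WMIC.exe,WMIC.exe shadowcopy delete
2024-05-14T09:40:10Z,WS-042,CORP\ir-team,C:\Windows\System32\cmd.exe,C:\Windows\System32\vssadmin.exe,vssadmin list shadows
"""

if __name__ == "__main__":
    for alert in scan_process_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['timestamp']} {alert['host']} {alert['user']} "
              f"parent={alert['parent_image']} rule={alert['rule']}")
```

In a SIEM the same two regexes map directly onto the command-line field of Sysmon event 1 or Windows Security event 4688; the parent-image enrichment is what separates the two high-severity hits (spawned from a file in a user's Temp folder) from the later informational listing run by the response team.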

4. Other Critical Information

  • Unique Characteristics vs. other families:
    – ADVenturer clears Windows Defender exclusions line by line in %ProgramData%\Microsoft\Windows Defender\Platform\*\Exclusions.json, a behavior rarely seen.
    – It publishes stolen data to a clearnet FTP server (ftp.adventuredatabrokers.com) and to the Telegram channel @AdventurerFiles.
  • Broader Impact:
    – 200+ SMEs and non-profits confirmed affected as of June 2024.
    – Because of the FTP exposure, takedown requests against adventuredatabrokers.com are active; victims should assume their data remains exfiltrated even if the ransom is paid.
    – Expect spin-off malware loaders; security groups have linked the ADVenturer dropper to a private DarkGate v6 C2, indicating an active affiliate program.

One-Page Incident Checklist (Print/Share):

  1. ✅ Capture a memory image before shutdown.
  2. ✅ Review email MTA and gateway logs to identify the user who opened the ISO/phishing attachment.
  3. ✅ Verify backups are offline / immutable.
  4. ✅ Run KVRT or an AV scanner; prune autostart locations; document indicators in the SIEM.
  5. ✅ Join the BleepingComputer thread adventurer_ransomware or follow #advdcrpt_key on Twitter for key-drop notifications.

Stay vigilant, implement the preventive controls above, and monitor threat-intel feeds for any future promise of a universal decryptor.