Cybersecurity experts have identified a new modular malware framework named Avalon, which employs a sophisticated multi-stage phishing strategy to evade conventional security measures. This framework encompasses a range of functionalities, including credential harvesting, lateral movement, remote access, system recovery disruption, and ransomware deployment. The ransomware component within Avalon is referred to as CrownX.
The attack initiates with a deceptive email that appears to contain a legal document, directing recipients to a password-protected archive hosted on Proton Drive. Instead of attaching malicious content directly, the attackers embed it within an ISO image, reducing the likelihood of detection by email security systems.
When the recipient opens a document-themed Windows shortcut file (e.g., “Secure Document CA-283505.pdf.lnk”) inside the mounted ISO image, a sequence of malicious actions is triggered that culminates in the deployment of Avalon. Specifically, the shortcut executes a command that launches an MSBuild project located on the ISO image. This project then loads an embedded .NET assembly, which interferes with Event Tracing for Windows (ETW) to diminish forensic visibility and downloads the next-stage payload over HTTPS, leading to Avalon’s execution.
Avalon is equipped with an extensive defense evasion subsystem designed to bypass detection mechanisms associated with various security tools, including Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender. This subsystem enables the malware to reduce telemetry, circumvent user-mode monitoring, and adapt its execution based on the defensive controls present on the host system.
The comprehensive feature set of Avalon includes:
- Harvesting credentials, cookies, browsing history, and bookmarks from Chromium-based browsers and Mozilla Firefox.
- Collecting data from cryptocurrency wallet applications such as MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core, as well as from communication platforms like Discord, Slack, Teams, and VPN clients like OpenVPN and WireGuard.
- Gathering information on SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts.
- Exfiltrating collected data to a remote server and polling for tasking commands.
- Conducting reconnaissance to identify and prioritize systems that can expand the scope of the compromise.
- Encrypting files related to business operations, software development, engineering, data storage, and virtual infrastructure using the Windows Cryptography API, and delivering a ransom note with payment instructions and deadline timers indicating the time remaining before the ransom amount increases.
- Inhibiting system recovery by terminating the Volume Shadow Copy Service and deleting shadow copies.
- Employing an anti-forensic cleanup subsystem to remove traces of artifacts, complicating incident response efforts.
- Interacting directly with disk structures, potentially damaging partition information, boot records, or other critical areas of the drive, rendering the system unusable.
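The following rule set is an added example, not the report's tooling or anything attributed to the malware authors. It covers two of the stages described above: the shortcut-driven MSBuild launch from the mounted ISO and the HTTPS download that follows (the delivery chain), and the shadow-copy deletion and Volume Shadow Copy Service termination from the feature list. It assumes Sysmon-style events (EventID 1 = process creation, EventID 3 = network connection) already normalised into dicts; the drive letter E:, the project file name, the parent processes and every sample event are constructed for this example.

```python
"""Detection logic for two stages of the Avalon chain: MSBuild abuse from a
mounted ISO (initial execution) and shadow-copy deletion / VSS termination
(recovery inhibition). Added example; all events below are constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule image")

SYSTEM_DRIVE = "C"  # assumption: the OS volume; adjust per environment
USER_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

DRIVE_LETTER = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]):\\")
SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.IGNORECASE)
VSS_STOP = re.compile(r"\bstop\s+vss\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def drive_letters(text):
    """Upper-case drive letters referenced anywhere in a command line."""
    return {m.group(1).upper() for m in DRIVE_LETTER.finditer(text)}


def check_event(ev):
    """Return the rule names one event triggers (empty list if benign)."""
    hits = []
    image = basename(ev.get("Image", ""))
    eid = ev.get("EventID")
    cmd = ev.get("CommandLine", "")
    if eid == 1 and image == "msbuild.exe":
        # Builds live on the OS/dev volumes; a project on another drive
        # (mounted ISO, removable media) is the pattern described above.
        if drive_letters(cmd) - {SYSTEM_DRIVE}:
            hits.append("msbuild_project_outside_system_drive")
        # Builds are started by IDEs or build agents, not by a double-click.
        if basename(ev.get("ParentImage", "")) in USER_SHELLS:
            hits.append("msbuild_launched_by_user_shell")
    elif eid == 1 and image in {"vssadmin.exe", "wmic.exe"} and SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    elif eid == 1 and image in {"net.exe", "net1.exe", "sc.exe"} and VSS_STOP.search(cmd):
        hits.append("vss_service_stopped")
    elif eid == 3 and image == "msbuild.exe" and ev.get("Initiated", True):
        # A build tool opening an outbound connection is the stage-2 fetch.
        hits.append("msbuild_outbound_network")
    return hits


def scan(events):
    return [Finding(rule, ev.get("Image", "")) for ev in events for rule in check_event(ev)]


def rule_names(events):
    return sorted({f.rule for f in scan(events)})


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign: Visual Studio building a project on the system drive.
    {"EventID": 1, "Image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\MSBuild\\Current\\Bin\\MSBuild.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Common7\\IDE\\devenv.exe",
     "CommandLine": "MSBuild.exe C:\\Users\\dev\\src\\app\\app.csproj /t:Build"},
    # Suspicious: shortcut target runs MSBuild against a project on the mounted ISO (E:).
    {"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\" \"E:\\CA-283505.proj\""},
    # Suspicious: MSBuild making an outbound HTTPS connection (TEST-NET-3 address).
    {"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Recovery inhibition: shadow copies deleted, then the VSS service stopped.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "net stop vss"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.rule:40s} {finding.image}")
```

The MSBuild rules deliberately stay coarse (any non-system drive, any user-facing parent) because a build tool should almost never be launched that way on a workstation; tune `SYSTEM_DRIVE` and `USER_SHELLS` to the environment and correlate the two process hits with the network hit for higher confidence.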
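For the Group Policy Preferences cpassword item in the list above, the defensive counterpart is to find and remove those artifacts before they can be harvested. The audit below is an added example, not the report's tooling; it assumes a readable copy of SYSVOL (here a constructed two-GPO sample written to a temporary directory) and uses placeholder values for the GPO GUID and the ciphertext.

```python
"""Audit SYSVOL-style Group Policy Preference XML files for cpassword
attributes. Added example; the sample tree is constructed, the GUID and
ciphertext are placeholders, not real credentials."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that historically carried an embedded encrypted password.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}
# Attribute names that identify the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpassword(root_dir):
    """Return one dict per XML element that carries a cpassword attribute."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the audit
            for elem in tree.iter():
                if "cpassword" in elem.attrib:
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
                    hits.append({"file": os.path.relpath(path, root_dir),
                                 "element": elem.tag, "account": account})
    return hits


def build_sample_sysvol():
    """Constructed SYSVOL fragment: one GPO item with a leftover cpassword, one clean."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    prefs = os.path.join(root, "Policies", "{GUID-PLACEHOLDER}", "Machine", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    os.makedirs(os.path.join(prefs, "Drives"))
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n'
                '<Groups><User name="localadmin">'
                '<Properties action="U" userName="localadmin" '
                'cpassword="CONSTRUCTED-CIPHERTEXT-PLACEHOLDER"/>'
                '</User></Groups>')
    with open(os.path.join(prefs, "Drives", "Drives.xml"), "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n'
                '<Drives><Drive name="H:"><Properties action="U" path="\\\\fs01\\home" '
                'useLetter="1" letter="H"/></Drive></Drives>')
    return root


def audit_sample():
    """Run the audit against the constructed tree; returns the list of hits."""
    return find_cpassword(build_sample_sysvol())


if __name__ == "__main__":
    for hit in audit_sample():
        print(f"{hit['file']}: <{hit['element']}> account={hit['account']}")
```

The script only reports presence; because the key that protects cpassword values is publicly documented, every hit should be handled as a disclosed credential: delete the preference item, rotate the account, and keep the audit running since the attribute can reappear when old GPO backups are restored.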
The integration of CrownX ransomware within Avalon signifies a concerning evolution in malware development, combining multiple attack vectors into a single, cohesive framework. This approach not only enhances the efficiency of cybercriminal operations but also complicates detection and mitigation efforts. Organizations must remain vigilant, adopting comprehensive security measures and educating employees about sophisticated phishing tactics to mitigate the risks posed by such advanced threats.