Excel 4.0 Macro Tricks Still In Use By Avaddon Ransomware

Avaddon uses the old Marco tricks

• Recently, Avaddon ransomware was seen getting distributed via old techniques related to Excel 4.0 macros.
• The campaign was mostly seen targeting very specific users in Italy. It sent out emails with malicious Excel 4.0 macros. One sample message was sent to a small business, pretending to be from the Labor Inspectorate, informing the potential victims about some penalties and possible legal actions due to some work-related violations.
• The Excel 4.0 macros embedded inside the document were capable of downloading the Avaddon ransomware sample directly, without the need of any intermediary downloader.

Other recent attacks

• In June, the Avaddon Ransomware was observed in a massive spam campaign, with 300,000 emails delivered in just a short period, targeting users worldwide.
• At that time, the Phorphiex/Trik Botnet was used for distributing malicious emails, having a malicious JavaScript file masquerading as a JPG photo.

Avaddon open for other affiliates as well

• In this affiliate program, Avaddon operators offered the already developed ransomware and the operation of the TOR payment site. Affiliates were free to distribute the ransomware via spam, compromising networks, or exploit kits.
• Avaddon operators proposed to pay the affiliates 65% of any ransom payments they manage to bring in while keeping 35% share for themselves.