The new Avaddon ransomware has come alive in an enormous spam campaign targeting online users with emails containing a wink emoji.
What is happening
The Avaddon ransomware is being propagated via the Phorphiex/Trik botnet. The malspam messages try to entice the recipients into opening a photo, with a wink emoji in the email body. The phishing email contains a zip file that contains a JavaScript file. Once the JavaScript file is launched, the Trik worm, Gozi banking trojan, CryptoNight XMRig cryptocurrency miner, and Gandcrab ransomware are loaded.
Looking into the past
Phorphiex/Trik botnet is one of the few botnets capable of packing a strong payload punch.
- Trik botnet is at least a decade old and first was dissipated via live chat and USB storage drives.
- While last year’s campaign contained female names in the phishing email, this year the display names were male.
- In 2018, 43 million email addresses leaked from the C&C server of the botnet.
Worth noting
- The monetary demand varies and payment is accepted in bitcoins.
- Their site contains 24/7 support assistance and ways to obtain bitcoin, along with a QR code and wallet address for payment.
- The operators are targeting users worldwide, proven by the presence of 9 language options on their site.
- The related IOCs can be found here.
The bottom line
The threat actors behind Avaddon have posted on Russian hacker forums that they are a Ransomware-as-a-Service (RaaS) program. Following the RaaS rules, the actors will not target the Commonwealth of Independent States. Security experts expect to see a rise in advanced attack tactics and increasing distribution of the ransomware.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/31e7_shutterstock_542608048.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/6e2c_shutterstock_668180614.jpg)
