The new Avaddon ransomware has surfaced in a large spam campaign that lures recipients with emails whose body consists of little more than a wink emoji.
What is happening
The Avaddon ransomware is being propagated through the Phorphiex/Trik botnet. The malspam messages try to entice recipients into opening a supposed photo, with a wink emoji as the only text in the email body. Each email carries a zip attachment that contains a JavaScript file. Once the JavaScript file is launched, it retrieves and runs the payload; the same botnet has been used to load the Trik worm, the Gozi banking trojan, the XMRig (CryptoNight) cryptocurrency miner and the GandCrab ransomware.
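The delivery chain above (zip attachment, script inside, payload fetched on execution) is what a mail gateway or triage script should catch before a user ever double-clicks. The following Python is an added example written for this page, not code from the campaign or from any vendor. It opens a zip attachment in memory and flags members that are Windows Script Host or shell-executable file types, plus the common trick of an image-like name with a trailing script extension (Windows hides known extensions by default, so "photo.jpg.js" is shown as "photo.jpg"). The member names and contents are constructed for the demonstration; the page does not state the exact filenames used in the campaign, and the extension lists are an assumption about what a gateway should treat as suspicious.

```python
import io
import zipfile

# File types that Windows executes directly (Windows Script Host, shell, HTA).
# A "photo" should never arrive as one of these. Assumed list, not from the page.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".exe", ".scr", ".bat", ".cmd", ".ps1", ".lnk",
}
# Image types a lure typically pretends to be.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def classify_entry(name):
    """Return a list of reasons why one archive member looks like a lure."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]      # drop any sub-directory prefix
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("executable script extension " + ext)
    # "IMG123.jpg.js": the displayed name looks like an image, the real
    # extension is a script. Only meaningful when there are 3+ name parts.
    if len(parts) > 2 and "." + parts[-2] in IMAGE_EXTENSIONS:
        reasons.append("image name masking a script (double extension)")
    return reasons


def scan_zip_attachment(data):
    """Inspect a zip attachment held in memory.

    Returns a dict {member_name: [reasons]} containing only suspicious members;
    an empty dict means nothing was flagged. A corrupt or non-zip attachment
    is reported under the key "<archive>" rather than raising, so a scanner
    can quarantine it instead of crashing.
    """
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = classify_entry(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    except zipfile.BadZipFile:
        findings["<archive>"] = ["not a valid zip file"]
    return findings


def build_sample_zip(members):
    """Build a zip in memory from {name: content}. Used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples for the demonstration; not real attachments from the campaign.
LURE_ZIP = build_sample_zip({
    "IMG123.jpg.js": "// placeholder; a real lure would launch a downloader here\n",
    "readme.txt": "just text\n",
})
BENIGN_ZIP = build_sample_zip({"holiday.jpg": b"\xff\xd8\xff\xe0JFIF-placeholder"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP), ("junk", b"not a zip")):
        print(label, scan_zip_attachment(blob))
```

The check is a cheap pre-filter rather than a signature: it does not need the payload to be known, and it fails closed on malformed archives. A gateway would normally combine it with a policy that strips or quarantines any archive member in SCRIPT_EXTENSIONS regardless of what the accompanying email says.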
Looking into the past
The Phorphiex/Trik botnet is one of the few botnets that delivers such a wide range of damaging payloads.
The Trik botnet is at least a decade old and originally spread through live chat messages and USB storage drives.
While last year's campaign used female names in the phishing emails' display names, this year's uses male names.
In 2018, 43 million email addresses were found exposed on the botnet's command-and-control (C&C) server.
Worth noting
The ransom demand varies, and payment is accepted in bitcoin.
The ransom payment site offers 24/7 support and instructions for obtaining bitcoin, along with a QR code and wallet address for the payment.
The operators are targeting users worldwide, as suggested by the nine language options offered on the site.
The threat actors behind Avaddon have advertised it on Russian-language hacker forums as a Ransomware-as-a-Service (RaaS) program. As is usual under the rules of such programs, affiliates are not to target the Commonwealth of Independent States (CIS). Security experts expect to see a rise in advanced attack tactics and wider distribution of the ransomware.