Just a Wink and Smile - the Avaddon Pathway to Doom

The new Avaddon ransomware has come alive in an enormous spam campaign targeting online users with emails containing a wink emoji.

What is happening

The Avaddon ransomware is being propagated via the Phorphiex/Trik botnet. The malspam messages, which carry a wink emoji in the body, try to entice recipients into opening what is presented as a photo. The attachment is a zip file that contains a JavaScript file; once the JavaScript file is launched, the Trik worm, the Gozi banking trojan, the CryptoNight XMRig cryptocurrency miner, and the Gandcrab ransomware are loaded.
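The delivery chain above (a "photo" lure with a wink emoji, a zip attachment, a script inside the zip) is easy to screen for at the mail gateway. The following is an added example, not code from the original post or from any vendor; the sender, subject, body text and archive member name are constructed to mimic the lure and are not real campaign samples. It parses an e-mail, looks for the lure pattern in the body, and lists any Windows-executable script files inside zip attachments, then returns a verdict a gateway could act on.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Script types Windows runs directly when a user double-clicks them out of a zip.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
WINK = "\U0001F609"  # the wink emoji used in the lure


def build_sample_eml(member="IMG_2020.jpg.js", body="i like you " + WINK):
    """Constructed test message shaped like the lure (hypothetical addresses and names)."""
    msg = EmailMessage()
    msg["From"] = "Mark <mark@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "my photo for you"
    msg.set_content(body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Harmless placeholder content; only the member name matters for the check.
        zf.writestr(member, "// placeholder, not a payload\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="IMG_2020.zip")
    return msg.as_bytes()


def script_names_in_zip(data):
    """Return the archive members whose final extension is a Windows script type."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
                if ext in SCRIPT_EXTENSIONS:
                    hits.append(name)
    except zipfile.BadZipFile:
        pass  # content type said zip but the bytes are not; nothing to list
    return hits


def analyse_email(raw):
    """Flag the photo-plus-wink lure and any script files hidden in zip attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    subject = msg["Subject"] or ""
    findings = {"wink_photo_lure": False, "script_in_zip": []}

    # Lure heuristic: a wink emoji together with a "photo" pretext in body or subject.
    if WINK in text and "photo" in (text + subject).lower():
        findings["wink_photo_lure"] = True

    # Attachment check: open every zip (by name or by magic bytes) and list scripts.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings["script_in_zip"].extend(script_names_in_zip(payload))

    hit = findings["wink_photo_lure"] or bool(findings["script_in_zip"])
    findings["verdict"] = "quarantine" if hit else "deliver"
    return findings


if __name__ == "__main__":
    print(analyse_email(build_sample_eml()))
```

The script-in-zip check is the more robust of the two signals: the emoji and the wording of the lure change between campaigns (the display names already flipped from female to male between years), whereas a zip whose only member is a `.js` file has essentially no legitimate business use and can be quarantined on its own.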

Looking into the past

Phorphiex/Trik is one of the few botnets capable of delivering such a heavy mix of payloads.
  • The Trik botnet is at least a decade old and was first disseminated via live chat and USB storage drives.
  • While last year’s campaign contained female names in the phishing email, this year the display names were male.
  • In 2018, 43 million email addresses leaked from the C&C server of the botnet.

Worth noting

  • The ransom demand varies and payment is accepted in bitcoin.
  • The payment site offers 24/7 support, instructions for obtaining bitcoin, and a QR code and wallet address for payment.
  • The operators are targeting users worldwide, as shown by the 9 language options on their site.
  • The related IOCs can be found here.

The bottom line

The threat actors behind Avaddon have posted on Russian hacker forums that they are a Ransomware-as-a-Service (RaaS) program. Following the RaaS rules, the actors will not target the Commonwealth of Independent States. Security experts expect to see a rise in advanced attack tactics and increasing distribution of the ransomware.