Excel 4.0 macros, which were introduced by Microsoft in its MS Office products in the early 1990s, gained good popularity among cyber attackers for its effectiveness in targeting potential victims. Recently, new malware was seen using this trick to target its victims.

Avaddon uses the old Marco tricks

Avaddon ransomware, which was active in the first week of June, is now again found active, bringing along with it the old Microsoft Office macros-based attack techniques.
  • Recently, Avaddon ransomware was seen getting distributed via old techniques related to Excel 4.0 macros.
  • The campaign was mostly seen targeting very specific users in Italy. It sent out emails with malicious Excel 4.0 macros. One sample message was sent to a small business, pretending to be from the Labor Inspectorate, informing the potential victims about some penalties and possible legal actions due to some work-related violations.
  • The Excel 4.0 macros embedded inside the document were capable of downloading the Avaddon ransomware sample directly, without the need of any intermediary downloader.

Other recent attacks

Avaddon Ransomware was first observed at the beginning of June 2020, using a winking smiley face for campaigns targeting victims.
  • In June, the Avaddon Ransomware was observed in a massive spam campaign, with 300,000 emails delivered in just a short period, targeting users worldwide.
  • At that time, the Phorphiex/Trik Botnet was used for distributing malicious emails, having a malicious JavaScript file masquerading as a JPG photo.

Avaddon open for other affiliates as well

At the beginning of June, some advertisements were found promoting Avaddon as a new Ransomware-as-an-Affiliate (RaaS) program, on some Russian-speaking hacker forums
  • In this affiliate program, Avaddon operators offered the already developed ransomware and the operation of the TOR payment site. Affiliates were free to distribute the ransomware via spam, compromising networks, or exploit kits.
  • Avaddon operators proposed to pay the affiliates 65% of any ransom payments they manage to bring in while keeping 35% share for themselves.

Cyware Publisher