Author: James Barnett
On 9 June, Infoblox detected a malicious spam (malspam) campaign delivering a new “Ransomware-as-a-Service” (RaaS) malware known as Avaddon. It uses an affiliate revenue system where threat actors can sign up as affiliates and start using the ransomware for no initial fee, but in exchange they must give the author a percentage of their profits.[1] This makes Avaddon an attractive choice for threat actors who want a no-risk trial for the new malware. Because Avaddon is freely available, its distribution methods may vary significantly depending on the threat actor deploying it.
The Avaddon campaign we observed used a lure referencing an attached photo to entice users to open a malicious ZIP file with a misleading triple file extension.
The subject lines of the emails in this campaign included phrases such as “Is this your photo?” and “Look at this photo!” The body text was a single winking emoticon 😉, similar to a Nemty ransomware campaign we reported on earlier this year.[2]
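A mail-gateway style check for the lure traits described above, as an added example that is not Infoblox's own code: it flags the quoted subject phrases, attachment names with three or more stacked extensions, and ZIP members whose final extension is runnable. The sample file names and the `RISKY_EXTS` list are constructed assumptions, not values from the report.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Subject phrases quoted in the report above (compared case-insensitively).
LURE_SUBJECTS = ("is this your photo?", "look at this photo!")
# Assumption: extensions treated as directly runnable on Windows; tune to local policy.
RISKY_EXTS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".lnk"}

def stacked_exts(name):
    """'a.jpg.js.zip' -> ['.jpg', '.js', '.zip']; purely numeric parts (dates) are ignored."""
    return [s.lower() for s in PurePosixPath(name).suffixes if not s[1:].isdigit()]

def inspect_message(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    if any(phrase in subject for phrase in LURE_SUBJECTS):
        findings.append("lure-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = stacked_exts(name)
        if len(exts) >= 3:
            findings.append(f"stacked-extension:{name}")
        if exts[-1:] == [".zip"]:
            try:
                # Member names are readable even when the archive is password-protected.
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if set(stacked_exts(member)[-1:]) & RISKY_EXTS:
                            findings.append(f"risky-member:{member}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable-zip:{name}")
    return findings

def build_sample(subject, zip_name, member_name):
    """Constructed test message; the archive member holds inert placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder, not real malware")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(";)")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("Is this your photo?", "IMG_0001.jpg.js.zip", "IMG_0001.jpg.js")))
```

Because affiliates can change delivery methods, treat each finding as a separate signal to score rather than requiring all three to match.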
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.