Author: James Barnett
TLP: White
On 9 June, Infoblox detected a malicious spam (malspam) campaign delivering a new “Ransomware-as-a-Service” (RaaS) malware known as Avaddon. It uses an affiliate revenue model: threat actors sign up as affiliates and start using the ransomware with no initial fee, but in exchange they must give the author a percentage of their profits.1 This makes Avaddon an attractive choice for threat actors who want a low-risk trial of the new malware. Because distribution is left to whichever affiliate deploys it, Avaddon’s delivery methods may vary significantly from one campaign to the next.
The Avaddon campaign we observed used a lure referencing an attached photo to entice users to open a malicious ZIP file with a misleading triple file extension.
The subject lines of the emails in this campaign included phrases such as “Is this your photo?” and “Look at this photo!” The body text was a single winking emoticon 😉, similar to a Nemty ransomware campaign we reported on earlier this year.2
The attached ZIP files used names with the pattern IMG<6 random digits> and a .jpg.js.zip file extension. Each ZIP contained a JavaScript file with the same base name and a .jpg.js file extension, e.g. IMG182198.jpg.js. This double file extension makes the file appear to be a JPG to victims who have not disabled the default Windows setting for hiding known file extensions: with that setting on, File Explorer shows IMG182198.jpg.js as IMG182198.jpg, and double-clicking the “image” runs the script under the Windows Script Host.
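The following is an added detection example, not code from Infoblox’s report, showing how a mail gateway or sandbox hook could flag attachments laid out like the ones above. It checks ZIP entries for the exact IMG<6 digits>.jpg.js name pattern and, more generally, for any script extension hidden behind a decoy image or document extension, and it reproduces what Windows would display with known extensions hidden. The sample ZIP is constructed inline with an inert placeholder body; the extension lists and function names are this example’s own choices.

```python
import io
import re
import zipfile

# Extensions Windows treats as scripts or executables; the real (last) extension
# decides how the file runs, whatever comes before it.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr",
               "lnk", "cmd", "bat", "ps1"}
# Extensions a user expects on harmless content; used as the decoy middle
# extension in names such as IMG182198.jpg.js.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}

# Exact name pattern observed in this campaign: IMG + six digits + .jpg.js
AVADDON_NAME = re.compile(r"^IMG\d{6}\.jpg\.js$", re.IGNORECASE)
# Name pattern of the ZIP attachment itself: IMG + six digits + .jpg.js.zip
AVADDON_ZIP_NAME = re.compile(r"^IMG\d{6}\.jpg\.js\.zip$", re.IGNORECASE)


def displayed_name(filename):
    """What File Explorer shows with 'Hide extensions for known file types' on:
    only the last extension is hidden, so IMG182198.jpg.js renders as IMG182198.jpg."""
    base, _, last = filename.rpartition(".")
    if base and last.lower() in SCRIPT_EXTS | DECOY_EXTS:
        return base
    return filename


def is_double_extension_lure(filename):
    """True when a script/executable extension sits directly behind a decoy one."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS


def is_campaign_attachment_name(zip_name):
    """True when the attachment name itself matches the campaign's triple extension."""
    return AVADDON_ZIP_NAME.match(zip_name) is not None


def scan_zip_attachment(zip_bytes):
    """Return (entry name, reason) pairs for suspicious entries inside a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Judge the basename, so a nested path cannot hide the extensions.
            name = info.filename.rsplit("/", 1)[-1]
            if AVADDON_NAME.match(name):
                findings.append((info.filename,
                                 "matches Avaddon IMG<6 digits>.jpg.js pattern"))
            elif is_double_extension_lure(name):
                findings.append((info.filename,
                                 "script extension hidden behind ." + name.split(".")[-2]))
    return findings


def build_sample_zip():
    """Constructed sample laid out like the campaign attachment; the JS body is an
    inert placeholder, not the real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG182198.jpg.js", "// inert placeholder\n")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff")  # a genuine-looking JPEG header
    return buf.getvalue()


if __name__ == "__main__":
    print("attachment name flagged:",
          is_campaign_attachment_name("IMG182198.jpg.js.zip"))
    for entry, reason in scan_zip_attachment(build_sample_zip()):
        print(entry, "->", reason, "| shown to user as:", displayed_name(entry))
```

The exact-pattern check is the cheap signature for this campaign; the generic double-extension check is what keeps working once an affiliate changes the naming scheme, and it produces no finding for the legitimate holiday.jpg entry.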
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://twitter.com/china591/status/1270550036049346560/photo/1
2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–61