Threat Hunting Content: Avaddon Ransomware Detection

A newcomer to the Ransomware scene, Avaddon Ransomware has been actively spread in spam campaigns since the beginning of the month, and the attackers behind it continue to recruit affiliates in underground forums. During one of the detected campaigns, cybercriminals sent over 300,000 malicious emails using Phorphiex/Trik Botnet. Currently, Avaddon is aimed more at individual users than at organizations, and time will tell how the evolution of this malware will go. Also, until there are no cases where attackers steal data before encrypting files, as the more advanced groups distributing Maze ransomware, DoppelPaymer, Ragnar Locker, and some others do.

Cybercriminals send malicious emails containing only a wink emoji in the body of the email and JavaScript file masquerading as a JPG photo attached. To prevent an inattentive user from suspecting anything, attackers use double extensions (you can read more about this method and detecting attempts to exploit it here and here). The malicious attachment launches both a PowerShell and Bitsadmin command that download the Avaddon ransomware executable and run it. This campaign is reminiscent of the ‘Love Letter’ spam that had distributed Nemty ransomware this February, perhaps it is the same threat actor who fixed previous mistakes and started using double extensions in malicious files. 

Threat hunting rule submitted by Osman Demir enables security solutions to uncover Avaddon ransomware during its installation and the first steps of the attack: https://tdm.socprime.com/tdm/info/yme41l3RvAMR/glX4wXIBQAH5UgbBnIcH/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio 

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Impact

Techniques: Data Encrypted for Impact (T1486)