Tuesday, October 27, 12:17

Avaddon ransomware: Attacks through Excel 4.0 macros

Microsoft announced yesterday that Avaddon ransomware spread this week through an old technique that has come to the fore again. Attacks using this ransomware appear to be more targeted and rely on malicious Excel 4.0 macros to download the malware directly onto a system.

The campaign has focused on Italy. This file-encrypting malware first appeared in early June, infecting users as part of a massive spam campaign. Its operators recruit affiliates to distribute the ransomware payload.


Microsoft Security Intelligence noted that in their latest effort the hackers behind this campaign had specific targets, mainly in Italy, and sent emails with archive attachments containing malicious Excel 4.0 macros.


One such email, found by the malware hunter JamesWT_MHT, takes the form of a notice supposedly from the Labor Inspectorate, addressed to a small business, informing it of workplace violations during a period of crisis, such as the current COVID-19 pandemic measures. The e-mail is meant to warn its recipients of impending sanctions and possible legal action. Attached is a ZIP file called "Official Notice", which contains an Excel 4.0 (XLM) macro; modern versions of Excel still support these macros alongside VBA code.

When run, the macro downloads a sample of Avaddon ransomware directly, without an intermediate downloader, a technique recently observed with other ransomware actors. Using the old macro format is effective. The choice of Excel 4.0 macros to spread malware may seem strange, since the feature was introduced in Microsoft Office 28 years ago, yet Avaddon and many other malicious actors have recently started using them.


In Avaddon's case this seems to be working: the ID Ransomware website received a large number of submissions from targeted victims, with spikes on June 18, 28 and 30, in line with Microsoft's observations. While the technique is old, malicious Excel 4.0 macros have become increasingly popular in malware campaigns in recent months, and have been adopted by many campaigns, including those that exploit the COVID-19 pandemic to deceive potential victims.

Released in 1992, Excel 4.0 uses XLM macros that store functions in BIFF (Binary Interchange File Format) files. They are therefore much harder to analyze than the VBA macros introduced with Excel 5.0.
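Because XLM macros live in the binary BIFF stream rather than in a VBA project, a quick triage check is to walk the BIFF records and look for macro sheets, especially hidden ones. The Python below is an added example written for this article, not code from Microsoft or the researchers cited; it decodes BOUNDSHEET records from a constructed Workbook stream, and the sample stream, sheet names and helper names are assumptions.

```python
import struct

BOF, EOF, BOUNDSHEET = 0x0809, 0x000A, 0x0085
SHEET_TYPES = {0x00: "worksheet", 0x01: "excel4-macro", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}

def iter_records(stream: bytes):
    """Yield (record_id, payload) for each BIFF record in a Workbook stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:      # truncated record: stop, never read past the end
            break
        yield rec_id, payload
        pos += 4 + length

def parse_boundsheet(payload: bytes) -> dict:
    """Decode a BoundSheet8 record: visibility, sheet type and sheet name."""
    _ply_pos, hs_state, dt, cch, flags = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    # fHighByte set means UTF-16LE characters, otherwise one byte per character
    name = raw[:cch * 2].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
    return {"name": name,
            "type": SHEET_TYPES.get(dt, f"unknown-0x{dt:02x}"),
            "visibility": VISIBILITY.get(hs_state & 0x03, "reserved")}

def find_macro_sheets(stream: bytes) -> list:
    """Return every Excel 4.0 macro sheet declared by the workbook's BOUNDSHEET records."""
    sheets = [parse_boundsheet(p) for rid, p in iter_records(stream) if rid == BOUNDSHEET]
    return [s for s in sheets if s["type"] == "excel4-macro"]

def has_hidden_macro_sheet(stream: bytes) -> bool:
    """A hidden or very-hidden macro sheet is a strong indicator of an XLM maldoc."""
    return any(s["visibility"] != "visible" for s in find_macro_sheets(stream))

def _boundsheet(name: str, dt: int, hs_state: int) -> bytes:
    """Build a BoundSheet8 record for the constructed sample below (hypothetical helper)."""
    body = struct.pack("<IBBBB", 0, hs_state, dt, len(name), 0) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body

# Constructed sample Workbook stream (not a real maldoc): a visible worksheet followed
# by a very-hidden Excel 4.0 macro sheet, the layout an XLM dropper typically has.
SAMPLE_STREAM = (struct.pack("<HH", BOF, 16) + bytes(16)
                 + _boundsheet("Sheet1", 0x00, 0)
                 + _boundsheet("Macro1", 0x01, 2)
                 + struct.pack("<HH", EOF, 0))

print(find_macro_sheets(SAMPLE_STREAM), has_hidden_macro_sheet(SAMPLE_STREAM))
```

On a real .xls, extract the Workbook stream from the OLE2 container first (for example with olefile's openstream("Workbook")); that step is deliberately left out here.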

Microsoft has seen an increase in malware email campaigns using Excel 4.0 macros in recent months, and notes that since April the team behind the Avaddon ransomware campaign has been using COVID-19 as a "bait" to attract potential victims.

