Microsoft announced yesterday that Avaddon ransomware spread this week through an old technique that has come to the fore again. Attacks using this ransomware appear to be more targeted and rely on malicious Excel 4.0 macros to download the malware directly onto a system.
This campaign has focused on Italy. The file-encrypting malware first appeared in early June, infecting users as part of a massive unsolicited-email (spam) campaign. The malware's operators recruit affiliates to distribute the ransomware payload.
Microsoft Security Intelligence noted that in their latest effort, the attackers behind this campaign targeted specific victims, mainly in Italy, sending emails with archives containing malicious Excel 4.0 macros.
One such email, found by a malware hunter known as JamesWT_MHT, takes the form of a notice purportedly from the Labor Inspectorate and is addressed to a small business, informing it of workplace violations during a crisis period, such as the current COVID-19 pandemic measures. The email's stated purpose is to warn recipients of impending sanctions and possible legal action. A ZIP file called "Official Notice" is attached. The attachment contains an Excel 4.0 (XLM) macro, which modern versions of Office that use VBA code still support.
When run, the macro downloads an Avaddon ransomware sample directly, without an intermediate downloader. This is a technique recently observed among other file-encrypting malware actors. The choice of Excel 4.0 macros to spread malware may seem strange, since the feature was released in Microsoft Office 28 years ago, yet the old macro format is effective, and Avaddon and many other malicious actors have recently started using it.
In Avaddon's case, this appears to be working as well: the ID Ransomware website received a large number of submissions from targeted victims, with spikes on June 18, 28 and 30, in line with Microsoft's observations. Although it is an old technique, malicious Excel 4.0 macros have become increasingly popular in malware campaigns in recent months. Many campaigns have adopted it, including those that exploit the COVID-19 pandemic to deceive potential victims.
Released in 1992, Excel 4.0 uses XLM macros, which store their functions in BIFF (Binary Interchange File Format) files. As a result, they are much harder to analyze than the VBA macros introduced with Excel 5.0.
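Because Excel 4.0 macros live in the binary BIFF workbook stream rather than in a VBA project, a defender who wants to triage such attachments has to walk the BIFF records themselves. The following added example (not code from the original article or from Microsoft) does exactly that for the part that matters most for detection: it parses BOUNDSHEET records and reports every sheet whose type byte marks it as an Excel 4.0 macro sheet, together with its visibility, since maldocs commonly hide the macro sheet. The record layout follows the public MS-XLS specification; the sample workbook stream is constructed inline, and the `build_boundsheet` helper exists only to build that sample. Extracting the "Workbook" stream from a real .xls file's OLE container (for example with the olefile library) is assumed to have been done beforehand.

```python
import struct

# BIFF record identifiers from the MS-XLS specification
BOF = 0x0809
BOUNDSHEET = 0x0085
EOF_REC = 0x000A

# Sheet type ("dt") values carried in a BOUNDSHEET record
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm-macro", 0x02: "chart", 0x06: "vba-module"}
# Visibility ("hsState") values: attackers favour the hidden ones
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very-hidden"}


def iter_records(stream):
    """Yield (record_id, data) for each BIFF record: 2-byte id, 2-byte length, payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        yield rec_id, stream[pos + 4 : pos + 4 + length]
        pos += 4 + length


def parse_boundsheet(data):
    """Decode a BIFF8 BOUNDSHEET payload into (name, sheet_type, hidden_state)."""
    # bytes 0-3: stream offset of the sheet's BOF; byte 4: hsState (low 2 bits);
    # byte 5: dt (sheet type); then a ShortXLUnicodeString (length, flags, chars)
    hs_state = data[4] & 0x03
    sheet_type = data[5]
    name_len = data[6]
    wide = data[7] & 0x01
    if wide:
        name = data[8 : 8 + 2 * name_len].decode("utf-16-le")
    else:
        name = data[8 : 8 + name_len].decode("latin-1")
    return (
        name,
        SHEET_TYPES.get(sheet_type, f"unknown-0x{sheet_type:02x}"),
        HIDDEN_STATES.get(hs_state, "unknown"),
    )


def find_xlm_sheets(stream):
    """Return [(name, hidden_state)] for every Excel 4.0 macro sheet in a Workbook stream."""
    hits = []
    for rec_id, data in iter_records(stream):
        if rec_id == BOUNDSHEET:
            name, sheet_type, hidden = parse_boundsheet(data)
            if sheet_type == "xlm-macro":
                hits.append((name, hidden))
    return hits


def build_boundsheet(name, sheet_type, hidden_state, bof_pos=0):
    """Build a BIFF8 BOUNDSHEET record; used here only to construct sample input."""
    body = struct.pack("<IBBBB", bof_pos, hidden_state, sheet_type, len(name), 0)
    body += name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


# Constructed sample Workbook stream (not a real maldoc): one visible worksheet
# followed by a "very hidden" Excel 4.0 macro sheet, the combination maldocs use.
SAMPLE_STREAM = (
    struct.pack("<HH", BOF, 16) + bytes(16)
    + build_boundsheet("Sheet1", 0x00, 0)
    + build_boundsheet("Macro1", 0x01, 2)
    + struct.pack("<HH", EOF_REC, 0)
)

if __name__ == "__main__":
    for name, hidden in find_xlm_sheets(SAMPLE_STREAM):
        print(f"Excel 4.0 macro sheet {name!r} ({hidden})")
```

Any hit from `find_xlm_sheets` is a strong triage signal on an inbound attachment; a very-hidden macro sheet in a document that claims to be a plain notice is worth quarantining for deeper analysis. The walker does not follow CONTINUE records or parse the macro formulas themselves, which is where tools such as oletools pick up.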
Microsoft has seen an increase in email malware campaigns using Excel 4.0 macros in recent months, and notes that since April the team behind the Avaddon ransomware campaign has used COVID-19 as a lure to attract potential victims.