An old Avaddon ransomware spreading technique is making a comeback this week, courtesy of malicious Excel 4.0 macros, Microsoft has warned. Microsoft has confirmed that Avaddon ransomware continues to use malicious Excel macros in campaigns. In these campaigns, attackers target victims by sending malicious Excel attachments over emails. This ransomware campaign primarily targets people in Italy.
Avaddon ransomware makes a comeback
The malicious Excel 4.0 macros act like payload to drop the Avaddon ransomware onto the victim’s computer. Upon execution, the macro downloads the Avaddon ransomware. Avaddon ransomware came to light last month. However, the overall malware delivery process expedited this week with the help of email campaigns.
It’s a relatively old technique employed by several ransomware campaigns where attackers use malicious Excel 4.0 macros. This technique started gaining popularity in malware campaigns only in recent months:
“This week, Avaddon ransomware became the latest malware to use malicious Excel 4.0 macros in campaigns. Emails carrying the malicious Excel attachments were sent to specific targets, primarily in Italy. When run, the malicious macro downloads the Avaddon ransomware,” warned Microsoft.
While an old technique, malicious Excel 4.0 macros started gaining popularity in malware campaigns in recent months. The technique has been adopted by numerous campaigns, including ones that used COVID-19 themed lures. https://t.co/TgJlFc2ucb
— Microsoft Security Intelligence (@MsftSecIntel) July 2, 2020
What is Avaddon Ransomware?
Similar to Trickbot, Avaddon Ransomware is usually a part of massive spam campaigns trying to spread the ransomware by all possible means. In March, hackers were caught using an infected MS-Word document, trying to trick users into installing malware. These campaigns started gaining momentum in the wake of the global pandemic.
A few weeks ago, Microsoft started tracking a ransomware campaign that pushed the legitimate remote access tool (RAT) via email attachments, which contained malicious Excel 4.0 macros. Many such campaigns have so far used a variety of email attachments containing malicious macros.
As Microsoft has explained in the past, malware actors often impersonate believable authorities. This way, they can maximize their potential for delivering RATs. Microsoft has also been witnessing a steady increase in the usage of malicious Excel 4.0 macros in malware and ransomware campaigns for months.
Previously, Microsoft described how Ransomware groups continue to target healthcare, critical services, and show zero respect to critical industries including healthcare.
TIP: You can block Macros from running in Microsoft Office using Group Policy.