Cybereason vs. Avaddon Ransomware

Over the last few months, the Cybereason Nocturnus Team has been tracking the activity of the Avaddon Ransomware. It has been active since June 2020 and is operating with the Ransomware-as-a-Service (RaaS) and double extortion models, targeting sectors such as healthcare. Avaddon is distributed via malspam campaigns, where the victim is being lured to download the malware loader.

Key Findings

• Classic Luring Technique: To lure the victim, the Avaddon loader is sent as a double extension attachment in phishing emails, tricking the victim into thinking an image of them was leaked online and sent to them.

• Active Threat Group: Since its discovery in June 2020, Avaddon is still an active threat, marking almost a year of activity.

• Hybrid Encryption: Avaddon uses a popular hybrid encryption technique that combines AES and RSA keys, typical of other modern ransomware.

• Double Extortion: Joining the popular double extortion trend, Avaddon has its own “leaks website” where it publishes exfiltrated data of its victims if the ransom demand is not satisfied.

• Use of Windows Tools: Various legitimate Windows tools are used to delete system backups and shadow copies prior to encryption of the targeted machine.

• Detected and Prevented: The Cybereason Defense Platform fully detects and prevents the Avaddon ransomware.

Background

The Avaddon ransomware was discovered in June 2020 and has remained a prominent threat ever since. Its first infection vector was phishing emails that lured victims with a supposed image of them, sent as an email attachment. The attachment was in fact a double-extension JavaScript downloader that downloads and executes the Avaddon ransomware:

[Image: Avaddon phishing email]

The ransomware is written in C++ and, in certain versions, can be recognized by the ".avdn" extension appended to encrypted files. Avaddon uses a hybrid encryption method, similar to other modern ransomware, with AES256 and RSA2048 keys.

Avaddon follows the popular double extortion technique by threatening to expose its victims' data on a dedicated “leaks website”, where it also posts fragments of the stolen data as leverage to force payment of the ransom demand. As of early April 2021, the leaks website is live, with multiple targets being extorted for payment:

[Image: Avaddon leaks website]

The Avaddon gang also recruits affiliates on hacking forums, as other known ransomware operator groups do. In November 2020, Avaddon was reportedly delivered as a payload in Phorpiex botnet spam campaigns. Phorpiex first surfaced in 2010 and reached one million infected users at its peak; it is one of the oldest botnets around and is known to have previously distributed other ransomware variants. In 2021, Avaddon added DDoS attacks as extra leverage to pressure victims into paying.

JavaScript Downloader and Avaddon Analysis

The JavaScript downloaders are fairly simple and include the use of two built-in Microsoft tools, PowerShell and BITS, to download the ransomware payload from the C2 server and execute it:

[Image: Avaddon download script]

Avaddon samples are generally not packed, and their main initial obfuscation technique is base64-encoded strings. To reveal the plaintext strings, the base64 string is decoded, each byte is XORed, 10 is added to each byte, and the result is XORed once again:

[Image: String decryption loop]
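To work with strings obfuscated this way, an analyst needs the decoder and its inverse. The following Python is an added example written for this write-up, not code from the Avaddon sample or from Cybereason; the single-byte XOR key is an assumption (the write-up gives neither the key's value nor its width), so a ranking helper is included to show how candidate keys can be narrowed down when decoding strings from a new sample.

```python
import base64

# Assumed single-byte XOR key used only for illustration: the write-up does not
# give the real key or its width, so this value is a placeholder.
ASSUMED_KEY = 0x5A


def decrypt_string(encoded, key=ASSUMED_KEY):
    """Reverse the routine described above: base64-decode, XOR each byte with
    the key, add 10 (mod 256), then XOR with the key once more."""
    out = bytearray()
    for b in base64.b64decode(encoded):
        b ^= key
        b = (b + 10) & 0xFF
        b ^= key
        out.append(b)
    return out.decode("latin-1")


def encrypt_string(plain, key=ASSUMED_KEY):
    """Inverse of decrypt_string; used here only to build constructed test input."""
    out = bytearray()
    for b in plain.encode("latin-1"):
        b ^= key
        b = (b - 10) & 0xFF
        b ^= key
        out.append(b)
    return base64.b64encode(bytes(out)).decode("ascii")


def printable_ratio(text):
    """Fraction of characters that are printable ASCII (0.0 for an empty string)."""
    if not text:
        return 0.0
    return sum(32 <= ord(c) < 127 for c in text) / len(text)


def rank_single_byte_keys(encoded, top=5):
    """Try all 256 single-byte keys and rank them by printable_ratio of the
    output. This is a cheap first filter for recovering an unknown key from a
    blob that should decode to a command line or path; several keys may tie,
    so the candidates still need a human look."""
    scores = [(k, printable_ratio(decrypt_string(encoded, k))) for k in range(256)]
    scores.sort(key=lambda kv: (-kv[1], kv[0]))
    return scores[:top]


if __name__ == "__main__":
    blob = encrypt_string("vssadmin Delete Shadows /All /Quiet")  # constructed sample
    print(decrypt_string(blob))
    print(rank_single_byte_keys(blob))
```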

After decryption, the following strings are revealed. They include the commands executed to delete shadow copies and backups, important system paths to include or exclude during encryption, the malware's mutex name, and so on:

Global\{8ACC12C0-4D9B-4F77-A47C-3592E699B86F}

ROOT\CIMV2

Create

Win32_Process

CommandLine

wmic SHADOWCOPY DELETE /nointeractive

wbadmin DELETE SYSTEMSTATEBACKUP

wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0

vssadmin Delete Shadows /All /Quiet

bcdedit /set {default} recoveryenabled No

bcdedit /set {default} bootstatuspolicy ignoreallfailures

SYSTEMDRIVE

PROGRAMFILES(x86)

USERPROFILE

ProgramData

Program Files

ALLUSERSPROFILE

AppData

PUBLIC

TMP

Tor Browser

MSOCache

EFI

\Windows

\WINDOWS

\Program Files

\Users\All Users

\AppData

\Microsoft\Windows

\Program Files\Microsoft\Exchange Server

\Program Files (x86)\Microsoft\Exchange Server

\Program Files\Microsoft SQL Server

\Program Files (x86)\Microsoft SQL Server

\Program Files\mysql

\Program Files (x86)\mysql

Decrypted strings list
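The recovery-tampering commands in that list are the most reliable host-side signal, because they run before encryption starts. The following Python is an added example for this write-up, not Cybereason code: it runs pattern matching over constructed process-creation events (assumed field names host, parent, image and cmdline) and flags hosts where several distinct techniques cluster.

```python
import json
import re

# Command-line patterns taken from the decrypted Avaddon strings above. Each one
# removes a recovery path (shadow copies, system state backups, the Windows
# recovery environment) before the ransomware starts encrypting.
RECOVERY_TAMPER_PATTERNS = {
    "wmic_shadowcopy_delete": re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I),
    "wbadmin_delete_systemstate": re.compile(r"\bwbadmin\b.*\bdelete\b.*\bsystemstatebackup\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit\b.*\brecoveryenabled\b\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I),
}

def classify(cmdline):
    """Names of every recovery-tampering pattern the command line matches."""
    return [name for name, rx in RECOVERY_TAMPER_PATTERNS.items() if rx.search(cmdline)]

def detect(events):
    """Scan process-creation events (dicts with host, parent, image, cmdline) and
    return one alert per matching command line."""
    alerts = []
    for ev in events:
        hits = classify(ev.get("cmdline", ""))
        if hits:
            alerts.append({"host": ev["host"], "parent": ev.get("parent", ""),
                           "cmdline": ev["cmdline"], "techniques": hits})
    return alerts

def hosts_over_threshold(alerts, min_distinct=2):
    """Hosts on which at least min_distinct different tamper techniques fired;
    a burst of several is a far stronger ransomware signal than any single one."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).update(a["techniques"])
    return sorted(h for h, t in seen.items() if len(t) >= min_distinct)

# Constructed sample telemetry (not real events). The first line has WmiPrvSE.exe
# as parent, which is how a process started through the WMI Win32_Process Create
# method named in the decrypted strings shows up in process-creation logs.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"host": "ws01", "parent": "WmiPrvSE.exe", "image": "wmic.exe", "cmdline": "wmic SHADOWCOPY DELETE /nointeractive"}
{"host": "ws01", "parent": "cmd.exe", "image": "wbadmin.exe", "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"}
{"host": "ws01", "parent": "cmd.exe", "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"}
{"host": "ws02", "parent": "explorer.exe", "image": "vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"host": "ws03", "parent": "backup-agent.exe", "image": "vssadmin.exe", "cmdline": "vssadmin Delete Shadows /All /Quiet"}
""".strip().splitlines()]
```

Calling detect(SAMPLE_EVENTS) yields four alerts, and hosts_over_threshold on them returns only ws01, where three distinct techniques fired; the lone vssadmin deletion on ws03 is reported but needs context (a backup agent can legitimately prune shadow copies).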

When executed with Cybereason Anti-Ransomware prevention turned off, the following execution of the Avaddon ransomware along with its child processes can be observed in the Cybereason Defense Platform:

[Image: Avaddon execution tree as seen in the Cybereason Defense Platform with Anti-Ransomware disabled]

Avaddon itself carries several anti-debugging and anti-analysis checks. In this variant it checks the system locale through a library function, and it also holds a list of analysis and VM-related tools that could interfere with its execution, together with the file extensions it is interested in. This information is likewise hidden and is decrypted with a slightly different algorithm:

[Image: Second strings decryption method]

Below is a table of the decrypted strings. The ransom note is decrypted in the same way:

Decrypted strings and their functionality:

Excluded extensions for encryption: .exe,.bin,.sys,.ini,.dll,.lnk,.dat,.exe,.drv,.rdp,.prf,.swp

Extensions to encrypt: .mdf,.mds,.sql

Processes to terminate:

sqlservr.exe,sqlmangr.exe,RAgui.exe,QBCFMonitorService.exe,supervise.exe,fdhost.exe,Culture.exe,RTVscan.exe,Defwatch.exe,wxServerView.exe,sqlbrowser.exe,winword.exe,GDscan.exe,QBW32.exe,QBDBMgr.exe,qbupdate.exe,axlbridge.exe,360se.exe,360doctor.exe,QBIDPService.exe,wxServer.exe,httpd.exe,fdlauncher.exe,MsDtSrvr.exe,tomcat6.exe,java.exe,wdswfsafe.exe

DefWatch,ccEvtMgr,ccSetMgr,SavRoam,dbsrv12,sqlservr,sqlagent,Intuit.QuickBooks.FCS,dbeng8,sqladhlp,QBIDPService,Culserver,RTVscan,vmware-usbarbitator64,vmware-converter,VMAuthdService,VMnetDHCP,VMUSBArbService,VMwareHostd,sqlbrowser,SQLADHLP,sqlwriter,msmdsrv,tomcat6,QBCFMonitorService

Second method decrypted strings

For encryption, this variant uses the known hybrid encryption routine combining hardcoded AES and RSA keys:

[Image: Avaddon AES and RSA encryption keys]

Once encryption completes, a Python installation folder, for example, looks like the following; note that files with executable extensions were skipped and left unencrypted:

[Image: Python installation folder encrypted by Avaddon]

The ransom note content directs the victim to the Tor payment website:

[Image: Avaddon ransom note]

Finally, when browsing to the website mentioned in the ransom note, the victim can enter their unique ID and obtain the Bitcoin wallet address and payment instructions:

[Image: Avaddon website for victim registration]

Cybereason Detection and Prevention

The Cybereason Defense Platform detects the Avaddon executable together with the Windows utilities it executes, and triggers a Malop™ for it:

[Image: Malop triggered for Avaddon in the Cybereason Defense Platform]

When the Cybereason Anti-Ransomware prevention feature is enabled, execution of the Avaddon samples is prevented by the AI module:

[Image: Cybereason Defense Platform detecting Avaddon]

Security Recommendations

• Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent - more information for customers can be found here

• Enable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate and above - more information can be found here

• Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities

• Regularly Backup Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data

• Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering

MITRE ATT&CK BREAKDOWN

Execution: Command and Scripting Interpreter

Privilege Escalation: Application Shimming

Defense Evasion: Virtualization/Sandbox Evasion, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, File Deletion

Discovery: System Time Discovery, Security Software Discovery, Virtualization/Sandbox Evasion, Process Discovery, Peripheral Device Discovery, System Network Configuration Discovery, File and Directory Discovery, System Information Discovery

Collection: Data from Local System

Impact: Data Encrypted for Impact, Inhibit System Recovery

About the Researcher:

Daniel Frank

Daniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware Researcher at F5 Networks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware, and developing security-driven code. Frank holds a BSc degree in information systems.

Avaddon Ransomware | Indicators of Compromise


About the Author: Cybereason Nocturnus

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.
