Avaddon is a new “Ransomware-as-a-Service” (RaaS) malware that uses an affiliate revenue system as part of how this threat group achieves its financial goals. Avaddon is being actively advertised on various cybercriminal forums and has been associated with recent massive email spam campaigns for its distribution. It uses a double-extortion model—they encrypt your files but also threaten to expose them if you don't pay.
Avaddon uses a variety of techniques to obtain Execution and Persistence, but there’s a lot more anatomy in this attack that is even more interesting. That’s because if you are a threat actor using ransomware, once you infect a network and encrypt the data, your code still needs to connect back to your infrastructure:
- To obtain additional assets such as the larger program that does the actual encryption and exfiltration
- To deliver the victim’s data for possible exposure if they don’t pay.
And that provides us with 2 opportunities as defenders:
- Detecting modern ransomware attacks like Avaddon is more than just monitoring endpoint activity and lateral movement (east/west). There are also unavoidable tell-tale signs in north/south traffic between infected systems and Avaddon infrastructure.
- By using known infrastructure (IPs and domains), we can expand our knowledge of the threat group behind Avaddon and what they are up to—identifying more infrastructure to watch for and even identify future attacks.
First, we will show you how the initial Avaddon attack works, including:
- Initial malspam email
- Attached loader, which is a compressed (ZIP) JavaScript file masquerading as a JPG picture using file extension spoofing
- Obfuscation techniques of questionable value where random values are assigned to variables
- Living off the land with PowerShell and BITSadmin
- Redundancy in case one method fails
Then Tim Helming, Security Evangelist from our sponsor DomainTools, will show you how starting with just a domain name, we can move on to exploring infrastructure and wider activities of the group behind Avaddon. We will show you how, as a defender, you can not only lock down against the current threat but against related ones as well.
Because it turns out, like many attackers, the Avaddon group isn’t just a one trick pony. Starting with domains and IP addresses associated with Avaddon, we can research Internet records including domain registration, DNS records, passive DNS data and more, to show that this group is also involved with Predator The Thief, which is an older C++ RAT (Remote Access Trojan) that was for sale on various cybercriminal marketplaces. The capabilities of Predator were Steam account hijacking, dumping of local SQLite of various web browser databases, cookie theft of Google Chrome, Opera and Yandex, as well as other various RAT functionality.
This makes it clear that the threat group behind the widely distributed Avaddon ransomware campaign also deals in other malware related attacks. What you will learn here about domain forensics is equally applicable for a BEC phish, data exfiltration, commodity or specialized malware, etc.
This entire event, including DomainTools’ presentation is technical, fascinating and applicable far beyond just Avaddon.
Please join us for this real training for free session.