Old Excel Macro Tricks Resurface via the ‘Avaddon’ Ransomware

  • Excel 4.0 macros are getting trendy again, as malicious actors realized they are stealthier than newer macros.
  • Although nearly three decades old, XML macros are still working perfectly on the latest versions of MS Excel.
  • The latest actors to exploit this are Avaddon ransomware groups, and one in particular that targets Italians.

The ‘Avaddon’ ransomware has been very actively distributed in Italy lately, and researchers noticed that it exploits an old Excel 4.0 macros trick. The ransomware infection campaign that is still ongoing involves spamming people with messages of penalties and legal action being taken against their business due to “violations.” This apparently is enough to trigger the fear or curiosity of the recipient, who download the attached file. The thing is, though, the file isn’t a real notice, but a spreadsheet document laced with malicious Excel 4.0 macros that fetch the Avaddon ransomware.

avaddon macros
Source: Bleeping Computer

Excel 4.0 macros are XML based, and they are harder to analyze compared to VBA macros that were rolled out with Excel 5.0 and are used ever since. Thus, actors are using these macros to trick anti-virus systems and bypass protection layers that may be in place. Excel 4.0 was released all the way back in 1992, almost 28 years ago, but its XML macros are still compatible with today’s Excel version and all versions in between. This is precisely why there has been an uptick in the deployment of Excel 4.0 macros by malicious actors lately, not just those who spread ‘Avaddon.’

The Avaddon RaaS is currently recruiting more people to spread its otherwise robust ransomware tool, so numerous different tricks appear each day. Earlier reports presented different social engineering themes like sending emails with subjects like “Your new photo?” or “Do you like my photo?” and the attached JPG is actually a JavaScript downloader. That said, while staying informed about what is going on out there is key to your safety, being vigilant in general would be the best approach with any form of unsolicited communication. Avaddon actors will try out more alleys of infection, especially when their existing methods are exposed.

avaddon-ransom
Source: How to Fix Guide

The Avaddon ransomware family appeared in early June 2020, and it seems to be a tool that was created from scratch in C++. It encrypts user data using AES-256 and RSA-2048, and the ransom demands generally range between $150 and $350, although some may go even higher. If your locked files carry the extension “.avdn,” you’ve been hit by this ransomware strain. At the moment, there are no working decryptors for Avaddon, so the best you can do is sign up for the “Notify Me” on ID Ransomware and get an alert as soon as an unlocking tool becomes available.

REVIEW OVERVIEW

Recent Articles

UK ICO Imposes £16.95 Million Penalty to Marriott for Data Breach Incident

Britain’s data watchdog has discounted the Marriott fine down to about one-fifth of the original.The officer justified the decision by mentioning Marriott’s...

Google Discovers Actively Exploited Zero-Day on Windows 10

Google’s researchers discovered two zero-day bugs, one on Chrome and one on Windows.The Chrome flaw has been patched, but the Windows fix...

9 Best Halloween VPN Deals (2020) – Save up to 85% While Paying as Little as $1.65/Month!

There are many reasons why VPNs have become essential tools in our interaction with the Web. However, the fact is that they come with...