Old Excel Macro Tricks Resurface via the ‘Avaddon’ Ransomware

  • Excel 4.0 macros are getting trendy again, as malicious actors have realized they are stealthier than newer macros.
  • Although nearly three decades old, XLM macros still work on the latest versions of MS Excel.
  • The latest actors to exploit this are Avaddon ransomware groups, including one in particular that targets Italians.

The ‘Avaddon’ ransomware has been very actively distributed in Italy lately, and researchers noticed that it exploits an old Excel 4.0 macro trick. The still-ongoing infection campaign involves spamming people with messages about penalties and legal action being taken against their business due to “violations.” This apparently is enough to trigger the fear or curiosity of the recipient, who downloads the attached file. The thing is, though, the file isn’t a real notice but a spreadsheet document laced with malicious Excel 4.0 macros that fetch the Avaddon ransomware.

[Image: Avaddon macros. Source: Bleeping Computer]

Excel 4.0 macros are XLM-based, and they are harder to analyze than the VBA macros that were rolled out with Excel 5.0 and have been used ever since. Thus, actors are using these macros to trick anti-virus systems and bypass whatever protection layers may be in place. Excel 4.0 was released all the way back in 1992, almost 28 years ago, but its XLM macros are still compatible with today’s Excel version and every version in between. This is precisely why there has been an uptick in the deployment of Excel 4.0 macros by malicious actors lately, not just those who spread ‘Avaddon.’
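The backward compatibility described above means a modern .xlsm package can carry Excel 4.0 macro sheets alongside, or instead of, VBA. The following added example (not code from the article or from any of the researchers it cites) scans an OOXML workbook container for the indicators a defender would triage on: macro-sheet parts under xl/macrosheets/, the macrosheet content type, an Auto_Open defined name, and hidden or very-hidden sheets. It builds a constructed, minimal sample package in memory and does not cover the legacy binary .xls format.

```python
import io
import re
import zipfile

# Constructed sample: a skeletal OOXML package with an Excel 4.0 macro sheet,
# a "veryHidden" sheet entry and an Auto_Open defined name. It only exercises
# the scanner and is not a complete workbook that Excel would open.
SAMPLE_WORKBOOK_XML = b"""<?xml version="1.0"?>
<workbook>
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
  <definedNames>
    <definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>
  </definedNames>
</workbook>"""

SAMPLE_CONTENT_TYPES = (
    b'<Types><Override PartName="/xl/macrosheets/sheet1.xml" '
    b'ContentType="application/vnd.ms-excel.macrosheet+xml"/></Types>'
)


def build_sample(with_macro: bool = True) -> bytes:
    """Return the constructed package as bytes; with_macro=False yields a benign one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", SAMPLE_CONTENT_TYPES if with_macro else b"<Types/>")
        z.writestr("xl/workbook.xml", SAMPLE_WORKBOOK_XML if with_macro else b"<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", b"<worksheet/>")
        if with_macro:
            z.writestr("xl/macrosheets/sheet1.xml", b"<macrosheet/>")
    return buf.getvalue()


def scan_xlm(data: bytes) -> dict:
    """Collect Excel 4.0 macro indicators from an OOXML workbook container."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        types = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        wb = z.read("xl/workbook.xml").decode("utf-8", "replace") if "xl/workbook.xml" in names else ""
    f = {"macrosheets": [n for n in names if n.startswith("xl/macrosheets/")]}
    f["macrosheet_content_type"] = b"macrosheet+xml" in types
    f["auto_open"] = bool(re.search(r'definedName name="_xlnm\.Auto_Open"', wb))
    f["hidden_sheets"] = re.findall(r'<sheet [^>]*name="([^"]+)"[^>]*state="(?:veryHidden|hidden)"', wb)
    # Macro sheets plus an auto-run entry point is the combination worth escalating.
    f["suspicious"] = bool(f["macrosheets"]) and f["auto_open"]
    return f
```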

The Avaddon RaaS is currently recruiting more people to spread its otherwise robust ransomware tool, so numerous different tricks appear each day. Earlier reports described other social engineering themes, such as emails with subjects like “Your new photo?” or “Do you like my photo?” where the attached JPG is actually a JavaScript downloader. That said, while staying informed about what is going on out there is key to your safety, being vigilant with any form of unsolicited communication is the best general approach. Avaddon actors will try out more avenues of infection, especially when their existing methods are exposed.

[Image source: How to Fix Guide]

The Avaddon ransomware family appeared in early June 2020, and it seems to be a tool that was created from scratch in C++. It encrypts user data using AES-256 and RSA-2048, and the ransom demands generally range between $150 and $350, although some may go even higher. If your locked files carry the extension “.avdn,” you’ve been hit by this ransomware strain. At the moment, there are no working decryptors for Avaddon, so the best you can do is sign up for the “Notify Me” service on ID Ransomware and get an alert as soon as an unlocking tool becomes available.
