Rewterz Threat Alert – Conti Ransomware is Actively Exploiting Microsoft Vulnerabilities
March 4, 2022Rewterz Threat Advisory – Mozilla Firefox, Firefox ESR, Firefox for Android, Focus, Thunderbird Vulnerabilities
March 7, 2022Rewterz Threat Alert – Conti Ransomware is Actively Exploiting Microsoft Vulnerabilities
March 4, 2022Rewterz Threat Advisory – Mozilla Firefox, Firefox ESR, Firefox for Android, Focus, Thunderbird Vulnerabilities
March 7, 2022Severity
High
Analysis Summary
Ransomware-as-a-Service (RaaS), Avaddon, and its recent campaign. It has appeared in the wild as part of a massive spam campaign leveraging the Phorphiex/Trik Botnet for sending emails. Attached to the emails, the bodies of which simply contains a winking smiley face, is a ZIP archive containing a JavaScript file masquerading as a JPG. The JavaScript code is responsible for using both PowerShell and Bitsadmin to download and run an executable file from a remote server. On execution, the ransomware encrypts target files and appends a .avdn extension. An HTML ransom note is dropped on the system directing victims to a TOR site where they can buy a decryptor. The site includes a support chat system, free decryption test, and a help page. Researchers also discovered advertisements in Russian-speaking hacker forums attempting to recruit affiliates into their RaaS program.
Impact
- File Encryption
Indicators of Compromise
Filename
- taskhost[.]exe
MD5
- 3a6551daf5dab06e71c14026ee84fd03
SHA-256
- e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4
SHA-1
- cbb6763f76a926c2a0721664977fdbc6f205fff5
Remediation
- Search for IOC in your environment.
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the emails/sent by unknown senders.