BlackBerry Ltd.
BlackBerry Ltd.
06/03/2021 | News release | Distributed by Public on 06/02/2021 23:15
Threat Thursday: Avaddon Ransomware Uses DDoS Attacks as Triple Threat
Threat Thursday: Avaddon Ransomware Uses DDoS Attacks as Triple Threat
Summary
The Avaddon ransomware variant first appeared in early 2020 and made international headlines due to recent attacks against Australian organizations and Asia-based cyber insurance company AXA. Both the Federal Bureau of Investigations (FBI) and the Australian Cyber Security Center (ACSC) have released warnings regarding an ongoing attack by this malware family.
Avaddon is distributed as a Ransomware as a Service (RaaS) for use in targeted attacks. The infection vector of Avaddon is phishing emails.
Like DarkSide and REvil ransomware, Avaddon also uses a double extortion scheme where data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their data is published to a site located on the dark web at avaddongun7rngel[dot]onion.
Avaddon, however, goes one step further. To further 'encourage' victims to pay the ransom, attackers also subject them to a third threat - a Distributed Denial of Service (DDoS) attack - until the ransom is paid.
Visiting the dark web site, the current victims can be seen under 'new companies' that Avaddon has infected. For example, they claim to have 3 TB of data from AXA, which is notably large compared to other victims. They also allege that some of the data making up this 3TB contains customer medical reports, customer claims, payments to customers, customer ID's, customer scanned bank account papers, hospitals and doctors reserved material, and more. The Avaddon gang have also attached a proof of stolen data screenshot for each affected victim.
Operating System
Risk & Impact
Technical Analysis
Avaddon ransomware masquerades as Microsoft® host process for Windows tasks called 'taskhost.exe'.
This is a common method for malware writers to trick unwitting users into believing that the file is a trusted and legitimate Microsoft file:
Figure 1: Fake 'taskhost.exe' file information.
Avaddon samples are not packed, but some of the strings are obfuscated to hinder static detection and analysis:
Figure 2: Obfuscated strings.
To de-obfuscate the strings, several steps must occur: a base64 decode must first be performed, followed by a XOR operation using a key in hexadecimal, then addition with a key in hex, and then a final XOR operation with a key in hex. The hex values required vary from sample to sample. It has also been observed that some Avaddon samples perform subtraction instead of addition:
Figure 3: String decryption.
For example, upon de-obfuscation of those strings, a string 'KD4yPHkMERoFEAgcEAkCeQUGHQb1BnlwPzAyPxUmKzo8FTIXJg==' decodes to 'wmic SHADOWCOPY DELETE /nointeractive'.
The full list of de-obfuscated strings can be found in Appendix A.
Figure 4: Obfuscated string.
Figure 5: De-obfuscated string.
Upon execution, Avaddon creates a copy of itself in the 'C:\Users\%user name%\AppData\Roaming\Microsoft\Windows' folder. The copied file is then used to create a scheduled task called 'update' to maintain persistence:
Figure 6: Scheduled task called 'update'.
This threat also modifies the registry keys to bypass User Account Control (UAC). It also escalates privileges to obtain access to mapped network drives by setting the registry values of EnableLUA and ConsentPromtBehaviorAdmin to 0 and EnableLinkedConnections to 1:
Figure 7: Modified registry keys.
Avaddon then deletes shadow copies using the following commands:
wmic.exe:
- wmic SHADOWCOPY DELETE /nointeractive
vssadmin.exe:
- vssadmin Delete Shadows /All /Quiet
The malware also deletes system backups using the following commands, to ensure the victim can't easily restore the encrypted files:
wbadmin.exe:
- wbadmin DELETE SYSTEMSTATEBACKUP
- wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
- wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
bcdedit.exe:
- bcdedit /set {default} recoveryenabled No
- bcdedit.exe -> bcdedit /set {default} bootstatuspolicy ignoreallfailures
Avaddon will begin enumerating the infected system, ignoring certain locations to avoid encrypting files there. Those locations are the following:
- C:\$Recycle.Bin
- C:\Program Files
- C:\Program Files (x86)
- C:\ProgramData
- C:\Users\All Users
- C:\Users\%username%\AppData
- Folders containing the name 'Tor Browser'
Avaddon will look in the 'Program Files' and 'Program Files (x86)' folders for the presence of Microsoft Exchange Server, Microsoft SQL Server, and MySQL. If those directories can be found, Avaddon will start encrypting the affected file types and append them with a '.beDBDdeCd' file extension.
The appended file extension varies from sample to sample, but it typically follows a pattern of 9-10 lower/upper case letters [a-eA-E]{9,10}. In earlier versions of Avaddon, the appended file extension was '.avdn':
Figure 8: Encrypted files.
This threat drops a ransom note titled 'jpNx9_readme_.txt' in each affected directory. The random lower-and-upper-case letters and numbers used for naming the readme text file also vary from sample to sample.
The ransom note informs the infected user that all documents, photos, databases, and other file of importance have been encrypted:
Figure 9: Avaddon ransom note.
To access the Avaddon's dark web page, the victim is required to download a Tor browser and navigate to the attacker's dark web site to input the key. This key can be found in the ransom note:
Figure 10: Avaddon URL for key input.
The ransom note alerts the victim that many files have been downloaded by the threat actor. They then have three days to get in contact with the Avaddon group, otherwise the sensitive data will be published on the attacker's dark web site at avaddongun7rngel[dot]onion.
Figure 11: Avaddon victims (company names obscured for privacy).
To ensure that the ransom is paid in a timely fashion, Avaddon DDoSes the victim's website, rendering it unusable and inaccessible. The page also contains a list of all new companies that have become Avaddon's latest victims. Attackers also publish some screenshots of the material that has been stolen from each victim. For example, the screenshots may include copies of passports, ID cards, and other private documents.
The 'Full dump' section of the website contains a list of data dumps from victims who have refused to cooperate with the Avaddon gang. Those 'dump' files can be downloaded by anyone who accesses the site. These files are compressed, and no password was required to extract the contents:
Figure 12: unzipped data dump contents.
Yara Rule
The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:
|
rule Mal_Ransom_Win32_Avaddon_2021
//'ext':'
condition: |
Indicators of Compromise (IoCs)
At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain.
By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. It also helps reduce infrastructure complexity and streamline security management to ensure business, people, and endpoints are secure.
|
File System Actions Created:
Deleted:
Modified:
Mutex:
Processes Created:
Services Terminated:
|
Appendix A
|
base64 decode -> XOR 0x8 -> ADD 0x3 -> XOR 0x54 |
Deobfuscated strings |
|
DBAH9QgaCwYNHjI8KzAsMCcVDQgyPyUwKCwNHBYrKyY/FfcmKywyMD8NCTA9MjwyJiwNDCIsFSY+ |
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
|
Bj86Oz0mHTI/NCYlHDA/PyY8FTIwPyw= |
EnableLinkedConnections |
|
Bj86Oz0mHfYa |
EnableLUA |
|
HDA/LCY/FQkrMD4pFRsmMToXMjArGiU+Mj8= |
ConsentPromptBehaviorAdmin |
|
DAIM9QYeBQsS9wY= |
SYSTEMDRIVE |
|
CQsQGAsaHgcSHQYMcSFhV3I= |
PROGRAMFILES(x86) |
|
9gwGCwkLEAcSHQY= |
USERPROFILE |
|
CSswOCs6PgU6FTo= |
ProgramData |
|
CSswOCs6PnkHMj0mLA== |
Program Files |
|
Gh0d9gwGCwwJCxAHEh0G |
ALLUSERSPROFILE |
|
GikpBToVOg== |
AppData |
|
CfYbHRIc |
PUBLIC |
|
9R4J |
TMP |
|
9TAreRsrMCgsJis= |
Tor Browser |
|
BgcS |
EF |
|
HgwQHDo8MSY= |
MSOCache |
|
DQgyPyUwKCw= |
\Windows |
|
DQkrMDgrOj55BzI9Jiw= |
\Program Files |
|
DfYsJissDRo9PXn2LCYrLA== |
\Users\All Users |
|
DRopKQU6FTo= |
\AppData |
|
DR4yPCswLDAnFQ0IMj8lMCgs |
\Microsoft\Windows |
|
KD4yPHkMERoFEAgcEAkCeQUGHQb1BnlwPzAyPxUmKzo8FTIXJg== |
wmic SHADOWCOPY DELETE /nointeractive |
|
KDs6JT4yP3kFBh0G9QZ5DAIM9QYeDPUa9QYbGhwU9gk= |
wbadmin DELETE SYSTEMSTATEBACKUP |
|
KDs6JT4yP3kFBh0G9QZ5DAIM9QYeDPUa9QYbGhwU9gl5fiUmPSYVJhA9JSYsFQ== |
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest |
|
KDs6JT4yP3kFBh0G9QZ5DAIM9QYeDPUa9QYbGhwU9gl5fjQmJin3JissMjA/LGNp |
wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 |
|
FywsOiU+Mj95BSY9JhUmeQwxOiUwKCx5cBo9PXlwChYyJhU= |
vssadmin Delete Shadows /All /Quiet |
|
OzwlJiUyFXlwLCYVeSQlJic6Fj0VLnkrJjwwFyYrIiY/Ojs9JiV5HzA= |
bcdedit /set {default} recoveryenabled No |
|
OzwlJiUyFXlwLCYVeSQlJic6Fj0VLnk7MDAVLBU6FRYsKTA9MjwieTI4PzArJjo9PSc6Mj0WKyYs |
bcdedit /set {default} bootstatuspolicy ignoreallfailures |
|
fxcxJQ== |
.vhd |
|
fxcxJSE= |
.vhdx |
|
KTAoJissMSY9PXkFMiw+MBY/FX4FMiw0Ej46OCZ5fhI+OjgmCToVMXk= |
powershell Dismount-DiskImage -ImagePath |
|
KTAoJissMSY9PX8mISY= |
powershell.exe |
|
ACsmOiU+JgB/FSEV |
_readme_.txt |
|
ERAeBgULEvcG |
HOMEDRIVE |
|
ERAeBgka9RE= |
HOMEPATH |
|
BSYsNBUwKQ0= |
Desktop\ |
|
HDA/FSswPXkJOj8mPQ0FJiw0FTAp |
Control Panel\Desktop |
|
CDo9PQk6KSYr |
WallPaper |
|
JCQyJS4u |
{{id}} |
|
JCQmIRUuLg== |
{{ext}} |
|
FiklOhUm |
update |
|
GD0wOzo9DSQaYVdXV2EabH5hB2tpflVqB2x+YmgFan5XaFcbaxoFVxoFB2gu |
Global\{A86668A3-8F20-41F3-97D1-676B2AD6ADF7} |
|
DQkrMDgrOj55BzI9JiwNHjI8KzAsMCcVDQYhPDE6PzgmeQwmKxcmKw== |
\Program Files\Microsoft\Exchange Server |
|
DQkrMDgrOj55BzI9Jix5cSFhV3INHjI8KzAsMCcVDQYhPDE6PzgmeQwmKxcmKw== |
\Program Files (x86)\Microsoft\Exchange Server |
|
DQkrMDgrOj55BzI9JiwNHjI8KzAsMCcVeQwKHXkMJisXJis= |
\Program Files\Microsoft SQL Server |
|
DQkrMDgrOj55BzI9Jix5cSFhV3INHjI8KzAsMCcVeQwKHXkMJisXJis= |
\Program Files (x86)\Microsoft SQL Server |
|
DQkrMDgrOj55BzI9JiwNPiIsKj0= |
\Program Files\mysql |
|
DQkrMDgrOj55BzI9Jix5cSFhV3INPiIsKj0= |
\Program Files (x86)\mysql |
|
CxAQ9Q0cEh73aw== |
ROOT\CIMV2 |
|
CAod |
WQL |
|
DAYdBhz1eXN5BwsQHnkIMj9sawAJJisnBzArPjoVFSYlBToVOgAJJisnCSswPAAJKzA8Jiws |
SELECT * FROM Win32_PerfFormattedData_PerfProc_Process |
|
Hzo+Jg== |
Name |
|
EgUJKzA8Jiws |
IDProcess |
|
CSYrPCY/FQkrMDwmLCwwK/UyPiY= |
PercentProcessorTime |
|
LBc8MTAsFQ== |
svchost |
|
PCwrLCw= |
csrss |
|
LCYrFzI8Jiw= |
services |
|
PSw6LCw= |
lsass |
|
KDI/PTA4MD8= |
winlogon |
|
LCkwMD0sFw== |
spoolsv |
|
JiEpPTArJis= |
explorer |
|
CxY/FTI+JhsrMDQmKw== |
RuntimeBroker |
|
DCIsFSY+ |
System |
|
KTAoJissMSY9PQ== |
powershell |
|
KCw8KzIpFQ== |
wscript |
|
HCsmOhUm |
Create |
|
CDI/bGsACSswPCYsLA== |
Win32_Process |
|
HDA+Pjo/JR0yPyY= |
CommandLine |
|
fiw6JyY= |
-safe |
|
DBAH9QgaCwYNHjI8KzAsMCcVDQgyPyUwKCx5H/UNHBYrKyY/FfcmKywyMD8NCDI/PTA4MD8= |
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
|
JiEpPTArJit/JiEmfQ== |
explorer.exe, |
|
DDEmPT0= |
Shell |
|
OzwlJiUyFXlwLCYVeSw6JyY7MDAVeT8mFSgwKzQ= |
bcdedit /set safeboot network |
|
OzwlJiUyFXlwJSY9JhUmFzo9FiZ5LDonJjswMBU= |
bcdedit /deletevalue safeboot |
BlackBerry Assistance
If you're battling Avaddon ransomware or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment
About The BlackBerry Research and Intelligence Team
The BlackBerry Research and Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.
Back