Topic: {Warning}: New Avaddon Ransomware relaunch with IMG attachment (Read 578 times)

hero member
Activity: 2632
Merit: 833
Quote
This looks like the WannaCry attack. It's crazy to see how the hackers are using this attack as their favorite new attack. It's easy to infect the machines with the malware, and there is nothing we can do because Windows will keep installing programs without asking us.

If you want to be safe and secure, then use Linux and navigate the internet wisely.

It seems there are still uneducated individuals that can easily fall for this trick. They think it is interesting to see what the attached image is, click it, and then it's too late; they fall victim. I agree that Linux is good, but it is not for everyone. Windows is still number one as far as desktop OS market share around the world.

Just think before you click and be very attentive to every mail coming into your inbox, especially from unknown sources.
legendary
Activity: 2702
Merit: 4002
Spam through email is an old-school scam; everyone should learn not to click on links randomly.
I have not read all the data, but I do not think it is easy to close and encrypt all the data from a click on an image; anyway, you should be careful.

Use e-mail addresses with better filters, and do not publish them publicly.
Do not reply to any unknown e-mails.
legendary
Activity: 3346
Merit: 3130
This looks like the WannaCry attack. It's crazy to see how the hackers are using this attack as their favorite new attack. It's easy to infect the machines with the malware, and there is nothing we can do because Windows will keep installing programs without asking us.

If you want to be safe and secure, then use Linux and navigate the internet wisely.
legendary
Activity: 2576
Merit: 1655

The previous attack used just a wink smiley face attachment. This time, the new attack vector is spreading through emails with attachments in the IMG.jpg.js.zip format. It is reported that 300,000 messages have been filtered out so far, and the number is still growing.

How you get infected (if you extract the file):

  • The script launches Windows Script Host to run a command that launches PowerShell with the execution policy bypass flag.
  • A file named sava.exe is then downloaded from the IP 217[.]8[.]117[.]63 into the local temp folder and saved as 5203508738.exe, before it is executed.

The ransom note:

You will then be given a 7-day window to pay the ransom, $600 via BTC.

Quote
Indicators of Compromise

Main object: IMG126172.jpg.js
    sha256: cc4d665c468bcb850baf9baab764bb58e8b0ddcb8a8274b6335db5af86af72fb
Dropped executable file
    sha256: 05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2
Malicious IP connection: 217.8.117[.]63

https://appriver.com/resources/blog/june-2020/phorphiextrik-botnet-delivers-avaddon-ransomware

So if you receive any suspicious emails, especially with these attachments, permanently remove them from your inbox.
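As an added example (not from this post or the linked AppRiver write-up), the Python below turns the infection chain described above into two defender-side checks: a process-creation rule for wscript/cscript spawning PowerShell with an execution-policy bypass, and a filename rule for image-named attachments that really end in a script extension (optionally zipped). The event records and filenames are constructed samples, and the exact command line used by the real dropper is not reproduced here.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -NoProfile -Command <elided>"},
    {"parent_image": r"C:\Windows\explorer.exe",  # admin at an interactive shell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ep bypass -File C:\\scripts\\backup.ps1"},
    {"parent_image": r"C:\Windows\System32\wscript.exe",  # script host, but no PowerShell
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe readme.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell accepts abbreviated parameter names, so match the common spellings.
BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.IGNORECASE)
# An image extension directly followed by a script/executable extension, optionally zipped.
DISGUISED_RE = re.compile(
    r"\.(?:jpe?g|png|gif|bmp)\.(?:js|jse|vbs|vbe|wsf|hta|exe|scr)(?:\.zip)?$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_script_host_to_powershell_bypass(event: dict) -> bool:
    """Script host (wscript/cscript) -> powershell.exe with an execution-policy bypass."""
    return (basename(event["parent_image"]) in SCRIPT_HOSTS
            and basename(event["image"]) == "powershell.exe"
            and BYPASS_RE.search(event["command_line"]) is not None)


def is_disguised_script_attachment(filename: str) -> bool:
    """Attachment named like an image but carrying a script/executable extension."""
    return DISGUISED_RE.search(basename(filename)) is not None


def triage(events: list, attachments: list) -> list:
    """Return human-readable findings for the constructed records above."""
    findings = [f"process: {basename(e['parent_image'])} -> powershell with bypass"
                for e in events if is_script_host_to_powershell_bypass(e)]
    findings += [f"attachment: {name}" for name in attachments
                 if is_disguised_script_attachment(name)]
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, ["IMG126172.jpg.js.zip", "holiday.jpg"]):
        print(line)
```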