Riddle Spider

Riddle Spider, Avaddon Team
(Type: -)

(Cornell University) The commoditization of Malware-as-a-Service (MaaS) allows criminals to obtain financial benefits at a low risk and with little technical background. One such popular product in the underground economy is ransomware. In ransomware attacks, data from infected systems is held hostage (encrypted) until a fee is paid to the criminals. This modus operandi disrupts legitimate businesses, which may become unavailable until the data is restored. A recent blackmailing strategy adopted by criminals is to leak data online from the infected systems if the ransom is not paid. Besides reputational damage, data leakage might produce further economic losses due to fines imposed by data protection laws. Thus, research on prevention and recovery measures to mitigate the impact of such attacks is needed to adapt existing countermeasures to new strains.

[News Analysis] Trends:

Total Trend: 0

Trend Per Year: (no data)

Trend Per Month: (no data)

[News Analysis] News Mention Another Threat Name:

(none)

[TTP Analysis] Technique Performance:

reconnaissance: 0/43
resource development: 0/45
initial access: 0/19
execution: 3/36
persistence: 1/113
privilege escalation: 2/96
defense evasion: 5/184
credential access: 0/63
discovery: 5/44
lateral movement: 0/22
collection: 0/37
command and control: 0/39
exfiltration: 0/18
impact: 3/26


[TTP Analysis] Mitre Attack Matrix:

Tactics with no mapped techniques: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Credential Access (TA0006), Lateral Movement (TA0008), Collection (TA0009), Command and Control (TA0011), Exfiltration (TA0010)

Execution (TA0002)
T1059.007  Command and Scripting Interpreter: JavaScript
T1106      Native API
T1047      Windows Management Instrumentation

Persistence (TA0003)
T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Privilege Escalation (TA0004)
T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1548.002  Abuse Elevation Control Mechanism: Bypass User Account Control

Defense Evasion (TA0005)
T1548.002  Abuse Elevation Control Mechanism: Bypass User Account Control
T1140      Deobfuscate/Decode Files or Information
T1562.001  Impair Defenses: Disable or Modify Tools
T1112      Modify Registry
T1027      Obfuscated Files or Information

Discovery (TA0007)
T1083      File and Directory Discovery
T1135      Network Share Discovery
T1057      Process Discovery
T1614.001  System Location Discovery: System Language Discovery
T1016      System Network Configuration Discovery

Impact (TA0040)
T1486      Data Encrypted for Impact
T1490      Inhibit System Recovery
T1489      Service Stop


[Infrastructure Analysis] Based on Related IOC:

IP:Port / Timestamp: (none listed)
Domain / Timestamp: (none listed)
URL / Timestamp: (none listed)


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Actor: Riddle Spider

Names: Riddle Spider, Avaddon Team

Country: [Unknown]

Motivation: Financial gain

First-seen: 2020

Description: see the (Cornell University) abstract quoted at the top of this page.

Observed-countries: Australia, Belgium, Brazil, Canada, China, Costa Rica, Czech, France, Germany, India, Indonesia, Italy, Japan, Jordan, Peru, Poland, Portugal, Russia, South Korea, Spain, Switzerland, Thailand, UAE, UK, USA, Worldwide

Tools: Avaddon

Operations:

2020-06: New Avaddon Ransomware launches in massive smiley spam campaign https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/

2020-07: Avaddon ransomware shows that Excel 4.0 macros are still effective https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shows-that-excel-40-macros-are-still-effective/

2020-08: Avaddon ransomware launches data leak site to extort victims https://www.bleepingcomputer.com/news/security/avaddon-ransomware-launches-data-leak-site-to-extort-victims/

2021-01: Another ransomware now uses DDoS attacks to force victims to pay https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/

2021-02: Avaddon ransomware fixes flaw allowing free decryption https://www.bleepingcomputer.com/news/security/avaddon-ransomware-fixes-flaw-allowing-free-decryption/

2021-04: Cyber-attackers hold PN to ransom with major data leak threat https://timesofmalta.com/articles/view/cyber-attackers-hold-pn-to-ransom-with-major-data-leak-threat.865968

2021-05: Insurer AXA hit by ransomware after dropping support for ransom payments https://www.bleepingcomputer.com/news/security/insurer-axa-hit-by-ransomware-after-dropping-support-for-ransom-payments/

2021-06: Avaddon ransomware shuts down and releases decryption keys https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/

Information: https://arxiv.org/abs/2102.04796

Last-card-change: 2021-06-15

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactics with no mapped techniques: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Credential Access (TA0006), Lateral Movement (TA0008), Collection (TA0009), Command and Control (TA0011), Exfiltration (TA0010)

Execution (TA0002)

T1059.007  Command and Scripting Interpreter: JavaScript
Avaddon has been executed through a malicious JScript downloader.

T1106  Native API
Avaddon has used the Windows Crypto API to generate an AES key.

T1047  Windows Management Instrumentation
Avaddon uses wmic.exe to delete shadow copies.

Persistence (TA0003)

T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Avaddon uses registry Run keys for persistence.

Privilege Escalation (TA0004)

T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Avaddon uses registry Run keys for persistence.

T1548.002  Abuse Elevation Control Mechanism: Bypass User Account Control
Avaddon bypasses UAC using the CMSTPLUA COM interface.

Defense Evasion (TA0005)

T1548.002  Abuse Elevation Control Mechanism: Bypass User Account Control
Avaddon bypasses UAC using the CMSTPLUA COM interface.

T1140  Deobfuscate/Decode Files or Information
Avaddon has decrypted encrypted strings.

T1562.001  Impair Defenses: Disable or Modify Tools
Avaddon looks for and attempts to stop anti-malware solutions.

T1112  Modify Registry
Avaddon modifies several registry keys for persistence and UAC bypass.

T1027  Obfuscated Files or Information
Avaddon has used encrypted strings.

Discovery (TA0007)

T1083  File and Directory Discovery
Avaddon has searched for specific files prior to encryption.

T1135  Network Share Discovery
Avaddon has enumerated shared folders and mapped volumes.

T1057  Process Discovery
Avaddon has collected information about running processes.

T1614.001  System Location Discovery: System Language Discovery
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.

T1016  System Network Configuration Discovery
Avaddon can collect the external IP address of the victim.

Impact (TA0040)

T1486  Data Encrypted for Impact
Avaddon encrypts the victim system using a combination of AES-256 and RSA encryption schemes.

T1490  Inhibit System Recovery
Avaddon deletes backups and shadow copies using native system tools.

T1489  Service Stop
Avaddon looks for and attempts to stop database processes.