Avaddon is currently one of the most active ransomware groups, alongside Conti (aka Ryuk); multiple organizations around the world have been victims of this threat.
Two main entry vectors are known among its TTPs:
1.- Through phishing emails with JavaScript files as attachments (in recent events, the attacker claims the attachment is a compromising photo of the victim).
2.- Being deployed on the internal network from the Phorpiex botnet (https://www.cronup.com/de-ataque-con-malware-a-incidente-de-ransomware/).
Below is a compilation of the indicators of compromise observed in the latest Avaddon attacks, so that they can be blocked and analyzed to gain intelligence about the type of infrastructure and the TTPs used by the adversary.
Indicators of Compromise
– https://agileblue.com/wp-content/uploads/2021/05/flash_avaddon_ransomware.pdf
– https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/
– https://otx.alienvault.com/pulse/60a514514b198fba0d4c9217 (Avaddon IOC CyberLab – Phorpiex)
– https://bazaar.abuse.ch/
– https://tria.ge
– https://twitter.com/JAMESWT_MHT/status/1372158736421240836 (active Avaddon sample)
hxxps[://]bitbucket[.]org/tanake5518/fi/downloads/exe_morris[.]mcdermott[.]exe
IOC Download
The IOCs can be downloaded in OpenIOC, STIX or CSV format from our AlienVault OTX account: https://otx.alienvault.com/pulse/60b2d8f6ad3c50856650a462
##################################################
In general, we recommend maintaining a continuous cyber threat monitoring service that includes Continuous Ethical Hacking, Threat Hunting and Cyber Intelligence.
It is also very important to establish an emergency plan for the immediate patching of High/Critical-risk vulnerabilities that allow initial access to the internal network, and to follow basic cybersecurity recommendations (https://www.ftc.gov/system/files/attachments/cybersecurity-small-business/cybersecuirty_sb_factsheets_all.pdf)
IMPORTANT: Since this Friday, May 28, at least two companies in Chile have been compromised and are fighting a ransomware infection on their internal network. The attribution of the attack is unknown, but ransomware is clearly one of the biggest threats in cyberspace today, and Avaddon is a clear example.
This information will be updated as new details become available.


Threat Researcher at CronUp Ciberseguridad
Red Team & Cyber Threat Intelligence Lead.