Ave Maria

Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Attackers use it to remotely control their victims' PCs and steal information from the infected machines. For example, they can remotely activate the camera, take pictures of a victim and send them to a control server.

Type: Stealer
Origin: Unknown
First seen: 4 December, 2018
Last seen: 28 February, 2020
Also known as: AVE_MARIA, Warzone RAT
Global rank: 25
Week rank: 12
Month rank: 17
IOCs: 764

What is Ave Maria malware?

Ave Maria is a remote access Trojan, infostealer and keylogger. It is malware that attackers can use to gain remote control of the machines it infects. When researchers first discovered this Trojan it was thought to be rather simplistic; later samples, however, turned out to carry advanced functions.

The malware is sold as a one- or three-month subscription and can be purchased openly from its authors, which is typical for this type of threat. Buyers can also purchase a dynamic DNS server from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. Although researchers believed the malware to be fairly simple when it was first discovered, it was later revealed to have advanced functions under its hood, such as privilege escalation and remote camera control.

Furthermore, the Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even well-protected information such as credentials stored in Mozilla Firefox, which the browser guards with PK11 encryption, is not safe.

However, some parts of the malware appear to be unfinished, which may suggest that the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, that prospect is nothing but worrying.

The Ave Maria Trojan uses a DLL hijacking exploit that, at this point, has no foreseeable fix. It lets the malware escalate the privileges of a Windows process, so that a malicious process gains administrative control of the infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.

Once the malware has gained this initial foothold, it downloads additional plugins and even other malware, such as Lokibot, to the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service shows the execution process of Ave Maria. Users can use this recording to take a deep dive into how the malware functions under the hood.

Figure 1: Graph of the processes generated by the ANY.RUN malware hunting service.

Figure 2: ANY.RUN allows creating customizable text reports that contain detailed and well-structured information. This function is perfect for preparing presentations.

Ave Maria malware execution process

The Ave Maria RAT execution process varies slightly from one version to another. Since the main distribution vector of this malware is malicious spam email campaigns, it usually exploits the CVE-2017-11882 (Microsoft Equation Editor) vulnerability, but it can infect a system in several other ways.

In the analysed sample, a malicious document is downloaded and the payload is executed through its macro. The malware then copies itself to the %temp% directory and runs from there. To establish persistence, the Ave Maria Trojan changes an autorun value in the registry and creates a scheduled task. For privilege escalation, the malware uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a malware instance with higher privileges. The malware also often injects into the explorer.exe process.

After all these steps, the Ave Maria RAT starts its malicious activity: keylogging, which saves all keystrokes and other user activity to a file, establishing a connection with the C2 server, stealing further data from the system, and so on.

Distribution of Ave Maria malware

Ave Maria, like many other RATs, is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques, meaning that they tailor the emails to each targeted segment of potential victims more closely than in typical email spam.

The danger of the Ave Maria RAT distribution method, combined with tailored campaigns, lies in the fact that neither macros nor user interaction is needed once the victim has downloaded the malicious document. The infection often begins with a Microsoft Equation Editor exploit triggered by an embedded object contained in the downloaded document.

How to detect Ave Maria malware using ANY.RUN?

Ave Maria malware steals information offline, saving the collected data locally on the infected system. To find out what information was stolen by the Ave Maria RAT, look inside the files it creates using "Static Discovering". These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, just click on its name.

Figure 3: Information stolen by Ave Maria.
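As an added defensive example (not code from this page or from ANY.RUN), the behaviour chain from the execution-process section above and the dd-mm-yy_hh.mm.ss naming of the stolen-data files can be expressed as detection rules over process, registry, image-load and file-creation telemetry. The event shapes, paths and file names below are constructed for the example, and the rule names are assumptions of mine.

```python
import re
from datetime import datetime

T = r"C:\Users\u\AppData\Local\Temp"   # constructed victim temp directory
# Constructed sample telemetry (not real logs), modelled on the chain described in the text.
EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "image": T + r"\inv.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\inv", "value": T + r"\inv.exe"},
    {"type": "process", "parent": T + r"\inv.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn inv /sc onlogon /tr " + T + r"\inv.exe"},
    {"type": "imageload", "image": r"C:\Windows\System32\pkgmgr.exe", "module": T + r"\dismcore.dll"},
    {"type": "filecreate", "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\u\AppData\Roaming\03-02-20_14.05.11"},
    {"type": "filecreate", "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\u\AppData\Roaming\99-99-99_00.00.00"},
    {"type": "filecreate", "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\u\Documents\report.docx"},
]

OFFICE = {"winword.exe", "excel.exe", "eqnedt32.exe"}   # eqnedt32 hosts CVE-2017-11882
TEMP_MARK = "\\appdata\\local\\temp\\"
RUN_MARK = "\\currentversion\\run\\"
DATED = re.compile(r"^\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}$")   # dd-mm-yy_hh.mm.ss store names

def base(path): return path.rsplit("\\", 1)[-1].lower()
def in_temp(path): return TEMP_MARK in path.lower()

def classify(ev):
    """Return the name of the behaviour rule the event matches, or None."""
    t = ev["type"]
    if t == "process":
        if base(ev["parent"]) in OFFICE and in_temp(ev["image"]):
            return "office_spawned_temp_exe"          # maldoc drops and runs payload from %temp%
        if base(ev["image"]) == "schtasks.exe" and "/create" in ev.get("cmdline", "").lower() \
                and in_temp(ev["parent"]):
            return "scheduled_task_from_temp"         # persistence via scheduled task
    elif t == "registry" and RUN_MARK in ev["key"].lower() and in_temp(ev["value"]):
        return "run_key_points_to_temp"               # persistence via autorun value
    elif t == "imageload" and base(ev["image"]) == "pkgmgr.exe" and base(ev["module"]) == "dismcore.dll" \
            and not ev["module"].lower().startswith("c:\\windows\\"):
        return "pkgmgr_dll_hijack"                    # dismcore.dll loaded from outside the Windows dir
    elif t == "filecreate" and DATED.match(base(ev["path"])):
        try:                                          # drop names that only look like timestamps
            datetime.strptime(base(ev["path"]), "%d-%m-%y_%H.%M.%S")
            return "dated_store_file"                 # candidate file holding stolen data
        except ValueError:
            pass
    return None

def scan(events):
    hits = [(classify(ev), ev) for ev in events]      # (rule, event) pairs, in telemetry order
    return [h for h in hits if h[0]]
```

The last two constructed file events show the edge case: a name must both match the pattern and parse as a real date before it is reported.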

Summary

Ave Maria malware should be considered a serious threat to cybersecurity. It utilizes a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the lack of any need for user interaction to begin execution makes the chance of infection with this malware higher than average. We should also add that the latest samples of the malware show many advancements compared to the first reports. It is safe to assume that Ave Maria will be upgraded further down the line.

This threat is fairly new and right now there is limited information about Ave Maria RAT. All the more reason to utilize advanced functions provided by the ANY.RUN malware hunting service and dissect the available samples. Unfortunately, we must admit that it is likely that we will hear about this malware again and the more prepared we are then, the better.

IOCs

