Ave Maria

Ave Maria is a Remote Access Trojan (RAT) also known as Warzone RAT. Attackers use it to control victims' machines remotely and steal information from them. For example, it can activate the webcam, take pictures of the victim and send them to the command-and-control (C2) server.

Type: Stealer
Origin: Unknown
First seen: 4 December, 2018
Last seen: 21 May, 2022
Also known as: AVE_MARIA, Warzone RAT
Global rank: 23
Week rank: 11
Month rank: 12
IOCs: 6297

What is Ave Maria malware?

Ave Maria is a remote access Trojan, information stealer and keylogger that gives attackers remote control of the machines it infects. When researchers first discovered it, the Trojan was considered rather simplistic; later samples, however, turned out to carry advanced functionality.

The malware is sold openly by its authors on one- or three-month subscriptions, which is typical for this class of malware. Buyers can also purchase a dynamic DNS service from the same seller to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. When it was first discovered, researchers believed it to be fairly simple and unlikely to grow into a major threat the way Ryuk ransomware did. Later analysis revealed advanced functions under its hood, such as privilege escalation through a UAC bypass and remote camera control.

According to the analysis, Ave Maria can steal a wide range of data from infected machines. Even credentials stored by Mozilla Firefox are not safe despite being protected with the browser's NSS (PK11) key store: a stealer running under the victim's account can call the browser's own NSS library (PK11SDR_Decrypt) to unprotect them on the host.

However, some parts of the malware appear unfinished, and the authors seem to be still expanding its functionality. Given how effective the RAT already is, that prospect is worrying.

Ave Maria escalates privileges with a DLL-hijacking UAC bypass: a malicious dismcore.dll is loaded by the auto-elevated pkgmgr.exe, which lets a malicious process gain administrative control of the infected machine. Because Microsoft does not treat UAC as a security boundary, bypasses of this kind are generally not serviced, so no fix is foreseeable. The malware also uses evasion techniques that let it avoid detection on many target machines.

Once it has achieved this initial goal, the malware downloads additional plugins and even other malware families, such as Lokibot, onto the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service shows the execution process of Ave Maria. It can be used as a starting point for a deeper analysis of how the malware works under the hood.

Figure 1: Process graph of Ave Maria generated by the ANY.RUN malware hunting service.

Figure 2: ANY.RUN can generate customizable text reports with detailed, well-structured information, convenient for presentations.

Ave Maria malware execution process

Based on the analysis, the Ave Maria RAT execution process varies slightly from one version to another. Since the main distribution vector is malicious spam email, it usually arrives in a document that exploits CVE-2017-11882 (Microsoft Equation Editor), but it can infect a system in several other ways.

In the analyzed sample, the maldoc is downloaded and its macro runs the payload. The malware then copies itself to the %TEMP% directory and runs from there. For persistence, Ave Maria sets an autorun value in the registry and creates a scheduled task. For privilege escalation, it abuses pkgmgr.exe to load a malicious dismcore.dll, which starts a new malware instance with higher privileges (a UAC bypass via DLL hijacking). The malware also frequently injects into the explorer.exe process.

After these steps, Ave Maria begins its malicious activity: the keylogger records keystrokes and other user activity to a file, the malware connects to the C2 server, steals further data from the system, and so on.

Distribution of Ave Maria malware

Like Revenge, Glupteba and many other RATs and ransomware families, Ave Maria is distributed in spam email campaigns that deliver a malicious attachment. However, attackers often tailor the emails to each targeted segment of potential victims more closely than typical spam does.

What makes this distribution method dangerous, combined with the tailored lures, is that the exploit-based variants need neither macros nor any user interaction beyond opening the downloaded document: infection begins when an embedded object in the document triggers the Microsoft Equation Editor exploit.

How to detect Ave Maria malware using ANY.RUN?

Unlike ransomware, Ave Maria stages the information it steals locally on the infected system before sending it out. To see what was stolen, look inside the files it creates using "Static Discovering". These files often have names in the dd-mm-yy_hh.mm.ss format. Click on a file's name to open it and start the analysis.

Figure 3: Information stolen by Ave Maria.
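The behaviours listed in the execution-process section above (Office or Equation Editor spawning a child, execution from %TEMP%, Run-key and scheduled-task persistence, pkgmgr.exe loading a planted dismcore.dll, injection into explorer.exe) and the dd-mm-yy_hh.mm.ss staging files mentioned here can be turned into simple host-based detection logic. The following is an added example written for this page, not ANY.RUN's code and not taken from the malware. Event field names are modelled on Sysmon (Image, ParentImage, TargetObject, ImageLoaded, TargetImage, TargetFilename), the sample events are constructed, the rule names are arbitrary, and matching dism.exe as well as pkgmgr.exe is an assumption.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Hit = Tuple[str, str]

# Parents whose child processes are suspicious: Office applications (macro
# execution) and the Equation Editor binary abused by CVE-2017-11882.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Hosts of dismcore.dll in the pkgmgr.exe UAC bypass. pkgmgr.exe is what the
# page names; dism.exe is included as an assumption, since pkgmgr hands off to it.
DISM_HOSTS = {"pkgmgr.exe", "dism.exe"}

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
# Locally staged stolen data: file names of the form dd-mm-yy_hh.mm.ss.
STAGED_FILE_RE = re.compile(r"\\\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}(\.[A-Za-z0-9]+)?$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> List[Hit]:
    """Return (rule, detail) pairs for every rule the event matches."""
    hits: List[Hit] = []
    kind = ev.get("event")
    if kind == "ProcessCreate":
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        cmd = ev.get("CommandLine", "")
        if basename(parent) in OFFICE_PARENTS:
            hits.append(("office_child_process", f"{basename(parent)} -> {image}"))
        if TEMP_RE.search(image):
            hits.append(("execution_from_temp", image))
        if basename(image) == "schtasks.exe" and "/create" in cmd.lower():
            hits.append(("scheduled_task_persistence", cmd))
    elif kind == "RegistryValueSet":
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            hits.append(("run_key_persistence", target))
    elif kind == "ImageLoad":
        loaded = ev.get("ImageLoaded", "")
        # A legitimate dismcore.dll lives under the Windows directory; one loaded
        # from anywhere else by pkgmgr/dism is the DLL hijack.
        if (basename(ev.get("Image", "")) in DISM_HOSTS
                and basename(loaded) == "dismcore.dll"
                and not WINDIR_RE.match(loaded)):
            hits.append(("dismcore_dll_hijack", loaded))
    elif kind == "CreateRemoteThread":
        if basename(ev.get("TargetImage", "")) == "explorer.exe":
            hits.append(("injection_into_explorer", ev.get("SourceImage", "")))
    elif kind == "FileCreate":
        name = ev.get("TargetFilename", "")
        if STAGED_FILE_RE.search(name):
            hits.append(("staged_stolen_data_file", name))
    return hits


def scan(events: List[Event]) -> List[Hit]:
    return [hit for ev in events for hit in check_event(ev)]


# Constructed sample telemetry: one benign event per category mixed in with the
# Ave Maria-style chain. Paths and names are invented for illustration.
SAMPLE_EVENTS: List[Event] = [
    {"event": "ProcessCreate", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"event": "ProcessCreate", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\victim\AppData\Local\Temp\payload.exe", "CommandLine": "payload.exe"},
    {"event": "RegistryValueSet", "Image": r"C:\Users\victim\AppData\Local\Temp\payload.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\payload"},
    {"event": "ProcessCreate", "ParentImage": r"C:\Users\victim\AppData\Local\Temp\payload.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 1 /tn payload /tr "C:\\Users\\victim\\AppData\\Local\\Temp\\payload.exe"'},
    {"event": "ImageLoad", "Image": r"C:\Windows\System32\pkgmgr.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\dismcore.dll"},
    {"event": "ImageLoad", "Image": r"C:\Windows\System32\Dism.exe",
     "ImageLoaded": r"C:\Windows\System32\Dism\dismcore.dll"},
    {"event": "CreateRemoteThread", "SourceImage": r"C:\Users\victim\AppData\Local\Temp\payload.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"event": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\12-05-22_14.33.07"},
    {"event": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Documents\report.docx"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

On a real host these correspond to Sysmon event IDs 1 (process create), 13 (registry value set), 7 (image load), 8 (CreateRemoteThread) and 11 (file create). Execution from %TEMP% and schtasks /create are noisy on their own; the value comes from seeing them in one process chain together with the dismcore.dll load from a user-writable path, which has no benign explanation.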

Summary

Ave Maria should be considered as serious a threat as any other RAT or ransomware. It relies on a DLL-hijacking UAC bypass that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the lack of any required user interaction to begin execution makes the chance of infection with this malware higher than average. The latest samples also show considerable advances over the first reports, so it is safe to assume that Ave Maria will be upgraded further.

This threat is fairly new, and information about Ave Maria RAT is still limited, which is all the more reason to use the advanced functions of the ANY.RUN malware hunting service to dissect the available samples. It is likely that we will hear about this malware again, and the better prepared we are then, the better.

IOCs

IP addresses
3.22.53.161
79.134.225.45
79.134.225.54
82.202.167.67
76.8.53.133
212.192.241.211
103.176.113.85
37.0.14.199
84.38.133.165
3.13.191.225
3.22.30.40
194.180.224.89
199.102.44.154
217.182.15.153
216.38.2.208
46.183.222.7
3.141.177.1
45.137.22.143
216.246.49.168
37.0.14.204
Hashes

Domains
googleapis2m.duckdns.org
susur2334.duckdns.org
2.tcp.ngrok.io
gratiyupo.ddnsfree.com
WindowsAuthentication324-49629.portmap.host
kingsdoggy12.hopto.org
booking.msg.bluhotels.com
ticket.ipv10.eu
3jkpvk2m8y.dattolocal.net
grace.adds-only.xyz
device-local-3193b8ff-0889-41c5-8fd6-67066f88b277.remotewd.com
majul.com
coolthingy.duckdns.org
dimitriv.duckdns.org
christs.duckdns.org
bushaka009.duckdns.org
eceda.duckdns.org
notmine.duckdns.org
doc5.duckdns.org

HAVE A LOOK AT

Adwind
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Agent Tesla
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Azorult
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Crimson RAT
Crimson is a Remote Access Trojan, malware used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistan-based cybergang that targets Indian military organizations to steal sensitive information.
Danabot
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Dharma
Dharma is advanced ransomware that has been observed in the wild since 2016. It is considered to be the second most profitable RaaS operation by the FBI. The malware targets hospitals and state organizations, encrypts files, and demands a payment to restore access to lost information.