Ave Maria

Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Attackers use it to control victims' PCs remotely and steal information from the infected machines. For example, they can remotely activate the webcam to take pictures of a victim and send them to a control server.

Type: Stealer
Origin: Unknown
First seen: 4 December, 2018
Last seen: 17 January, 2020
Also known as: AVE_MARIA, Warzone RAT
Global rank: 26
Week rank: 20
Month rank: 20
IOCs: 686

What is Ave Maria malware?

Ave Maria is a remote access Trojan, infostealer and keylogger. It is malware that attackers can use to gain remote control of the machines it infects. When researchers first discovered this Trojan it was thought to be rather simplistic; however, later samples turned out to contain advanced functions.

The malware is sold as a one- or three-month subscription and can be purchased openly from its developers, which is typical for this type of malware. Buyers can also purchase a dynamic DNS server from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. Although researchers believed the malware to be fairly simple when it was first discovered, it was later revealed to have advanced functions under the hood, such as privilege escalation and remote camera control.

Furthermore, the Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even relatively well-protected data such as credentials stored in Mozilla Firefox is not safe, despite the PK11 encryption that protects it.

However, some parts of the malware appear to be unfinished, which suggests that the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, that prospect is worrying.

The Ave Maria Trojan uses a DLL hijacking exploit that, at this point, has no foreseeable fix. It lets the malware escalate the privileges of a Windows process so that a malicious process gains administrative control of the infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.

Once the malware has gained this foothold, it downloads additional plugins and even other malware, such as Lokibot, to the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service displays the execution process of Ave Maria. Users can use this recording to take a deep dive into how the malware functions under the hood.

Figure 1: The graph of processes generated by the ANY.RUN malware hunting service.

Figure 2: ANY.RUN allows creating customizable text reports that contain detailed and well-structured information. This function is useful for making presentations.

Ave Maria malware execution process

The Ave Maria RAT execution process varies slightly from one version to another. Since the main distribution vector of this malware is malicious spam email campaigns, it usually exploits the CVE-2017-11882 (Microsoft Equation Editor) vulnerability, but it can infect a system in several other ways.

In the analysed sample, the malicious document is downloaded and the payload is executed through a macro. The malware then copies itself to the %temp% directory and runs from there. To establish persistence, the Ave Maria Trojan changes an autorun value in the registry and creates a scheduled task. For privilege escalation, the malware uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a malware instance with higher privileges. The malware also often injects into the explorer.exe process.

After all these steps, Ave Maria RAT starts its malicious activity: it logs keystrokes and other user activity to a file, establishes a connection with the C2 server, steals further data from the system, and so on.
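The execution chain above maps onto a handful of host-based detection rules. The following is an added example (not ANY.RUN's code and not derived from the sample itself) that runs those rules over constructed, Sysmon-style events. The Temp-directory path, the HKCU Run key, the scheduled-task command line, the Office parent process and the timestamp-named output file are assumptions modelled on the description; the one page-specific indicator is pkgmgr.exe loading a dismcore.dll from outside the Windows directory.

```python
import re

# Constructed telemetry modelled on the execution chain described on the page.
# Field names are Sysmon-like; paths and names are assumed, not taken from a real sample.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\victim\AppData\Local\Temp\images.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\images",   # assumed key
     "value": r"C:\Users\victim\AppData\Local\Temp\images.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\images.exe",
     "cmdline": '/create /tn "images" /tr "C:\\Users\\victim\\AppData\\Local\\Temp\\images.exe" /sc onlogon'},
    {"type": "image_load",                       # the DLL hijack the page describes
     "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\dismcore.dll"},
    {"type": "file_create",                      # keylog written by the injected explorer.exe
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\AppData\Roaming\03-01-20_14.22.07"},
    # Benign noise that the rules must not flag:
    {"type": "image_load",
     "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded": r"C:\Windows\System32\DismCore.dll"},
    {"type": "file_create",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Desktop\notes.txt"},
]

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
OFFICE_RE = re.compile(r"\\(winword|excel|powerpnt|eqnedt32)\.exe$", re.I)
# dd-mm-yy_hh.mm.ss, the file naming scheme the page attributes to the stolen-data files
STOLEN_FILE_RE = re.compile(r"^\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def check_event(ev):
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    t = ev["type"]
    if t == "process_create":
        if TEMP_RE.search(ev["image"]) and OFFICE_RE.search(ev.get("parent_image", "")):
            hits.append("office_spawns_temp_exe")
        cmd = ev.get("cmdline", "")
        if (basename(ev["image"]).lower() == "schtasks.exe"
                and "/create" in cmd.lower() and TEMP_RE.search(cmd)):
            hits.append("schtask_persistence_temp")
    elif t == "registry_set":
        if "\\currentversion\\run\\" in ev["key"].lower() and TEMP_RE.search(ev["value"]):
            hits.append("run_key_persistence_temp")
    elif t == "image_load":
        # pkgmgr.exe legitimately loads DismCore.dll from the Windows directory;
        # the same DLL name loaded from anywhere else is the hijack.
        if (basename(ev["image"]).lower() == "pkgmgr.exe"
                and basename(ev["loaded"]).lower() == "dismcore.dll"
                and not WINDOWS_DIR_RE.match(ev["loaded"])):
            hits.append("pkgmgr_dismcore_hijack")
    elif t == "file_create":
        if STOLEN_FILE_RE.match(basename(ev["target"])):
            hits.append("timestamp_named_log_file")
    return hits


def scan(events):
    """Run every rule over every event; returns (event_index, rule_name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own is a weak signal (scheduled tasks and Run keys are created legitimately all the time); the value is in the sequence, so a real deployment would correlate these hits by process tree and alert when several fire within one chain.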

Distribution of Ave Maria malware

Ave Maria, like many other RATs, is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques, tailoring the emails to each targeted segment of potential victims more closely than typical email spam does.

The danger of the Ave Maria RAT distribution method, combined with tailored campaigns, lies in the fact that neither macros nor any user interaction is needed once the victim has downloaded the malicious document. The infection often begins with a Microsoft Equation Editor exploit carried by an embedded object contained in the downloaded document.

How to detect Ave Maria malware using ANY.RUN?

Ave Maria malware steals information offline, which means it saves the collected data locally on the infected system. To find out what information was stolen by Ave Maria RAT, look inside the files it creates using "Static Discovering". These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click its name.

Figure 3: Information stolen by Ave Maria

Summary

Ave Maria malware should be considered a serious threat to cybersecurity. It utilizes a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the lack of any need for user interaction to begin execution makes the chance of infection with this malware higher than average. We should also add that the latest samples of the malware show significant advancements compared to the first reports. It is safe to assume that Ave Maria will be upgraded further down the line.

This threat is fairly new, and there is currently limited information about Ave Maria RAT. That is all the more reason to use the advanced functions of the ANY.RUN malware hunting service to dissect the available samples. Unfortunately, we must admit that we are likely to hear about this malware again, and the more prepared we are then, the better.

IOCs

IP addresses
79.134.225.29
193.161.193.99
23.227.207.135
185.140.53.135
79.134.225.93
79.134.225.70
79.134.225.105
185.140.53.27
185.29.10.108
91.218.65.24
185.19.85.177
79.134.225.103
185.19.85.147
91.189.180.211
185.244.30.160
79.134.225.110
79.134.225.92
94.103.82.165
79.134.225.10
79.134.225.85
Hashes

Domains
fucktoto.duckdns.org
top.citycentrejo.waw.pl
benzkartel.duckdns.org
samuelcity.ddns.net
majul.com
isns.net
vemvemserver.duckdns.org
papa.redirectme.net
meol3555-33874.portmap.host
info1.duckdns.org
googleman.duckdns.org
moran101.duckdns.org
smartcoonect.duckdns.org
duc1234.duckdns.org
onelove03.duckdns.org
westernautoweb.duckdns.org
sciano.duckdns.org
money1234.duckdns.org
tcheck.ddns.net
elx01.knas.systems
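The IP and domain indicators listed above are most useful when matched against DNS or proxy logs. The following is an added example, not ANY.RUN's code, that loads the page's own IOC list, parses a few constructed DNS log lines (the log format, client addresses and benign names are assumptions), and classifies each line. Exact IOC hits are reported as high confidence; queries for names under the dynamic-DNS providers that appear in the IOC list are reported only as low-confidence hunting leads, since the page notes that operators rent dynamic DNS from the malware's distributor but such providers also have plenty of legitimate users. A small helper groups the IOC IPs by /24 so an analyst can see which ranges recur.

```python
import ipaddress
import re
from collections import Counter

# IOC IPs and domains copied from the page's IOC section.
IOC_IPS = {
    "79.134.225.29", "193.161.193.99", "23.227.207.135", "185.140.53.135",
    "79.134.225.93", "79.134.225.70", "79.134.225.105", "185.140.53.27",
    "185.29.10.108", "91.218.65.24", "185.19.85.177", "79.134.225.103",
    "185.19.85.147", "91.189.180.211", "185.244.30.160", "79.134.225.110",
    "79.134.225.92", "94.103.82.165", "79.134.225.10", "79.134.225.85",
}
IOC_DOMAINS = {
    "fucktoto.duckdns.org", "top.citycentrejo.waw.pl", "benzkartel.duckdns.org",
    "samuelcity.ddns.net", "majul.com", "isns.net", "vemvemserver.duckdns.org",
    "papa.redirectme.net", "meol3555-33874.portmap.host", "info1.duckdns.org",
    "googleman.duckdns.org", "moran101.duckdns.org", "smartcoonect.duckdns.org",
    "duc1234.duckdns.org", "onelove03.duckdns.org", "westernautoweb.duckdns.org",
    "sciano.duckdns.org", "money1234.duckdns.org", "tcheck.ddns.net",
    "elx01.knas.systems",
}
# Dynamic-DNS providers that occur in the IOC list; a query for any name under them
# is only a weak signal on its own.
DYN_DNS_SUFFIXES = ("duckdns.org", "ddns.net", "redirectme.net", "portmap.host")

# Assumed log format (constructed for this example): ts client query answer
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$")

# Constructed sample log; client and benign addresses use documentation ranges.
SAMPLE_DNS_LOG = """\
2020-01-17T10:01:02Z client=192.0.2.10 query=googleman.duckdns.org answer=79.134.225.29
2020-01-17T10:01:05Z client=192.0.2.11 query=www.example.com answer=93.184.216.34
2020-01-17T10:02:17Z client=192.0.2.12 query=update.somecorp.internal answer=185.140.53.27
2020-01-17T10:03:44Z client=192.0.2.13 query=myhome.duckdns.org answer=203.0.113.5
2020-01-17T10:04:09Z client=192.0.2.10 query=elx01.knas.systems. answer=91.218.65.24
this line is not in the expected format
"""


def match_ioc_domain(qname):
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    q = qname.rstrip(".").lower()
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def classify(line):
    """Classify one log line: (confidence, reason, client, qname) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, qname, answer = m["client"], m["qname"].rstrip(".").lower(), m["answer"]
    if match_ioc_domain(qname):
        return ("high", "ioc_domain", client, qname)
    if answer in IOC_IPS:
        return ("high", "ioc_ip", client, qname)
    if qname.endswith(DYN_DNS_SUFFIXES):
        return ("low", "dynamic_dns_provider", client, qname)
    return None


def scan_log(text):
    """Return every non-None classification, in log order."""
    return [c for c in (classify(l) for l in text.splitlines()) if c]


def ioc_ip_clusters():
    """Count IOC IPs per /24 network, most common first."""
    nets = Counter(str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in IOC_IPS)
    return nets.most_common()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_DNS_LOG):
        print(hit)
    print(ioc_ip_clusters())
```

The third sample line shows why the resolved address is checked as well as the name: the query name is unremarkable, but the answer is an IOC IP, which a name-only blocklist would miss.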
