Ave Maria

Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Attackers use it to remotely control the PCs of their victims and steal information from them. For example, they can remotely activate the camera to take pictures of a victim and send them to a command-and-control server.

Type: Stealer
Origin: Unknown
First seen: 4 December, 2018
Last seen: 16 April, 2021
Also known as: AVE_MARIA, Warzone RAT
Global rank: 23
Week rank: 12
Month rank: 16
IOCs: 3397

What is Ave Maria malware?

Ave Maria is a remote access Trojan, infostealer, and keylogger. It is malware that attackers can use to gain remote control of the machines it infects. When researchers first discovered this Trojan, it was thought to be rather simplistic. However, later samples turned out to have surprisingly advanced functions.

The malware is sold as a one- or three-month subscription and can be freely purchased from its authors, which is typical for this type of malware. Buyers can also purchase a dynamic DNS server from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. Although researchers believed the malware to be fairly simple when it was first discovered, it was later revealed to have advanced functions under its hood, such as privilege escalation and remote camera control.

Furthermore, the Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even well-protected information such as credentials stored in Mozilla Firefox is not safe, despite the PK11 encryption used to protect them.

However, some parts of the malware appear to be unfinished, and it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, this prospect is worrying.

The Ave Maria Trojan uses a DLL hijacking exploit that, at this point, doesn't have a foreseeable fix. It allows the malware to escalate the privileges of a Windows process and lets a malicious process gain administrative control of an infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.

Once the malware achieves this initial goal, it downloads additional plugins and even other malware, such as Lokibot, to the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service shows the execution process of Ave Maria. Users can use this information to take a deep dive into how this malware functions under the hood.

Figure 1: Shows the graph of processes generated by the ANY.RUN malware hunting service.

Figure 2: ANY.RUN allows creating customizable text reports that contain detailed and nicely structured information. This function is perfect for making presentations.

Ave Maria malware execution process

The Ave Maria RAT execution process can vary slightly from one version to another. Since the main distribution vector of this malware is malicious spam email campaigns, it usually exploits the CVE-2017-11882 (Microsoft Equation Editor) vulnerability, but it can infect a system in several other ways.

In the analyzed sample, the malicious document is downloaded and the payload is executed through a macro. Then, the malware copies itself to the %temp% directory and runs from there. To establish persistence, the Ave Maria Trojan changes the autorun value in the registry and creates a scheduled task. For privilege escalation, the malware uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a malware instance with higher privileges. The malware also often injects into the explorer.exe process.

After all these steps, the Ave Maria RAT starts its malicious activity: it runs its keylogging function and saves all keystrokes and other user activity to a file, establishes a connection with the C2 server, steals more data from the system, and so on.
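The execution chain above maps onto a handful of telemetry events a defender can alert on. The following is an added example (not ANY.RUN's code) that runs simple detection rules over constructed, Sysmon-style events: an Office application spawning an executable from the user's Temp folder, that executable setting a Run-key autorun value, pkgmgr.exe loading a dismcore.dll from outside the Windows directory, and a remote thread being created in explorer.exe. The event field names and the sample events are assumptions made for the example.

```python
# Constructed, simplified Sysmon-style events (not real telemetry). Event ids follow
# Sysmon: 1 = process create, 7 = image load, 8 = CreateRemoteThread, 13 = registry set.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\images.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"id": 13, "image": r"C:\Users\bob\AppData\Local\Temp\images.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\images"},
    {"id": 7, "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\dismcore.dll"},
    {"id": 8, "image": r"C:\Users\bob\AppData\Local\Temp\images.exe",
     "target": r"C:\Windows\explorer.exe"},
    # A load from the Windows directory is treated as legitimate and must not fire.
    {"id": 7, "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded": r"C:\Windows\System32\Dism\dismcore.dll"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
WINDIR = "c:\\windows\\"
TEMP_DIR = "\\appdata\\local\\temp\\"


def detect(events):
    """Return (rule_name, event) pairs for events matching the Ave Maria behaviours."""
    hits = []
    for ev in events:
        image = ev["image"].lower()
        if ev["id"] == 1:
            # Office spawning an executable that lives in the user's Temp folder.
            if ev["parent"].lower().endswith(OFFICE_APPS) and TEMP_DIR in image:
                hits.append(("office_spawns_temp_exe", ev))
        elif ev["id"] == 13:
            # A Temp-resident binary registering itself under the Run key.
            if "\\currentversion\\run\\" in ev["target"].lower() and TEMP_DIR in image:
                hits.append(("temp_exe_sets_autorun", ev))
        elif ev["id"] == 7:
            # The auto-elevating pkgmgr.exe loading dismcore.dll from a non-Windows path.
            loaded = ev["loaded"].lower()
            if (image.endswith("\\pkgmgr.exe") and loaded.endswith("\\dismcore.dll")
                    and not loaded.startswith(WINDIR)):
                hits.append(("pkgmgr_dismcore_hijack", ev))
        elif ev["id"] == 8:
            # Remote thread from a Temp-resident binary into explorer.exe (injection).
            if ev["target"].lower().endswith("\\explorer.exe") and TEMP_DIR in image:
                hits.append(("remote_thread_into_explorer", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, "<-", ev["image"])
```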

Distribution of Ave Maria malware

Ave Maria, like many other RATs, is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques, which means that they tailor the emails to each targeted segment of potential victims more closely than in typical email spam.

The danger of the Ave Maria RAT distribution method, combined with tailored campaigns, lies in the fact that no macros and no further user interaction are needed once the victim has downloaded the malicious document. The infection often begins with a Microsoft Equation Editor exploit triggered by an embedded object contained in the downloaded document.

How to detect Ave Maria malware using ANY.RUN?

Ave Maria malware performs its information stealing offline, which means that it saves the collected data locally on the infected system. To find out what information was stolen by the Ave Maria RAT, take a look inside the files it creates using the "Static Discovering" feature. These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, just click on its name.
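When triaging an infected host, the dd-mm-yy_hh.mm.ss naming scheme mentioned above is enough to pick the malware's capture files out of a directory listing and order them by the time they were written. This is an added example, not ANY.RUN's code; the directory listing is constructed, and allowing an optional file extension after the timestamp is an assumption.

```python
import re
from datetime import datetime

# Timestamp-named capture file, optionally followed by an extension (assumption).
CAPTURE_NAME_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2})(?:\.[A-Za-z0-9]+)?$"
)


def parse_capture_name(name):
    """Return the datetime encoded in an Ave Maria capture file name, or None.

    The regex only checks the shape; strptime rejects impossible field values
    such as day 32 or month 13, so look-alike names do not slip through.
    """
    m = CAPTURE_NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group("ts"), "%d-%m-%y_%H.%M.%S")
    except ValueError:
        return None


def find_capture_files(listing):
    """Return the capture files in a directory listing, oldest first."""
    found = []
    for name in listing:
        ts = parse_capture_name(name)
        if ts is not None:
            found.append((ts, name))
    return [name for _, name in sorted(found)]


# Constructed sample listing of a %temp%-like directory.
SAMPLE_LISTING = [
    "16-04-21_09.12.33", "notes.txt", "04-12-18_23.59.01",
    "32-13-21_00.00.00", "16-04-21_09.12.33.bak", "desktop.ini",
]

if __name__ == "__main__":
    for name in find_capture_files(SAMPLE_LISTING):
        print(parse_capture_name(name).isoformat(), name)
```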

Figure 3: Information stolen by Ave Maria

Summary

Ave Maria malware should be considered a serious cybersecurity threat. It utilizes a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the lack of any need for user interaction to begin execution makes the chance of infection with this malware higher than average. We should also add that the latest samples of the malware showed a lot of advancements compared to the first reports. It is safe to assume that Ave Maria will be upgraded further down the line.

This threat is fairly new, and right now there is limited information about the Ave Maria RAT. All the more reason to use the advanced functions provided by the ANY.RUN malware hunting service and dissect the available samples. Unfortunately, it is likely that we will hear about this malware again, and the more prepared we are then, the better.

IOCs

