Ave Maria

Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.

Type: Stealer
Origin: Unknown
First seen: 4 December 2018
Last seen: 23 October 2021
Also known as: AVE_MARIA, Warzone RAT
Global rank: 24
Week rank: 18
Month rank: 14
IOCs: 4902

What is Ave Maria malware?

Ave Maria is a remote access Trojan, infostealer, and keylogger. Attackers use it to gain remote control of the machines it infects. When researchers first discovered this Trojan, it was thought to be rather simplistic; later samples, however, turned out to carry surprisingly advanced functions.

The malware is sold as a one- or three-month subscription and can be openly purchased from its authors, which is typical for this type of malware. Buyers can also purchase a dynamic DNS server from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. When it was first discovered, researchers believed that the malware was fairly simple and would not follow the same trajectory as Ryuk ransomware. Later analysis revealed that it has advanced functions under the hood, such as privilege escalation and remote camera control.

According to the analysis, the Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even well-protected information, such as credentials stored in Mozilla Firefox, is not safe despite the PK11 encryption used to protect it.

However, some parts of the malware appear to be unfinished, and it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, that prospect is worrying.

The Ave Maria Trojan uses a DLL hijacking exploit for which, at this point, no fix is foreseeable. It lets the malware escalate the privileges of a Windows process so that a malicious process gains administrative control of the infected machine. Unfortunately, the malware is also capable of evading detection on many target machines.

Once the malware achieves this initial goal, it downloads additional plugins and even other malware families, such as Lokibot, to the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service shows the execution process of Ave Maria. Users can use this recording to perform a deep analysis of how the malware functions under the hood.

Figure 1: Ave Maria execution process graph, as generated by the ANY.RUN malware hunting service.

Figure 2: Text report of the Ave Maria analysis. ANY.RUN allows creating customizable text reports that contain detailed and nicely structured information. This function is perfect for making presentations.

Ave Maria malware execution process

Based on the analysis, the Ave Maria RAT execution process varies slightly from one version to another. Since the main distribution vector of this malware is malicious spam email campaigns, it usually exploits the CVE-2017-11882 (Microsoft Equation Editor) vulnerability, but it can infect a system in several other ways.

In the analyzed sample, the malicious document is downloaded and its payload is executed through a macro. The malware then copies itself to the %temp% directory and runs from there. The Ave Maria Trojan changes an autorun value in the registry and creates a scheduled task to establish persistence. For privilege escalation, it uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a new malware instance with higher privileges. The malware also often injects into the explorer.exe process.

After all these steps, the Ave Maria RAT starts its malicious activity: its keylogger saves all keystrokes and other user activity into a file, it establishes a connection with the C2 server, steals more data from the system, and so on.

Distribution of Ave Maria malware

Like many other RATs and ransomware, Ave Maria is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques to tailor the emails to suit each targeted segment of potential victims more closely than in typical email spam.

The danger of the Ave Maria distribution method, combined with tailored campaigns, lies in the fact that no macros and no further user interaction are needed once the victim has downloaded the malicious document. The infection often begins with a Microsoft Equation Editor exploit triggered by an embedded object contained in the downloaded document.

How to detect Ave Maria malware using ANY.RUN?

Unlike ransomware, Ave Maria steals information offline, which means it first saves the collected data locally on the infected system. To see what information was stolen by the Ave Maria RAT, look inside the files it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on its name and start the analysis.

Figure 3: Information stolen by Ave Maria.
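The execution-process description above (execution from %temp%, Run-key and scheduled-task persistence, the pkgmgr.exe/dismcore.dll hijack) and the dd-mm-yy_hh.mm.ss keylog file names can be turned into simple detection logic. The following is an added example, not ANY.RUN's code; the event records and paths are constructed in a simplified Sysmon-like shape, and the location of the legitimate dismcore.dll under C:\Windows is an assumption.

```python
import re

# Constructed sample telemetry (not real events) mimicking the behaviour the page describes.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\victim\AppData\Local\Temp\images.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "registry_set", "image": r"C:\Users\victim\AppData\Local\Temp\images.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\images"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\images.exe"},
    {"type": "image_load", "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\dismcore.dll"},
    # Assumed-legitimate load from inside the Windows directory: must NOT be flagged.
    {"type": "image_load", "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded": r"C:\Windows\System32\Dism\dismcore.dll"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\AppData\Roaming\05-03-21_14.22.07"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Keylog artifact names in the dd-mm-yy_hh.mm.ss format mentioned on the page.
LOG_NAME_RE = re.compile(r"\\\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}$")


def analyze(events):
    """Return (rule, detail) findings for Ave Maria-like behaviour in the events."""
    findings = []
    for e in events:
        img = e["image"].lower()
        if e["type"] == "process_create" and TEMP_RE.search(e["image"]):
            findings.append(("exec_from_temp", e["image"]))
        if (e["type"] == "process_create" and img.endswith("\\schtasks.exe")
                and TEMP_RE.search(e["parent"])):
            findings.append(("schtask_from_temp", e["parent"]))
        if e["type"] == "registry_set" and RUN_KEY_RE.search(e["target"]):
            findings.append(("run_key_persistence", e["target"]))
        # DLL hijack: pkgmgr.exe pulling dismcore.dll from outside the Windows directory.
        if (e["type"] == "image_load" and img.endswith("\\pkgmgr.exe")
                and e["loaded"].lower().endswith("\\dismcore.dll")
                and not e["loaded"].lower().startswith("c:\\windows\\")):
            findings.append(("pkgmgr_dll_hijack", e["loaded"]))
        if e["type"] == "file_create" and LOG_NAME_RE.search(e["target"]):
            findings.append(("keylog_artifact", e["target"]))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```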

Summary

Ave Maria should be considered as serious a cybersecurity threat as other RATs or ransomware. It utilizes a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the absence of any need for user interaction to begin execution makes the chance of infection with this malware larger than average. We should also add that the latest samples of the malware show many advancements compared to the first reports. It is safe to assume that Ave Maria will be upgraded further down the line.

This threat is fairly new, and right now there is limited information about the Ave Maria RAT. That is all the more reason to use the advanced functions provided by the ANY.RUN malware hunting service to dissect the available samples. Unfortunately, we must admit that we will likely hear about this malware again, and the more prepared we are then, the better.

IOCs

