Ave Maria

Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Attackers use it to control victims' PCs remotely and steal information from the infected machines. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.

Type: Stealer
Origin: Unknown
First seen: 4 December, 2018
Last seen: 20 October, 2020
Also known as: AVE_MARIA, Warzone RAT
Global rank: 23
Week rank: 10
Month rank: 18
IOCs: 2312

What is Ave Maria malware?

Ave Maria is a remote access Trojan, infostealer and keylogger. It is malware that attackers can use to gain remote control of the machines it infects. When researchers first discovered this Trojan it was thought to be rather simplistic; however, later samples turned out to have advanced functions.

The malware is sold as a one- or three-month subscription and can be purchased openly from the attackers, which is typical for this type of malware. Buyers can also purchase a dynamic DNS server from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. Although researchers believed the malware was fairly simple when it was first discovered, it was later revealed that it has advanced functions under the hood, such as privilege escalation and remote camera control.

Furthermore, the Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even well-protected information such as credentials stored in Mozilla Firefox is not safe, despite the PK11 encryption Firefox applies to them.

However, some parts of the malware appear to be unfinished, which may suggest that the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, this idea is nothing but worrying.

The Ave Maria Trojan uses a DLL hijacking technique that at this point has no foreseeable fix. It allows the malware to escalate the privileges of a Windows process so that a malicious process gains administrative control of the infected machine. Unfortunately, the malware is also capable of evading detection on many target machines.

Once the malware achieves this initial goal, it downloads additional plugins and even other malware such as Lokibot to the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service displays the execution process of Ave Maria. Users can use this recording to take a deep dive into how the malware functions under the hood.

Figure 1: Graph of the processes generated by the ANY.RUN malware hunting service.

Figure 2: ANY.RUN allows creating customizable text reports that contain detailed and well-structured information. This function is ideal for preparing presentations.

Ave Maria malware execution process

The Ave Maria RAT execution process can vary a little from one version to another. Since the main distribution vector of this malware is malicious spam email campaigns, it usually exploits the CVE-2017-11882 (Microsoft Equation Editor) vulnerability, but it can infect a system in several other ways.

In the analysed sample, the malicious document is downloaded and executed through a macro. The malware then copies itself to the %temp% directory and runs from there. To establish persistence, the Ave Maria Trojan changes the autorun value in the registry and creates a scheduled task. For privilege escalation, the malware uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a malware instance with higher privileges. The malware also often injects into the explorer.exe process.

After all these steps, the Ave Maria RAT starts its malicious activity: the keylogger function saves all keystrokes and other user activity into a file, the malware establishes a connection with the C2 server, steals more data from the system, and so on.
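The chain described above (executable copied to %temp%, Run-key autorun, scheduled task, pkgmgr.exe loading a dismcore.dll from outside the system directory, and injection into explorer.exe) maps naturally onto endpoint telemetry. The following is an added detection example, not ANY.RUN's code and not part of the original write-up: it runs a handful of rules over constructed Sysmon-style event records (process create, registry set, image load, CreateRemoteThread) and reports which stages of the chain were observed. The event field names, the sample file name images.exe and the benign DismCore location under System32\Dism are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not real telemetry). "id" mirrors the
# Sysmon event ID: 1 process create, 7 image load, 8 CreateRemoteThread,
# 13 registry value set. The last event is benign noise to show the
# side-loading rule does not fire on a DLL loaded from the system path.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Users\bob\AppData\Local\Temp\images.exe",
     "parent": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"},
    {"id": "13", "image": r"C:\Users\bob\AppData\Local\Temp\images.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\images",
     "details": r"C:\Users\bob\AppData\Local\Temp\images.exe"},
    {"id": "1", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\images.exe",
     "cmdline": "schtasks /create /sc minute /mo 1 /tn images "
                "/tr C:\\Users\\bob\\AppData\\Local\\Temp\\images.exe"},
    {"id": "7", "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\dismcore.dll"},
    {"id": "8", "image": r"C:\Users\bob\AppData\Local\Temp\images.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"id": "7", "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded": r"C:\Windows\System32\Dism\dismcore.dll"},  # assumed benign path
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_RE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for every event matching a stage
    of the Ave Maria execution chain described in the write-up."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        eid = e["id"]
        img = e.get("image", "")
        # Stage 1: Office spawns an executable that lives in %temp%.
        if eid == "1" and TEMP_RE.search(img) and "WINWORD" in e.get("parent", "").upper():
            hits.append(("office_spawned_temp_exe", img))
        # Stage 2a: autorun value in the Run key points into %temp%.
        if eid == "13" and RUN_KEY_RE.search(e.get("target", "")) and TEMP_RE.search(e.get("details", "")):
            hits.append(("run_key_points_to_temp", e["target"]))
        # Stage 2b: scheduled task created whose action is a %temp% binary.
        cmd = e.get("cmdline", "")
        if eid == "1" and img.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower() and TEMP_RE.search(cmd):
            hits.append(("schtasks_to_temp", cmd))
        # Stage 3: pkgmgr.exe loads a dismcore.dll from outside the system directory.
        loaded = e.get("loaded", "")
        if eid == "7" and img.lower().endswith("\\pkgmgr.exe") and loaded.lower().endswith("\\dismcore.dll") and not SYSTEM_RE.match(loaded):
            hits.append(("pkgmgr_sideload_dismcore", loaded))
        # Stage 4: a non-Windows binary creates a remote thread in explorer.exe.
        if eid == "8" and e.get("target", "").lower().endswith("\\explorer.exe") and not img.lower().startswith("c:\\windows\\"):
            hits.append(("remote_thread_into_explorer", img))
    return hits


def chain_score(hits: List[Tuple[str, str]]) -> int:
    """Number of distinct chain stages seen; three or more on one host is a
    strong signal that the full Ave Maria pattern, not a lone anomaly, occurred."""
    return len({rule for rule, _ in hits})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, evidence in found:
        print(f"{rule:30s} {evidence}")
    print("distinct stages:", chain_score(found))
```

Each rule is deliberately narrow (path plus process plus action) so that legitimate use of schtasks.exe or pkgmgr.exe does not fire it; correlating the stages per host, as chain_score does, is what turns individually weak signals into a confident verdict.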

Distribution of Ave Maria malware

Ave Maria, like many other RATs, is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques, meaning that they tailor the emails to each targeted segment of potential victims more closely than in typical email spam.

The danger of the Ave Maria RAT distribution method, together with these tailored campaigns, lies in the fact that no macros and no further user interaction are needed after the victim downloads the malicious document. The infection often begins through a Microsoft Equation Editor exploit carried by an embedded object contained in the downloaded document.

How to detect Ave Maria malware using ANY.RUN?

Ave Maria malware performs its information stealing offline, which means it saves the collected data locally on the infected system. To find out what information was stolen by the Ave Maria RAT, look inside the files it creates using "Static Discovering". These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, just click on the file's name.

Figure 3: Information stolen by Ave Maria.
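The dd-mm-yy_hh.mm.ss naming convention mentioned above is something a responder can hunt for directly when triaging a host image or a sandbox file dump offline. The following is an added example, not part of the original page and not ANY.RUN's code: it validates candidate file names against that pattern (including rejecting impossible dates that a bare regex would accept), orders the matches chronologically, and wraps the same check in a directory walk. The sample names are constructed, and the optional file extension is an assumption.

```python
import os
import re
from datetime import datetime
from typing import List, Tuple

# dd-mm-yy_hh.mm.ss with an optional extension; the strptime check below
# rejects names such as 31-02-19_10.00.00 that only look like a timestamp.
NAME_RE = re.compile(r"^(\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2})(\.[A-Za-z0-9]+)?$")
TIMESTAMP_FMT = "%d-%m-%y_%H.%M.%S"

# Constructed sample listing mixing real-looking loot names with noise.
SAMPLE_NAMES: List[str] = [
    "readme.txt",
    "05-11-20_09.15.44.log",
    "19-02-19_14.03.27",
    "31-02-19_10.00.00",      # matches the regex but is not a valid date
    "2019-02-19_14.03.27",    # wrong field order, must not match
    "images.exe",
]


def parse_loot_name(name: str):
    """Return the datetime encoded in a dd-mm-yy_hh.mm.ss file name, or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), TIMESTAMP_FMT)
    except ValueError:
        return None


def find_loot_files(names: List[str]) -> List[str]:
    """Filter a list of file names down to valid timestamp-named files,
    ordered from oldest to newest so the collection timeline is obvious."""
    dated: List[Tuple[datetime, str]] = []
    for name in names:
        ts = parse_loot_name(name)
        if ts is not None:
            dated.append((ts, name))
    return [name for _, name in sorted(dated)]


def scan_directory(root: str) -> List[str]:
    """Walk a directory tree (e.g. an extracted %temp% from a disk image)
    and return full paths of timestamp-named files, oldest first."""
    found: List[Tuple[datetime, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ts = parse_loot_name(name)
            if ts is not None:
                found.append((ts, os.path.join(dirpath, name)))
    return [path for _, path in sorted(found)]


if __name__ == "__main__":
    for name in find_loot_files(SAMPLE_NAMES):
        print(parse_loot_name(name).isoformat(), name)
```

Validating with strptime rather than the regex alone matters in practice: responders routinely grep for the pattern and end up opening files that merely resemble the convention, while the chronological ordering tells you when the keylogger started writing and therefore which user sessions are exposed.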

Summary

Ave Maria malware should be considered a serious cybersecurity threat. It exploits a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the lack of any need for user interaction to begin execution makes the chance of infection with this malware larger than average. We should also add that the latest samples of the malware show many advancements compared to the first reports. It is safe to assume that Ave Maria will be upgraded further down the line.

This threat is fairly new, and right now there is limited information about the Ave Maria RAT. That is all the more reason to use the advanced functions provided by the ANY.RUN malware hunting service and dissect the available samples. Unfortunately, we must admit that we are likely to hear about this malware again, and the more prepared we are then, the better.

IOCs

IP addresses
94.158.245.3
3.131.147.49
193.161.193.99
95.168.173.176
3.22.30.40
3.131.123.134
13.59.15.185
79.134.225.93
3.13.191.225
79.134.225.92
79.134.225.97
150.242.14.61
79.134.225.71
79.134.225.115
103.199.17.61
192.236.249.173
201.97.121.207
185.165.153.108
79.134.225.85
Hashes

Domains
2.tcp.ngrok.io
bigshazza-20890.portmap.io
ziperd-48946.portmap.io
kubar-44613.portmap.io
zoroark-51867.portmap.host
DarlingSH-37506.portmap.host
jorankh-31689.portmap.host
jorankh-34614.portmap.host
toxete5095-30806.portmap.io
eclipseelisa7-25341.portmap.io
Mattrevwizard-43846.portmap.host
Kupcia-53901.portmap.io
Amazonsupport-58169.portmap.host
dovydas560-41641.portmap.io
ratergod-43995.portmap.host
167e-35300.portmap.io
mcnova10-32892.portmap.host
TonyChocolony-31151.portmap.host
tester894-49756.portmap.host
Crabshrimp-58382.portmap.host
