Ave Maria

Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Attackers use it to control their victims' PCs remotely and to steal information from the infected machines. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.

Type: Stealer
Origin: Unknown
First seen: 4 December, 2018
Last seen: 5 October, 2022
Also known as: AVE_MARIA, Warzone RAT
Global rank: 22
Week rank: 15
Month rank: 15
IOCs: 6811

What is Ave Maria malware?

Ave Maria is a remote access Trojan, infostealer, and keylogger. It is malware that attackers can use to gain remote control of the machines it infects. When researchers first discovered this Trojan, they thought it rather simplistic; later samples, however, turned out to include advanced functions.

The malware is sold as a one- or three-month subscription and can be bought openly from its authors, which is typical for this type of malware. Buyers can also purchase a dynamic DNS service from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. When it was first discovered, researchers believed the malware to be fairly simple and unlikely to repeat the story of Ryuk ransomware. Later analysis revealed that it has advanced functions under its hood, such as privilege escalation and remote camera control.

According to the analysis, the Ave Maria Trojan can steal a wide range of data from infected machines. Even well-protected information such as credentials stored in Mozilla Firefox is not safe, despite the PK11 encryption that protects them.

However, some parts of the malware appear unfinished, and the authors seem to be still expanding its functionality. Considering how effective this RAT already is, that prospect is worrying.

The Ave Maria Trojan uses a DLL hijacking exploit for which, at this point, no fix is foreseeable. It lets the malware escalate the privileges of a Windows process so that a malicious process gains administrative control of the infected machine. Unfortunately, the malware is also capable of evading detection on many target machines.

Once the malware achieves this initial goal, it downloads additional plugins and even other malware, such as Lokibot, onto the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service shows the execution process of Ave Maria. Analysts can use this information to perform a deep analysis of how the malware works under the hood.

Figure 1: Process graph of Ave Maria generated by the ANY.RUN malware hunting service.

Figure 2: Text report of the Ave Maria analysis. ANY.RUN allows creating customizable text reports that contain detailed and well-structured information, which is convenient for presentations.

Ave Maria malware execution process

Based on the analysis, the execution process of the Ave Maria RAT varies slightly from one version to another. Since the main distribution vector of this malware is malicious spam email campaigns, it usually exploits the CVE-2017-11882 (Microsoft Equation Editor) vulnerability, but it can infect a system in several other ways.

In the analyzed sample, the malicious document is downloaded and its macro executes the payload. The malware then copies itself into the %temp% directory and runs from there. To establish persistence, the Ave Maria Trojan changes an autorun value in the registry and creates a scheduled task. For privilege escalation, it uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a malware instance with higher privileges. The malware also often injects into the explorer.exe process.

After these steps, the Ave Maria RAT begins its malicious activity: its keylogger saves all keystrokes and other user activity to a file, it establishes a connection with the C2 server, steals more data from the system, and so on.

Distribution of Ave Maria malware

Like Revenge, Glupteba and many other RATs and ransomware families, Ave Maria is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques to tailor the emails to each targeted segment of potential victims more closely than typical email spam does.

The danger of this distribution method, combined with tailored campaigns, lies in the fact that neither macros nor further user interaction are needed once the victim has downloaded the malicious document. The infection often begins with a Microsoft Equation Editor exploit triggered by an embedded object in the downloaded document.

How to detect Ave Maria malware using ANY.RUN?

Unlike ransomware, Ave Maria steals information offline, saving the collected data locally on the infected system. To see what information the Ave Maria RAT has stolen, look inside the files it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on its name and start the analysis.

Figure 3: Information stolen by Ave Maria.
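The behaviours listed in the execution-process section above (payload run from %temp%, autorun registry value, scheduled task, pkgmgr.exe loading dismcore.dll, injection into explorer.exe) and the dd-mm-yy_hh.mm.ss naming of the files that hold stolen data can be turned into simple detection rules. The following Python script is an added example, not ANY.RUN's code and not part of the original analysis; it runs those rules over a handful of constructed Sysmon-style events. The field names (event_id, image, parent_image, command_line, target, loaded_image, target_image), the sample paths and the legitimate location of dismcore.dll under C:\Windows are assumptions made for this example.

```python
"""Detection rules for the Ave Maria / Warzone RAT behaviours described above.

Added example, not ANY.RUN's code. Events are constructed, Sysmon-style
dictionaries; the field names used here are assumptions for this example.
Sysmon event IDs: 1 process create, 7 image load, 8 CreateRemoteThread,
11 file create, 13 registry value set.
"""
import re
from datetime import datetime

# Constructed sample events (not taken from a real capture).
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"C:\Users\u\AppData\Local\Temp\invoice.exe"},
    {"event_id": 13, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\invoice"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "command_line": r'schtasks.exe /create /sc minute /tn "Updater" /tr C:\Users\u\AppData\Local\Temp\invoice.exe'},
    {"event_id": 7, "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded_image": r"C:\Users\u\AppData\Local\Temp\dismcore.dll"},
    {"event_id": 8, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"event_id": 11, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "target": r"C:\Users\u\AppData\Roaming\03-12-22_14.05.31"},
    # Benign noise: pkgmgr.exe loading a DLL from under C:\Windows (assumed
    # legitimate location) and an ordinary document being written.
    {"event_id": 7, "image": r"C:\Windows\System32\pkgmgr.exe",
     "loaded_image": r"C:\Windows\System32\Dism\dismcore.dll"},
    {"event_id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\u\Documents\report-2022.docx"},
]

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.I)
# Document handlers that should not normally spawn executables from %temp%;
# EQNEDT32.EXE is the Equation Editor process behind CVE-2017-11882.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "eqnedt32.exe")
KEYLOG_NAME_RE = re.compile(r"^\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def from_temp(path):
    return bool(TEMP_RE.search(path))


def is_keylog_name(name):
    """dd-mm-yy_hh.mm.ss: regex plus a calendar check to cut false positives."""
    if not KEYLOG_NAME_RE.match(name):
        return False
    try:
        datetime.strptime(name, "%d-%m-%y_%H.%M.%S")
        return True
    except ValueError:
        return False


def classify(ev):
    """Return the name of the first matching rule for one event, or None."""
    eid = ev["event_id"]
    image = ev.get("image", "")
    if eid == 1 and from_temp(image) and basename(ev.get("parent_image", "")) in OFFICE_PARENTS:
        return "office_spawned_temp_exe"
    if (eid == 1 and basename(image) == "schtasks.exe"
            and "/create" in ev.get("command_line", "").lower()
            and from_temp(ev.get("parent_image", ""))):
        return "schtasks_persistence_from_temp"
    if eid == 13 and RUN_KEY_RE.search(ev.get("target", "")) and from_temp(image):
        return "run_key_set_from_temp"
    if eid == 7 and basename(image) == "pkgmgr.exe":
        dll = ev.get("loaded_image", "")
        # dismcore.dll served from outside C:\Windows is the hijack described above.
        if basename(dll) == "dismcore.dll" and not dll.lower().startswith("c:\\windows\\"):
            return "pkgmgr_dismcore_hijack"
    if eid == 8 and basename(ev.get("target_image", "")) == "explorer.exe" and from_temp(image):
        return "remote_thread_into_explorer"
    if eid == 11 and is_keylog_name(basename(ev.get("target", ""))):
        return "keylog_file_created"
    return None


def detect(events):
    """Return (event index, rule name) pairs for every event that fires a rule."""
    return [(i, rule) for i, ev in enumerate(events) if (rule := classify(ev))]


if __name__ == "__main__":
    for i, rule in detect(SAMPLE_EVENTS):
        print(f"event {i}: {rule}")
```

Each rule pairs a behaviour from the page with the context that makes it suspicious (the parent process, the %temp% origin, or the DLL path), so that the same activity from a legitimate installer or from the genuine DLL under C:\Windows does not fire; the two trailing benign events in the sample show that.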

Summary

Ave Maria malware should be considered as serious a cybersecurity threat as other RATs or ransomware. It uses a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the lack of any need for user interaction to begin execution makes the chance of infection with this malware higher than average. The latest samples also show many advancements compared to the first reports, so it is safe to assume that Ave Maria will be upgraded further down the line.

This threat is fairly new, and there is currently limited information about the Ave Maria RAT, which is all the more reason to use the advanced functions of the ANY.RUN malware hunting service to dissect the available samples. Unfortunately, it is likely that we will hear about this malware again, and the better prepared we are when we do, the better.

IOCs

IP addresses
168.61.222.215
107.150.19.18
82.102.28.107
79.134.225.95
194.147.140.163
20.168.33.220
213.152.161.15
194.5.98.48
91.109.180.6
51.77.67.168
3.132.159.158
185.222.57.164
62.102.148.158
109.206.241.77
51.195.145.82
37.120.206.69
103.231.91.59
157.245.246.87
172.111.9.225
194.5.97.4
Hashes

Domains
valvesco.duckdns.org
WindowsAuthentication324-49629.portmap.host
www.ogbujpmoxi.cf
frederikkempe.com
majul.com
willia2.ddns.net
92ea-81-16-141-214.ngrok.io
3a16-35-239-30-233.ngrok.io
e693-192-154-196-22.ngrok.io
8310-2a00-23c7-9b88-101-d415-cb84-4bd-10ab.ngrok.io
31de-92-46-109-42.ngrok.io
8.tpc.ngrok.io
23c1-128-199-237-110.ngrok.io
c71f-35-239-30-233.ngrok.io
dcce-35-239-30-233.ngrok.io
8034-35-239-30-233.ngrok.io
47cb-35-239-30-233.ngrok.io
c16d-35-240-187-111.ngrok.io
5377-2-97-222-100.ngrok.io
93e8-72-138-28-122.ngrok.io
