Ave Maria

Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Attackers use it to remotely control victims' PCs and steal information from the infected machines. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.

Type: Stealer
Origin: Unknown
First seen: 4 December, 2018
Last seen: 1 August, 2021
Also known as: AVE_MARIA, Warzone RAT
Global rank: 23
Week rank: 12
Month rank: 16
IOCs: 4436

What is Ave Maria malware?

Ave Maria is a remote access Trojan, infostealer, and keylogger. It is malware that attackers can use to gain remote control of the machines it infects. When researchers first discovered this Trojan, it was thought to be rather simplistic. However, later samples turned out to carry surprisingly advanced functions.

The malware is sold as a one- or three-month subscription and can be freely purchased from the attackers, which is typical for this type of virus. Buyers can also purchase a dynamic DNS server from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. When it was first discovered, researchers believed that the malware was fairly simple. It was later revealed that this virus has advanced functions under its hood, such as privilege escalation and remote camera control.

Furthermore, the Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even well-protected information such as credentials stored in Mozilla Firefox is not safe, despite the PK11 encryption the browser applies to them.

However, some parts of the malware appear to be unfinished, and it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, that prospect is worrying.

Ave Maria Trojan uses a DLL hijacking exploit that, at this point, doesn’t have a foreseeable fix. It allows the malware to escalate privileges of a Windows process and enable a malicious process to gain administrative control of an infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.

Once the malware achieves this initial target, it downloads additional plugins and even other viruses like Lokibot to the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service displays the execution process of Ave Maria. Users can utilize this information to take a deep dive into how this malware functions under the hood.


Figure 1: Shows the graph of processes generated by the ANY.RUN malware hunting service.


Figure 2: ANY.RUN allows creating customizable text reports that contain detailed and nicely structured information. This function is perfect for making presentations.

Ave Maria malware execution process

The Ave Maria RAT execution process varies slightly from one version to another. Since the main distribution vector of this malware is malicious spam email campaigns, it usually exploits the CVE-2017-11882 (Microsoft Equation Editor) vulnerability, but it can infect a system in several other ways.

In the analyzed sample, a malicious document (maldoc) is downloaded and the payload is executed through a macro. The malware then copies itself to the %temp% directory and runs from there. The Ave Maria Trojan changes the autorun value in the registry and creates a scheduled task to establish persistence. For privilege escalation, the malware uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a malware instance with higher privileges. The virus also often injects into the explorer.exe process.

After all these steps, the Ave Maria RAT starts its malicious activity: its keylogger function saves all keystrokes and other user activity into a file, it establishes a connection with the C2 server, steals more data from the system, and so on.
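The execution chain above (Office dropping a binary into %temp%, the Run-key autorun, the scheduled task, pkgmgr.exe loading dismcore.dll from a user-writable path, and injection into explorer.exe) maps cleanly onto endpoint telemetry. The following is an added example, not code from ANY.RUN or from the page: a small Python detector run over constructed Sysmon-style events (assumed field names and sample paths; event IDs 1, 7, 8 and 13 are Sysmon's process-create, image-load, CreateRemoteThread and registry-value-set events).

```python
import re

# Constructed Sysmon-style events (assumed field names and paths, not real telemetry)
TEMP_EXE = r"C:\Users\bob\AppData\Local\Temp\images.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": TEMP_EXE, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 13, "image": TEMP_EXE, "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\images"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": TEMP_EXE},
    {"id": 7, "image": r"C:\Windows\System32\pkgmgr.exe", "loaded": r"C:\Users\bob\AppData\Local\Temp\dismcore.dll"},
    {"id": 8, "image": TEMP_EXE, "target": r"C:\Windows\explorer.exe"},
    {"id": 7, "image": r"C:\Windows\System32\pkgmgr.exe", "loaded": r"C:\Windows\System32\dismcore.dll"},  # legitimate load
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WINDIR_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, artefact) pairs for events matching the chain described above."""
    hits = []
    for ev in events:
        img, parent, target = ev.get("image", ""), ev.get("parent", ""), ev.get("target", "")
        # 1) Office spawns an executable out of %temp%
        if ev["id"] == 1 and TEMP_RE.search(img) and basename(parent) == "winword.exe":
            hits.append(("office_spawns_temp_exe", img))
        # 2) a %temp% binary writes a Run-key autorun value
        if ev["id"] == 13 and TEMP_RE.search(img) and "\\currentversion\\run\\" in target.lower():
            hits.append(("run_key_autorun_from_temp", target))
        # 3) a %temp% binary creates a scheduled task
        if ev["id"] == 1 and basename(img) == "schtasks.exe" and TEMP_RE.search(parent):
            hits.append(("scheduled_task_from_temp", parent))
        # 4) pkgmgr.exe loads dismcore.dll from outside C:\Windows (the DLL hijack used for elevation)
        if ev["id"] == 7 and basename(img) == "pkgmgr.exe":
            dll = ev.get("loaded", "")
            if basename(dll) == "dismcore.dll" and not WINDIR_RE.match(dll):
                hits.append(("dismcore_dll_hijack", dll))
        # 5) a %temp% binary opens a thread in explorer.exe (injection)
        if ev["id"] == 8 and basename(target) == "explorer.exe" and TEMP_RE.search(img):
            hits.append(("explorer_injection", img))
    return hits

if __name__ == "__main__":
    for rule, artefact in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {artefact}")
```

Each rule fires on one stage of the chain, so a host that trips several of them in sequence is a much stronger signal than any single hit; the legitimate dismcore.dll load from System32 is deliberately left unflagged.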

Distribution of Ave Maria malware

Like many other RATs, Ave Maria is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques to tailor the emails to suit each targeted segment of potential victims more closely than in typical email spam.

The danger of the Ave Maria RAT distribution method, combined with tailored campaigns, lies in the fact that neither macros nor any further user interaction are required once the malicious document has been downloaded by the victim. The infection often begins with a Microsoft Equation Editor exploit triggered by an embedded object contained in the downloaded document.

How to detect Ave Maria malware using ANY.RUN?

Ave Maria malware performs information stealing offline which causes it to save data locally on an infected system. To find out what information was stolen by Ave Maria RAT, take a look inside files that it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on a file’s name.
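To pick those files out of a sandbox file listing without opening each one by hand, the following added example (not part of the page or of ANY.RUN's tooling) matches names against the dd-mm-yy_hh.mm.ss format described above and discards look-alikes that are not valid timestamps. The file paths are constructed for illustration.

```python
import re
from datetime import datetime

NAME_RE = re.compile(r"^\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}$")  # dd-mm-yy_hh.mm.ss
NAME_FMT = "%d-%m-%y_%H.%M.%S"

# Constructed listing of files created during a sandbox run (assumed paths)
SAMPLE_FILES = [
    r"C:\Users\bob\AppData\Roaming\12-05-21_14.19.58",
    r"C:\Users\bob\AppData\Roaming\12-05-21_14.07.33",
    r"C:\Users\bob\AppData\Roaming\31-02-21_10.00.00",  # matches the pattern but is not a real date
    r"C:\Users\bob\AppData\Roaming\settings.ini",
    r"C:\Users\bob\AppData\Local\Temp\images.exe",
]

def find_stolen_data_files(paths):
    """Return (path, timestamp) for files whose name is a valid dd-mm-yy_hh.mm.ss stamp, oldest first."""
    found = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if not NAME_RE.match(name):
            continue
        try:
            stamp = datetime.strptime(name, NAME_FMT)
        except ValueError:
            continue  # shaped like a stamp, but the date or time is impossible
        found.append((p, stamp))
    return sorted(found, key=lambda item: item[1])

if __name__ == "__main__":
    for path, stamp in find_stolen_data_files(SAMPLE_FILES):
        print(stamp.isoformat(), path)
```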

Figure 3: Information stolen by Ave Maria.

Summary

Ave Maria malware should be considered a serious cybersecurity threat. It utilizes a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the absence of any need for user interaction to begin execution makes the chance of infection with this malware larger than average. We should also add that the latest samples of the malware showed a lot of advancements compared to the first reports. It is safe to assume that Ave Maria will be upgraded down the line.

This threat is fairly new, and right now, there is limited information about Ave Maria RAT. All the more reason to utilize advanced functions provided by the ANY.RUN malware hunting service and dissect the available samples. Unfortunately, we must admit that it is likely that we will hear about this malware again, and the more prepared we are then, the better.

IOCs

