What is Ave Maria malware?
Ave Maria is a remote access Trojan, infostealer, and keylogger. It is malware that attackers can use to gain remote control of machines that it infects. When researchers first discovered this Trojan, it was thought to be rather simplistic. However, later samples surprise with advanced functions.
The malware is available in the form of a one or three months subscription and can be freely purchased from the attackers, which is typical for this type of virus. Users can also purchase a dynamic DNS server from the same distributor to complete the package.
General description of Ave Maria malware
Ave Maria is a modular RAT with an advanced design. When it was first discovered, researchers believed that the malware is fairly simple and won't follow Ryuk ransomware's story. After the later analysis, it was revealed that this virus has advanced functions under its hood, such as privilege escalation and remote camera control.
According to the analysis, Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even such well-protected information such as credentials stored in Mozilla Firefox is not safe despite the utilized PK11 encryption.
However, some parts of the malware appear to be unfinished. And it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, this idea is nothing but worrying.
Ave Maria Trojan uses a DLL hijacking exploit that, at this point, doesn’t have a foreseeable fix. It allows the malware to escalate privileges of a Windows process and enable a malicious process to gain administrative control of an infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.
Once the malware achieves this initial target, it downloads additional plugins and even other viruses like Lokibot to the machine.
Interactive analysis of Ave Maria malware
A video recorded in the ANY.RUN malware hunting service displays the execution process of Ave Maria. Users can utilize this information to perform a deep analysis of how this malware functions under the hood.
Figure 1: Shows the graph of processes generated by the ANY.RUN malware hunting service.
Figure 2: ANY.RUN allows creating customizable text reports that contain detailed and nicely structured information. This function is perfect for making presentations.
Ave Maria malware execution process
Based on the analysis, the Ave Maria RAT execution process can vary a little differently from one version to another. Since the main vector of this malware’s distribution is malicious spam email campaigns, it usually exploits CVE-2017-11882 (Microsoft Equation Editor) vulnerability but can infect a system in several other ways.
In the analyzed sample, Maldoc gets downloaded and executed through macro. Then, the malware copies and runs itself from the %temp% directory. Ave Maria Trojan changes the autorun value in the registry and creates a scheduled task to establish persistence. The malware uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a malware instance with higher privileges for privilege escalation. Also, the virus often injects into the explorer.exe process.
After all these steps, Ave Maria RAT starts its malicious activity such as keylogger function and saves all keystrokes and other user activity into a file, establishes a connection with the C2 server, steals more data from the system, and so on.
Distribution of Ave Maria malware
Like Revenge, Glupteba and many other RATs and ransomware, Ave Maria is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques to tailor the emails to suit each targeted segment of potential victims more closely than in typical email spam.
The danger of the Ave Maria RAT distribution method, along with tailored campaigns, lies in the lack of macros use or the need for user interaction after a malicious document is downloaded by the victim. The infection often begins due to the use of a Microsoft Equation Editor exploit utilized by an embedded object contained in the downloaded document.
How to detect Ave Maria malware using ANY.RUN?
Unlike ransomware, Ave Maria malware performs information stealing offline which causes it to save data locally on an infected system. To get the analysis of what information was stolen by Ave Maria RAT, take a look inside files that it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on a file’s name and start the analysis.
Figure 3: Information is stolen by Ave Maria
Summary
Ave Maria malware should be considered a serious cybersecurity threat as RATs or ransomware. It utilizes a vulnerability that may remain unfixed for the foreseeable future.
Additionally, the joint effect from highly targeted phishing emails and lack of need for the user interaction to begin execution make the chance of contamination with this malware larger than average. We should also add that the latest samples of the malware showed a lot of advancements compared to the first reportings. It is safe to assume that Ave Maria will be upgraded down the line.
This threat is fairly new, and right now, there is limited information about Ave Maria RAT. All the more reason to utilize advanced functions provided by the ANY.RUN malware hunting service for analysis and dissect the available samples. Unfortunately, we must admit that it is likely that we will hear about this malware again, and the more prepared we are then, the better.
