Ave Maria

Ave Maria is a Remote Access Trojan (RAT) that is also known as Warzone RAT. Attackers use it to control victims' PCs remotely and to steal information from the infected machines; for example, they can activate the webcam, take pictures of the victim and send them to the command-and-control server.

  • Type
    Stealer
  • Origin
    Unknown
  • First seen
    4 December, 2018
  • Last seen
    13 December, 2019
Also known as
AVE_MARIA
Warzone RAT
Global rank
27
Week rank
17
Month rank
20
IOCs
517

What is Ave Maria malware?

Ave Maria is a remote access Trojan, information stealer and keylogger: malware that attackers use to gain remote control of the machines it infects. When researchers first discovered this Trojan, it was thought to be rather simplistic; later samples, however, turned out to carry advanced functionality.

The malware is sold openly by its developers as a one- or three-month subscription, which is typical for this type of malware. Buyers can also purchase a dynamic DNS service from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. When it was first discovered, researchers believed the malware to be fairly simple; it was later revealed to have advanced functions under the hood, such as privilege escalation and remote camera control.

Furthermore, the Ave Maria Trojan can steal a wide range of data from infected machines. Even well-protected information such as credentials stored in Mozilla Firefox is not safe, despite the PK11 (NSS) encryption that protects the browser's password store.

However, some parts of the malware appear to be unfinished, which suggests that the authors are still expanding its functionality. Considering how effective this RAT already is, that prospect is worrying.

The Ave Maria Trojan uses a DLL hijacking technique for which no fix is currently in sight. It allows the malware to escalate the privileges of a Windows process so that a malicious process gains administrative control of the infected machine. The malware is also capable of evading detection on many target machines.

Once the malware has reached this initial goal, it downloads additional plugins and even other malware, such as LokiBot, to the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service displays the execution process of Ave Maria. Users can utilize this information to take a deep dive into how this malware functions under the hood.

Figure 1: The process graph generated by the ANY.RUN malware hunting service.

Figure 2: ANY.RUN can generate customizable text reports with detailed, well-structured information; this function is well suited to preparing presentations.

Ave Maria malware execution process

The Ave Maria RAT execution process varies slightly from one version to another. Since the malware is mainly distributed through malicious spam email campaigns, it usually exploits the CVE-2017-11882 (Microsoft Equation Editor) vulnerability, but it can infect a system in several other ways.

In the analyzed sample, the malicious document is downloaded and the payload is executed through a macro. The malware then copies itself to the %temp% directory and runs from there. To establish persistence, the Ave Maria Trojan sets an autorun value in the registry and creates a scheduled task. For privilege escalation, the malware uses pkgmgr.exe to load a malicious DLL (dismcore.dll), which starts a malware instance with higher privileges. The malware also frequently injects into the explorer.exe process.

After these steps, the Ave Maria RAT begins its malicious activity: its keylogger saves all keystrokes and other user activity to a file, it establishes a connection with the C2 server, steals further data from the system, and so on.

Distribution of Ave Maria malware

Ave Maria, like many other RATs, is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use spear-phishing techniques, tailoring the emails to each targeted segment of potential victims more closely than in typical email spam.

The danger of this distribution method, combined with the tailored campaigns, lies in the fact that no macros and no further user interaction are needed once the victim opens the downloaded document. The infection usually begins with a Microsoft Equation Editor exploit triggered by an embedded object contained in the document.
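As an added example (not ANY.RUN's code, and nothing taken from the Ave Maria authors), the following Python script shows the kind of static check a practitioner would run on an RTF lure of the type described above: it looks for an embedded OLE object whose class is Equation.3, for the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} inside the hex-encoded \objdata blob, and for the \objupdate control word that makes Word activate the object on open without user interaction. The sample documents at the bottom are constructed for the demo and are not exploit files; the regular expressions are a heuristic and do not fully parse RTF.

```python
r"""Heuristic scanner for RTF lures carrying an Equation Editor OLE object.

Added example, not ANY.RUN's code. Three signals are checked:
  * \objclass names an Equation.* class (CVE-2017-11882 lures target the
    Equation Editor),
  * the hex-encoded \objdata blob contains the class name or the Equation
    Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046},
  * \objupdate is present, which makes Word activate the object on open.
The sample documents at the bottom are constructed for the demo and are not
exploit files; the regexes are a heuristic, not a full RTF parser.
"""
import re

EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"  # Equation Editor 3.0


def clsid_to_le_hex(clsid: str) -> str:
    """CLSID text -> hex of the on-disk GUID layout (first three fields little-endian)."""
    d1, d2, d3, d4, d5 = clsid.split("-")

    def swap(h):
        return "".join(reversed([h[i:i + 2] for i in range(0, len(h), 2)]))

    return (swap(d1) + swap(d2) + swap(d3) + d4 + d5).lower()


def scan_rtf(data: bytes) -> dict:
    """Return which Equation Editor indicators the RTF bytes contain."""
    text = data.decode("latin-1")
    clsid_bytes = bytes.fromhex(clsid_to_le_hex(EQNEDT_CLSID))
    found = {"equation_objclass": False, "equation_in_objdata": False,
             "eqnedt_clsid": False, "auto_update": "\\objupdate" in text}

    # \objclass is plain text and trivial to spot, so attackers often drop it.
    for m in re.finditer(r"\\objclass\s*([^\\{}\s]+)", text):
        if "equation" in m.group(1).lower():
            found["equation_objclass"] = True

    # \objdata is a hex dump of the OLE1 object; whitespace is allowed anywhere
    # in the hex and is commonly used to break naive string matches.
    for m in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]+)", text):
        hexstr = re.sub(r"\s+", "", m.group(1))
        blob = bytes.fromhex(hexstr[: len(hexstr) & ~1])
        if b"equation" in blob.lower():
            found["equation_in_objdata"] = True
        if clsid_bytes in blob:
            found["eqnedt_clsid"] = True

    found["suspicious"] = (found["equation_objclass"] or found["equation_in_objdata"]
                           or found["eqnedt_clsid"])
    return found


def _fake_objdata(class_name: bytes, clsid_hex: str) -> str:
    """Constructed OLE1-style blob: version, format, class name, then a stub
    OLE2 header followed by the root CLSID. Only the fields scan_rtf looks at
    are realistic."""
    name = class_name + b"\x00"
    header = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
              + len(name).to_bytes(4, "little") + name)
    body = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + bytes.fromhex(clsid_hex)
    hexstr = (header + body).hex()
    # split the hex into lines, as real RTF writers do
    return "\n".join(hexstr[i:i + 64] for i in range(0, len(hexstr), 64))


# Constructed samples (not real maldocs).
MALICIOUS_RTF = ("{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
                 "{\\*\\objdata " + _fake_objdata(b"Equation.3", clsid_to_le_hex(EQNEDT_CLSID))
                 + "}}}").encode()
# obfuscated variant: no \objclass, mixed-case class name, CLSID field zeroed
OBFUSCATED_RTF = ("{\\rtf1{\\object\\objemb{\\*\\objdata "
                  + _fake_objdata(b"eQuAtIoN.2", "00" * 16) + "}}}").encode()
BENIGN_RTF = ("{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
              + _fake_objdata(b"Package", clsid_to_le_hex("0003000C-0000-0000-C000-000000000046"))
              + "}}}").encode()

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_RTF), ("obfuscated", OBFUSCATED_RTF),
                       ("benign", BENIGN_RTF)):
        print(label, scan_rtf(doc))
```

The obfuscated sample shows why the check must decode \objdata rather than grep the file: once \objclass is removed and the class name is written in mixed case, only the decoded OLE1 header still gives the object away.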

How to detect Ave Maria malware using ANY.RUN?

Ave Maria performs its information stealing offline, saving the collected data locally on the infected system. To find out what information was stolen by the Ave Maria RAT, look inside the files it creates using "Static Discovering". These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on its name.

Figure 3: Information stolen by Ave Maria
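The execution chain described in the "Ave Maria malware execution process" section and the dd-mm-yy_hh.mm.ss file naming above translate directly into host-based detection rules. The Python below is an added example, not ANY.RUN's code: it runs a few rules over a constructed, Sysmon-style event trace (field names follow Sysmon; the paths, SID and hostnames are invented) and reports which stages it sees: execution from %TEMP%, Run-key and scheduled-task persistence, a dismcore.dll loaded from outside the Windows directory and a non-system process spawned by pkgmgr.exe, keylog files named dd-mm-yy_hh.mm.ss, and DNS queries to the dynamic-DNS providers that appear in this page's IOC list.

```python
"""Detection rules for the Ave Maria execution chain and its on-disk artifacts.

Added example, not ANY.RUN's code. The rules run over constructed, Sysmon-style
events (field names follow Sysmon: Image, ParentImage, CommandLine,
ImageLoaded, TargetObject, Details, TargetFilename, QueryName) and flag the
stages the page describes. Paths, SIDs and hostnames below are invented.
"""
import re

TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64|winsxs)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\[^\\]+$", re.I)
KEYLOG_NAME = re.compile(r"\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}(\.\w+)?")
# dynamic-DNS suffixes taken from this page's domain IOCs
DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net", "myddns.me", "sytes.net",
                   "3utilities.com", "mywire.org", "ddnsfree.com", "warzonedns.com")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, detail) hits in event order."""
    hits = []
    for ev in events:
        kind = ev["EventType"]
        if kind == "ProcessCreate":
            image, parent = ev["Image"], ev.get("ParentImage", "")
            cmd = ev.get("CommandLine", "").lower()
            if TEMP_DIR.search(image):
                hits.append(("exec_from_temp", image))
            if basename(image) == "schtasks.exe" and "/create" in cmd and TEMP_DIR.search(parent):
                hits.append(("schtask_persistence", ev["CommandLine"]))
            # the hijacked pkgmgr.exe starts a new, elevated malware instance
            if basename(parent) == "pkgmgr.exe" and not SYSTEM_DIRS.match(image):
                hits.append(("elevated_child_of_pkgmgr", image))
        elif kind == "ImageLoad":
            loaded = ev["ImageLoaded"]
            # dismcore.dll belongs under the Windows directory; anywhere else is a hijack
            if basename(loaded) == "dismcore.dll" and not SYSTEM_DIRS.match(loaded):
                hits.append(("dismcore_dll_hijack", ev["Image"] + " -> " + loaded))
        elif kind == "RegistryValueSet":
            if RUN_KEY.search(ev["TargetObject"]) and TEMP_DIR.search(ev.get("Details", "")):
                hits.append(("runkey_persistence", ev["TargetObject"]))
        elif kind == "FileCreate":
            if KEYLOG_NAME.fullmatch(basename(ev["TargetFilename"])):
                hits.append(("keylog_artifact", ev["TargetFilename"]))
        elif kind == "DnsQuery":
            q = ev["QueryName"].lower()
            if any(q == s or q.endswith("." + s) for s in DYNDNS_SUFFIXES):
                hits.append(("dyndns_beacon", q))
    return hits


def stages_seen(events):
    """Set of rule names that fired; useful for scoring a whole trace."""
    return {rule for rule, _ in detect(events)}


TEMP = r"C:\Users\victim\AppData\Local\Temp"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [  # constructed trace following the chain described in the text
    {"EventType": "ProcessCreate", "Image": WINWORD,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE invoice.doc"},
    {"EventType": "ProcessCreate", "Image": TEMP + r"\images.exe",
     "ParentImage": WINWORD, "CommandLine": TEMP + r"\images.exe"},
    {"EventType": "RegistryValueSet", "Image": TEMP + r"\images.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\images",
     "Details": TEMP + r"\images.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": TEMP + r"\images.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 1 /tn images /tr "' + TEMP + r'\images.exe"'},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\pkgmgr.exe",
     "ImageLoaded": TEMP + r"\dismcore.dll"},
    {"EventType": "ProcessCreate", "Image": TEMP + r"\images.exe",
     "ParentImage": r"C:\Windows\System32\pkgmgr.exe", "CommandLine": TEMP + r"\images.exe"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\13-12-19_10.42.07"},
    {"EventType": "DnsQuery", "Image": r"C:\Windows\explorer.exe", "QueryName": "c2-demo.duckdns.org"},
    # benign noise that must not fire
    {"EventType": "DnsQuery", "Image": r"C:\Windows\explorer.exe", "QueryName": "www.microsoft.com"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\report-2019.log"},
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:26} {detail}")
```

The dynamic-DNS rule is noisy on its own, since legitimate software also uses these providers; score it together with the other stages rather than alerting on it alone. The dismcore.dll rule deliberately ignores the loading process and keys on the path, so it also catches variants that reach the DLL through a different auto-elevated binary.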

Summary

Ave Maria malware should be considered a serious cybersecurity threat. It uses a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the lack of any need for user interaction to start execution makes the chance of infection with this malware higher than average. The latest samples also show considerable advances over the first reports, and it is safe to assume that Ave Maria will be upgraded further down the line.

This threat is fairly new, and information about the Ave Maria RAT is still limited. That is all the more reason to use the advanced functions of the ANY.RUN malware hunting service to dissect the available samples. It is likely that we will hear about this malware again, and the better prepared we are then, the better.

IOCs

IP addresses
79.134.225.71
79.134.225.39
95.213.195.71
79.134.225.75
79.134.225.105
91.193.75.100
185.19.85.155
79.134.225.115
216.38.2.195
79.134.225.95
79.134.225.70
79.134.225.93
185.165.153.39
79.134.225.85
146.185.195.28
141.255.164.13
79.134.225.101
79.134.225.103
79.134.225.119
213.152.161.5
Hashes
Domains
isns.net
majul.com
qxq.ddns.net
sandra.myddns.me
888rats.duckdns.org
mike567.ddns.net
cjax.ddns.net
warzones.duckdns.org
jackspro.warzonedns.com
oge.mywire.org
ayaka.ddnsfree.com
mercy2019.ddns.net
stbbfcal.duckdns.org
mnx.duckdns.org
sandshoe.duckdns.org
olavroy.duckdns.org
chance2019.ddns.net
onelove03.duckdns.org
manblues.sytes.net
hustle4eva2.3utilities.com
