Ave Maria

Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.

Type: Stealer
Origin: Unknown
First seen: 4 December, 2018
Last seen: 26 January, 2023
Also known as: AVE_MARIA, Warzone RAT
Global rank: 23
Week rank: 14
Month rank: 14
IOCs: 7179

What is Ave Maria malware?

Ave Maria is a remote access Trojan, infostealer, and keylogger: malware that attackers use to gain remote control of the machines it infects. When researchers first discovered this Trojan, it was thought to be rather simplistic; however, later samples turned out to have surprisingly advanced functions.

The malware is sold as a one- or three-month subscription and can be freely purchased from the attackers, which is typical for this type of malware. Buyers can also purchase a dynamic DNS server from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. When it was first discovered, researchers believed that the malware was fairly simple and would not repeat Ryuk ransomware's story. Later analysis revealed that it has advanced functions under its hood, such as privilege escalation and remote camera control.

According to the analysis, the Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even well-protected information such as credentials stored in Mozilla Firefox is not safe, despite the PK11 encryption used to store them.

However, some parts of the malware appear to be unfinished, and it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, this is nothing but worrying.

The Ave Maria Trojan uses a DLL hijacking exploit that, at this point, doesn't have a foreseeable fix. It allows the malware to escalate the privileges of a Windows process and lets a malicious process gain administrative control of an infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.

Once the malware achieves this initial target, it downloads additional plugins and even other viruses like Lokibot to the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service displays the execution process of Ave Maria. Users can utilize this information to perform a deep analysis of how this malware functions under the hood.

Figure 1: Graph of processes generated by the ANY.RUN malware hunting service.

Figure 2: ANY.RUN allows creating customizable text reports that contain detailed and nicely structured information. This function is perfect for making presentations.

Ave Maria malware execution process

Based on the analysis, the Ave Maria RAT execution process can vary slightly from one version to another. Since the main distribution vector of this malware is malicious spam email campaigns, it usually exploits the CVE-2017-11882 (Microsoft Equation Editor) vulnerability, but it can infect a system in several other ways.

In the analyzed sample, the malicious document is downloaded and executed through a macro. The malware then copies itself to the %temp% directory and runs from there. The Ave Maria Trojan changes the autorun value in the registry and creates a scheduled task to establish persistence. For privilege escalation, the malware uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a malware instance with higher privileges. The malware also often injects into the explorer.exe process.

After all these steps, Ave Maria RAT starts its malicious activity: its keylogger function saves all keystrokes and other user activity into a file, it establishes a connection with the C2 server, steals more data from the system, and so on.

Distribution of Ave Maria malware

Like Revenge, Glupteba, and many other RATs and ransomware families, Ave Maria is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques to tailor the emails to each targeted segment of potential victims more closely than in typical email spam.

The danger of the Ave Maria RAT distribution method, combined with tailored campaigns, lies in the fact that it needs neither macros nor user interaction after the victim downloads the malicious document. The infection often begins with a Microsoft Equation Editor exploit triggered by an embedded object contained in the downloaded document.

How to detect Ave Maria malware using ANY.RUN?

Unlike ransomware, Ave Maria malware performs information stealing offline, which means it saves the stolen data locally on the infected system. To analyze what information Ave Maria RAT stole, look inside the files it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on its name and start the analysis.
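As an added example (not code from the original page or from ANY.RUN), the following Python triage script checks Sysmon-style process, registry, image-load and file events for the execution-process stages described above and for the dd-mm-yy_hh.mm.ss-named drop files mentioned here: execution from %temp%, Run-key and scheduled-task persistence, pkgmgr.exe loading dismcore.dll from outside a system directory, injection into explorer.exe, and timestamp-named file creation. The event field names and the sample events are constructed assumptions, not ANY.RUN's or Sysmon's exact schema.

```python
import re
from typing import Dict, List

# Constructed sample events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "ProcessCreate", "image": r"C:\Users\bob\AppData\Local\Temp\inv.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": "inv.exe"},
    {"type": "RegistryValueSet", "image": r"C:\Users\bob\AppData\Local\Temp\inv.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\inv"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\inv.exe",
     "cmdline": "schtasks /create /sc minute /tn inv"},
    {"type": "ImageLoad", "image": r"C:\Windows\System32\pkgmgr.exe",
     "module": r"C:\Users\bob\AppData\Local\Temp\dismcore.dll"},
    {"type": "CreateRemoteThread", "image": r"C:\Users\bob\AppData\Local\Temp\inv.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"type": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "file": r"C:\Users\bob\AppData\Roaming\19-04-22_14.32.07"},
]

# dismcore.dll is legitimate only when loaded from a Windows system directory.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# File name in the dd-mm-yy_hh.mm.ss format used for the locally saved stolen data.
LOG_NAME = re.compile(r"\\\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}$")

def in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()

def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return the names of the Ave Maria chain stages observed in the events."""
    found: List[str] = []
    for e in events:
        t, image = e["type"], e.get("image", "").lower()
        if t == "ProcessCreate" and in_temp(image):
            found.append("exec_from_temp")
        elif t == "RegistryValueSet" and "\\currentversion\\run\\" in e["target"].lower():
            found.append("run_key_persistence")
        elif t == "ProcessCreate" and image.endswith("schtasks.exe") and "/create" in e["cmdline"].lower():
            found.append("scheduled_task")
        elif (t == "ImageLoad" and image.endswith("pkgmgr.exe")
              and e["module"].lower().endswith("dismcore.dll")
              and not e["module"].lower().startswith(SYSTEM_DIRS)):
            found.append("pkgmgr_dll_hijack")
        elif t == "CreateRemoteThread" and e["target"].lower().endswith("\\explorer.exe"):
            found.append("explorer_injection")
        elif t == "FileCreate" and LOG_NAME.search(e["file"]):
            found.append("timestamp_named_dropfile")
    return found

def suspicious(events: List[Dict[str, str]], threshold: int = 3) -> bool:
    """Flag a host when several distinct stages of the chain co-occur."""
    return len(set(detect(events))) >= threshold
```

A single stage (for example a scheduled task) is common in benign activity; the chain as a whole, especially the pkgmgr.exe/dismcore.dll load from a user-writable path, is what makes the host worth a closer look.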

Figure 3: Information stolen by Ave Maria

Summary

Ave Maria malware should be considered as serious a cybersecurity threat as other RATs or ransomware. It utilizes a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the joint effect of highly targeted phishing emails and the lack of need for user interaction to begin execution makes the chance of infection with this malware larger than average. We should also add that the latest samples of the malware show many advancements compared to the first reports. It is safe to assume that Ave Maria will be upgraded further down the line.

This threat is fairly new, and right now there is limited information about Ave Maria RAT. All the more reason to utilize the advanced functions provided by the ANY.RUN malware hunting service to analyze and dissect the available samples. Unfortunately, we must admit that we are likely to hear about this malware again, and the more prepared we are then, the better.


