Ave_Maria Malware: there's more than meets the eye
AVE_MARIA, a malware used in phishing campaigns and so far identified only as an info-stealer, appears to be more complex and insidious, offering a wide range of capabilities, from privilege escalation to camera exfiltration, RDP connections, email extraction and more. For the past few months we have been monitoring various phishing campaign delivering AVE_MARIA and we are now able to prove that AVE_MARIA is in fact a complete and multi-purpose malware.
This article is the first of a series of 2 in which we will analyse the capabilities of AVE_MARIA… and more.
AVE_MARIA Initial Vector
For his analysis we will take as an example the document with the following SHA-256: baaa65730d47c21a56bfcdfaced6b888b9590a96e1fd19df9c18115c0b8d1747 (you can check the behavior from ReaQta-Hive on VirusTotal, click on “Detailed Report“).
The document doesn’t contain any malicious macro nor any particular luring content that asks the user to click in order to access the content. In fact the document contains an embedded object that uses the Microsoft Equation Editor exploit, to start the infection.
AVE_MARIA infection chain is convoluted and it can be summarised as follows:
- The malicious RTF exploits CVE-2017-11882
- eqnedt32.exe (Microsoft Equation Editor) downloads and executes the AVE_MARIA malware
- AVE_MARIA starts another instance of itself then it downloads a second malware: Lokibot
- AVE_MARIA performs persistence using the registry
- It runs a UAC bypass to escalate its privileges
- It modifies Windows Defender settings by excluding a directory from scanning
- It enables inbound RDP connections
AVE_MARIA First stage
The storyline reconstructed via ReaQta-Hive shows that after a successful exploitation the eqnedt32.exe (Microsoft Equation Editor) process downloads (#1) and executes (#2) the dropped AVE_MARIA malware.
In an attempt to hide its presence, the main process disguises its name by mispelling that of a common Windows process, in this case: scvhost.exe (original: svchost.exe).
The malware duplicates itself in a new directory (#3), %appdata%, and it establishes persistence in the registry via HKCU\Software\Microsoft\Windows\CurrentVersion\Run (#4).
AVE_MARIA Second stage
The malware uses different threads during the infection process, to simplify the analysis we divide the second stage in 2 different parts.
Part 1 – The Lokibot case
In this first part we see the main AVE_MARIA malicious process (pid 1072) downloading another executable (analysis box #1 and #2) from:
and executing it (#4).
The combination of AVE_MARIA and Lokibot led us to keep analysing this malware to obtain further information.
Part 2 – Privilege Escalation and RDP
Now for the second part: the malicious process spawns cmd.exe, that is used to finalize the privilege escalation.
In this case the privilege escalation leverages on pkgmgr.exe (#2) to load a malicious dll, dismcore.dll (#1), that in turn spawns a HIGH privilege instance of the malware (#3) seen in the picture with pid 4512.
After obtaining the HIGH integrity level, the malware excludes the entire C: drive from Windows Defender by using powershell.exe and the cmdlet Add-MpPreference (#4).
powershell Add-MpPreference -ExclusionPath C:\
Later on the activity continues with the download of another executable (analysis box #5 and #6) that is eventually started (#7):
This last executable, that we will call upnp.exe, is responsible for 2 tasks:
- Enabling inbound connection to the RDP port 3389.
- Bypassing NAT by leveraging on the Simple Service Discovery Protocol in order to create a port forward via UPnP.
The first task is easily completed by running the netsh.exe Windows utility with the following commandline (#8):
netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
The second task is completed by issuing a UPnP request to the router in order to open a port for communication as it can be seen from the analysis box #9 where an SSDP connection is established towards a machine having address:
The port 2869 is used for Service Discovery (SSDP).
The Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet protocol suite for advertisement and discovery of network services and presence information.[…] Microsoft uses port number 2869 for event notification and event subscriptions. [..]
This was another good reason to keep looking into AVE_MARIA to better understand the capabilities of this “info-stealer”.
After completing the infection, the malware waits to receive new commands from its C2. While waiting the malware also acts as a keylogger, recording to file – and exfiltrating to the C2 – everything typed by the user.
AVE_MARIA offers a wide range of features:
- Privilege Escalation, support from Windows 7 to Windows 10
- Code Injection
- Offline Keylogger
- Camera Exfiltration
- Processes Management: enumeration, termination
- File Management: creation, download, exfiltration, deletion
- Download and Execution
- RDP using rdpwrap
- Info-stealer support:
- Google Chrome
- Internet Explore
We will analyse in more detail such capabilities in the next post.
We have identified several domains used by the same vector, in fact different components use different C2 or drop zones to carry out their activities.
The dropped Lokibot sends POST requests to the following C2:
AVE_MARIA downloads several components (used to access passwords and to issue the UPnP request) from the same server, we have noticed a consistent use of the following address in different campaigns:
h**p://126.96.36.199/dll/softokn3.dll h**p://188.8.131.52/dll/msvcp140.dll h**p://184.108.40.206/dll/mozglue.dll h**p://220.127.116.11/dll/vcruntime140.dll h**p://18.104.22.168/dll/freebl3.dll h**p://22.214.171.124/dll/nss3.dll
Last but not least, this is the dropurl used in the analyzed sample:
That, at the time of writing this report, resolves to:
This URL is used by the exploit to download both AVE_MARIA payload and the Lokibot executables.
Curiously, this same domain is also delivering another malware via Word Documents and HTA Files, in this case it appears to be FORMBOOK as confirmed also by an independent researcher on Twitter.
— My Online Security (@dvk01uk) March 29, 2019
In order to achieve communication with the attacker, AVE_MARIA relies on a dynamic DNS service:
That currently resolves to:
We have identified this domain in other campaigns and we will provide more information in the next post.
The analysis presented shows that AVE_MARIA is not just an info-stealer, in fact it comes with different capabilities beyond those of an info-stealer and it also appears to work in conjunction with other threats, such as in this case Lokibot.
In the next post we will provide further details on how AVE_MARIA operates… and more.
|T1105||Remote File Copy||Command And Control, Lateral Movement|
|T1043||Commonly Used Port||Command And Control|
|T1060||Registry Run Keys||Persistence|
|T1065||Uncommonly Used Port||Command And Control|
|T1088||Bypass User Access Control||Defense Evasion, Privilege Escalation|
|T1106||Execution through API||Execution|
|T1055||Process Injection||Defense Evasion, Privilege Escalation|
|T1089||Disabling Security Tools||Defense Evasion|
|T1076||Remote Desktop Protocol||Lateral Movement|
|fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c||Privesc Dll dismcore.dll|
|0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9||upnp.exe (RDP) executable|
|47745440509f8a374c7ce8c0c8b85213b1a40e2b86dc2cd77cb254426e1e2c7c||hta file (Formbook)|
|maxibrainz.warzonedns.com:2580||AVE_MARIA C2 domain|
|126.96.36.199:2580||AVE_MARIA C2 ip|
|188.8.131.52||AVE_MARIA components drop ip|