Ave_Maria Malware: there's more than meets the eye

Introduction

AVE_MARIA, a malware used in phishing campaigns and so far identified only as an info-stealer, appears to be more complex and insidious, offering a wide range of capabilities, from privilege escalation to camera exfiltration, RDP connections, email extraction and more. For the past few months we have been monitoring various phishing campaign delivering AVE_MARIA and we are now able to prove that AVE_MARIA is in fact a complete and multi-purpose malware.

This article is the first of a series of 2 in which we will analyse the capabilities of AVE_MARIA… and more.

AVE_MARIA Initial Vector

For his analysis we will take as an example the document with the following SHA-256: baaa65730d47c21a56bfcdfaced6b888b9590a96e1fd19df9c18115c0b8d1747 (you can check the behavior from ReaQta-Hive on VirusTotal, click on “Detailed Report“).
The document doesn’t contain any malicious macro nor any particular luring content that asks the user to click in order to access the content. In fact the document contains an embedded object that uses the Microsoft Equation Editor exploit, to start the infection.

Infection

AVE_MARIA infection chain is convoluted and it can be summarised as follows:

• The malicious RTF exploits CVE-2017-11882
• eqnedt32.exe (Microsoft Equation Editor) downloads and executes the AVE_MARIA malware
• AVE_MARIA starts another instance of itself then it downloads a second malware: Lokibot
• AVE_MARIA performs persistence using the registry
• It runs a UAC bypass to escalate its privileges
• It modifies Windows Defender settings by excluding a directory from scanning
• It enables inbound RDP connections

AVE_MARIA First stage

The storyline reconstructed via ReaQta-Hive shows that after a successful exploitation the eqnedt32.exe (Microsoft Equation Editor) process downloads (#1) and executes (#2) the dropped AVE_MARIA malware.
In an attempt to hide its presence, the main process disguises its name by mispelling that of a common Windows process, in this case: scvhost.exe (original: svchost.exe).

The malware duplicates itself in a new directory (#3), %appdata%, and it establishes persistence in the registry via HKCU\Software\Microsoft\Windows\CurrentVersion\Run (#4).

AVE_MARIA Second stage

The malware uses different threads during the infection process, to simplify the analysis we divide the second stage in 2 different parts.

Part 1 – The Lokibot case

In this first part we see the main AVE_MARIA malicious process (pid 1072) downloading another executable (analysis box #1 and #2) from:

h**p://secured.icbegypt.com/ssl.exe

and executing it (#4).

The combination of AVE_MARIA and Lokibot led us to keep analysing this malware to obtain further information.

Part 2 – Privilege Escalation and RDP

Now for the second part: the malicious process spawns cmd.exe, that is used to finalize the privilege escalation.

In this case the privilege escalation leverages on pkgmgr.exe (#2) to load a malicious dll, dismcore.dll (#1),  that in turn spawns a HIGH privilege instance of the malware (#3) seen in the picture with pid 4512.

After obtaining the HIGH integrity level, the malware excludes the entire C: drive from Windows Defender by using powershell.exe and the cmdlet Add-MpPreference (#4).

powershell Add-MpPreference -ExclusionPath C:\

Later on the activity continues with the download of another executable (analysis box #5 and #6) that is eventually started (#7):

h**p://5.206.225.104/dll/upnp.exe

This last executable, that we will call upnp.exe, is responsible for 2 tasks:

1. Enabling inbound connection to the RDP port 3389.
2. Bypassing NAT by leveraging on the Simple Service Discovery Protocol in order to create a port forward via UPnP.

The first task is easily completed by running the netsh.exe Windows utility with the following commandline (#8):

netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389

The second task is completed by issuing a UPnP request to the router in order to open a port for communication as it can be seen from the analysis box #9 where an SSDP connection is established towards a machine having address:

192.168.20.16:2869

The port 2869 is used for Service Discovery (SSDP).
From Wikipedia:

The Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet protocol suite for advertisement and discovery of network services and presence information.

[…] Microsoft uses port number 2869 for event notification and event subscriptions. [..]

This was another good reason to keep looking into AVE_MARIA to better understand the capabilities of this “info-stealer”.

Final Stage

After completing the infection, the malware waits to receive new commands from its C2. While waiting the malware also acts as a keylogger, recording to file – and exfiltrating to the C2 – everything typed by the user.

AVE_MARIA offers a wide range of features:

• Privilege Escalation, support from Windows 7 to Windows 10
• Persistence
• Code Injection
• Offline Keylogger
• Camera Exfiltration
• Processes Management: enumeration, termination
• File Management: creation, download, exfiltration, deletion
• Download and Execution
• RDP using rdpwrap
• Info-stealer support:
  • Google Chrome
  • Firefox
  • Internet Explore
  • Outlook
  • Thunderbird
  • Foxmail
• Cleanup

We will analyse in more detail such capabilities in the next post.

C2

We have identified several domains used by the same vector, in fact different components use different C2 or drop zones to carry out their activities.

The dropped Lokibot sends POST requests to the following C2:

h**p://89.46.222.77/MaX/fre.php

AVE_MARIA downloads several components (used to access passwords and to issue the UPnP request) from the same server, we have noticed a consistent use of the following address in different campaigns:

h**p://5.206.225.104/dll/softokn3.dll
h**p://5.206.225.104/dll/msvcp140.dll
h**p://5.206.225.104/dll/mozglue.dll
h**p://5.206.225.104/dll/vcruntime140.dll
h**p://5.206.225.104/dll/freebl3.dll
h**p://5.206.225.104/dll/nss3.dll

Last but not least, this is the dropurl used in the analyzed sample:

h**p://secured.icbegypt.com

That, at the time of writing this report, resolves to:

89.46.223.202:80

This URL is used by the exploit to download both AVE_MARIA payload and the Lokibot executables.
Curiously, this same domain is also delivering another malware via Word Documents and HTA Files, in this case it appears to be FORMBOOK as confirmed also by an independent researcher on Twitter.

2 different formbook campaigns so far today. Both using same site https://t.co/XMCPldsB2n https://t.co/Hf8Sd90BpE pic.twitter.com/8jRZhqO8Zf

— My Online Security (@dvk01uk) March 29, 2019

In order to achieve communication with the attacker, AVE_MARIA relies on a dynamic DNS service:

h**p://maxibrainz.warzonedns.com:2580

That currently resolves to:

91.192.100.61:2580

We have identified this domain in other campaigns and we will provide more information in the next post.

Conclusions

The analysis presented shows that AVE_MARIA is not just an info-stealer, in fact it comes with different capabilities beyond those of an info-stealer and it also appears to work in conjunction with other threats, such as in this case Lokibot.
In the next post we will provide further details on how AVE_MARIA operates… and more.

Mitre ATT&CK

IOCs