# Ave_Maria Malware: there's more than meets the eye **reaqta.com/2019/04/ave_maria-malware-part1/** ## Introduction AVE_MARIA, a malware used in phishing campaigns and so far identified only as an infostealer, appears to be more complex and insidious, offering a wide range of capabilities, from privilege escalation to camera exfiltration, RDP connections, email extraction and more. For the past few months we have been monitoring various phishing campaign delivering AVE_MARIA and we are now able to prove that AVE_MARIA is in fact a complete and multipurpose malware. This article is the first of a series of 2 in which we will analyse the capabilities of AVE_MARIA… and more. ## AVE_MARIA Initial Vector For his analysis we will take as an example the document with the following SHA-256: _baaa65730d47c21a56bfcdfaced6b888b9590a96e1fd19df9c18115c0b8d1747 (you can check_ the behavior from ReaQta-Hive on [VirusTotal, click on “Detailed Report“).](https://www.virustotal.com/#/file/baaa65730d47c21a56bfcdfaced6b888b9590a96e1fd19df9c18115c0b8d1747/behavior) The document doesn’t contain any malicious macro nor any particular luring content that asks the user to click in order to access the content. In fact the document contains an embedded [object that uses the Microsoft Equation Editor exploit, to start the infection.](https://upstream.rqt.io/2018/03/spear-phishing-campaign-leveraging-msxsl/) ----- Spear-phishing document using CVE-2017-11882 ## Infection ----- Ave Maria Infection Pipeline AVE_MARIA infection chain is convoluted and it can be summarised as follows: The malicious RTF exploits CVE-2017-11882 _eqnedt32.exe (Microsoft Equation Editor) downloads and executes the AVE_MARIA_ malware **AVE_MARIA starts another instance of itself then it downloads a second malware:** **Lokibot** AVE_MARIA performs persistence using the registry It runs a UAC bypass to escalate its privileges It modifies Windows Defender settings by excluding a directory from scanning It enables inbound RDP connections ----- complete behavioural tree ### AVE_MARIA First stage [The storyline reconstructed via ReaQta-Hive shows that after a successful exploitation the](https://upstream.rqt.io/hive/) _eqnedt32.exe (Microsoft Equation Editor) process downloads (#1) and executes (#2) the_ dropped AVE_MARIA malware. In an attempt to hide its presence, the main process disguises its name by mispelling that of a common Windows process, in this case: scvhost.exe (original: svchost.exe). ----- First stage The malware duplicates itself in a new directory (#3), %appdata%, and it establishes persistence in the registry via HKCU\Software\Microsoft\Windows\CurrentVersion\Run (#4). ### AVE_MARIA Second stage The malware uses different threads during the infection process, to simplify the analysis we divide the second stage in 2 different parts. **Part 1 – The Lokibot case** In this first part we see the main AVE_MARIA malicious process (pid 1072) downloading another executable (analysis box #1 and #2) from: ``` h**p://secured.icbegypt.com/ssl.exe ``` and executing it (#4). ----- second stage – part 1 The combination of AVE_MARIA and [Lokibot led us to keep analysing this malware to obtain](https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850) further information. **Part 2 – Privilege Escalation and RDP** Now for the second part: the malicious process spawns cmd.exe, that is used to finalize the privilege escalation. ----- second stage – part 2 In this case the privilege escalation leverages on pkgmgr.exe (#2) to load a malicious dll, _dismcore.dll (#1), that in turn spawns a HIGH privilege instance of the malware (#3) seen in_ the picture with pid 4512. privilege escalation detail After obtaining the HIGH integrity level, the malware excludes the entire C: drive from Windows Defender by using powershell.exe and the cmdlet Add-MpPreference (#4). ``` powershell Add-MpPreference -ExclusionPath C:\ ``` Later on the activity continues with the download of another executable (analysis box #5 and #6) that is eventually started (#7): ``` h**p://5.206.225.104/dll/upnp.exe ``` This last executable, that we will call upnp.exe, is responsible for 2 tasks: 1. Enabling inbound connection to the RDP port 3389. 2. Bypassing NAT by leveraging on the Simple Service Discovery Protocol in order to create a port forward via UPnP. The first task is easily completed by running the netsh.exe Windows utility with the following commandline (#8): ``` netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389 ``` ----- The second task is completed by issuing a UPnP request to the router in order to open a port for communication as it can be seen from the analysis box #9 where an SSDP connection is established towards a machine having address: ``` 192.168.20.16:2869 ``` The port 2869 is used for Service Discovery(SSDP). From Wikipedia: The Simple Service Discovery Protocol (SSDP) is a [network protocol based on](https://en.wikipedia.org/wiki/Network_protocol) the [Internet protocol suite for advertisement and discovery of network services and](https://en.wikipedia.org/wiki/Internet_protocol_suite) presence information. […] Microsoft uses port number 2869 for event notification and event subscriptions. [..] This was another good reason to keep looking into AVE_MARIA to better understand the capabilities of this “info-stealer”. ## Final Stage After completing the infection, the malware waits to receive new commands from its C2. While waiting the malware also acts as a keylogger, recording to file – and exfiltrating to the C2 – everything typed by the user. keylogger in action ----- Keylogger directory AVE_MARIA offers a wide range of features: **Privilege Escalation, support from Windows 7 to Windows 10** Persistence Code Injection Offline Keylogger Camera Exfiltration Processes Management: enumeration, termination File Management: creation, download, exfiltration, deletion Download and Execution RDP using rdpwrap Info-stealer support: Google Chrome Firefox Internet Explore Outlook Thunderbird Foxmail Cleanup We will analyse in more detail such capabilities in the next post. ----- ## C2 We have identified several domains used by the same vector, in fact different components use different C2 or drop zones to carry out their activities. Ave Maria Servers The dropped Lokibot sends POST requests to the following C2: ``` h**p://89.46.222.77/MaX/fre.php ``` **AVE_MARIA downloads several components (used to access passwords and to issue the** UPnP request) from the same server, we have noticed a consistent use of the following address in different campaigns: ``` h**p://5.206.225.104/dll/softokn3.dll h**p://5.206.225.104/dll/msvcp140.dll h**p://5.206.225.104/dll/mozglue.dll h**p://5.206.225.104/dll/vcruntime140.dll h**p://5.206.225.104/dll/freebl3.dll h**p://5.206.225.104/dll/nss3.dll ``` Last but not least, this is the dropurl used in the analyzed sample: ``` h**p://secured.icbegypt.com ``` That, at the time of writing this report, resolves to: ``` 89.46.223.202:80 ``` This URL is used by the exploit to download both AVE_MARIA payload and the Lokibot executables. Curiously, this same domain is also delivering another malware via Word Documents and HTA Files, in this case it appears to be FORMBOOK as confirmed also by an independent researcher on Twitter. ----- FORMBOOK Storyline 2 different formbook campaigns so far today. Both using same site [https://t.co/XMCPldsB2n](https://t.co/XMCPldsB2n) [https://t.co/Hf8Sd90BpE](https://t.co/Hf8Sd90BpE) [pic.twitter.com/8jRZhqO8Zf](https://t.co/8jRZhqO8Zf) [— My Online Security (@dvk01uk) March 29, 2019](https://twitter.com/dvk01uk/status/1111567009844740097?ref_src=twsrc%5Etfw) In order to achieve communication with the attacker, AVE_MARIA relies on a dynamic DNS service: ``` h**p://maxibrainz.warzonedns.com:2580 ``` That currently resolves to: ``` 91.192.100.61:2580 ``` We have identified this domain in other campaigns and we will provide more information in the next post. ## Conclusions The analysis presented shows that AVE_MARIA is not just an info-stealer, in fact it comes with different capabilities beyond those of an info-stealer and it also appears to work in conjunction with other threats, such as in this case Lokibot. In the next post we will provide further details on how AVE_MARIA operates… and more. ## Mitre ATT&CK **_ID_** **_Tecnique_** **_Tactics_** ----- **T1036** Masquerading Defense Evasion **T1105** Remote File Copy Command And Control, Lateral Movement **T1043** Commonly Used Port Command And Control **T1060** Registry Run Keys Persistence **T1057** Process Discovery Discovery **T1065** Uncommonly Used Port Command And Control **T1088** Bypass User Access Control Defense Evasion, Privilege Escalation **T1086** Powershell Execution **T1106** Execution through API Execution **T1055** Process Injection Defense Evasion, Privilege Escalation **T1089** Disabling Security Tools Defense Evasion **T1076** Remote Desktop Protocol Lateral Movement **T1022** Data Encrypted Exfiltration ## IOCs **_IOC_** **_Description_** **baaa65730d47c21a56bfcdfaced6b888b9590a96e1fd19df9c18115c0b8d1747** _Spear-_ _phishing_ _document_ **003fd2404d515bf67c01f632014179414c8f28cfefd18fb5453c05e058825b0e** _Ave_Maria_ _executable_ **2fb2005c600243c020a5282cb20f5e5d58cd97fb1a87efb72c7e0641613be292** _Lokibot_ _executable_ **fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c** _Privesc Dll_ _dismcore.dll_ **0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9** _upnp.exe_ _(RDP)_ _executable_ **47745440509f8a374c7ce8c0c8b85213b1a40e2b86dc2cd77cb254426e1e2c7c** _hta file_ _(Formbook)_ ----- **c4e474e869076cbf955d57568015fe56732e0b3af1592f03e023063ac2875030** _Formbook_ _executable_ **secured.icbegypt.com** _drop url_ **89.46.223.202** _drop ip_ **maxibrainz.warzonedns.com:2580** _AVE_MARIA_ _C2 domain_ **91.192.100.61:2580** _AVE_MARIA_ _C2 ip_ **89.46.222.77/MaX/fre.php** _Lokibot C2_ **5.206.225.104** _AVE_MARIA_ _components_ _drop ip_ -----