Unmasking AVE_MARIA

Several public reports[1][2] of a malware family often referred to as AVE_MARIA were made in January 2019. Yoroi, an Internet research company, says the malware sample analyzed for their report[2] contains “AVE_MARIA”, and uses that string as a “hello message” for the malware controller. Also, in a Twitter thread[3] about similar malware, a researcher asked that it be called AVE_MARIA.

Here, we review the sample reported by Yoroi and the sample reported by the Twitter account @dvk01uk. We see similarities within the two samples and have found more samples within the AVE_MARIA family. We also discuss AVE_MARIA’s origins and ties to WARZONE RAT.

We include indicator of compromise (IOC) data for several versions of WARZONE RAT.

Key Findings

  • AVE_MARIA is a Remote Administration Tool (RAT) offering marketed as WARZONE RAT on hacker forums and on the Web
  • WARZONE RAT is only available as a one- or three-month subscription
  • The same persona selling WARZONE RAT also promotes a free dynamic DNS service, warzonedns[.]com

Analysis

Yoroi Sample

Yoroi shows the SHA256 hash[4] (81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1) of one file they called the “AveMaria payload”, and one domain, anglekeys.warzonedns[.]com, for a command and control (C2) server. Our malware sandboxing confirms this behavior. Yoroi’s analysis and our own show the malware failing to establish a connection to the C2.

We see several possible IOCs from our sandbox runs and show them below in Table 1:

IOC Type         IOC Value
Folder Created   C:\Program Files\Microsoft DN1
DNSRR            anglekeys.warzonedns[.]com
AV Signature     Win32/Agent.TJS
Imphash[5]       c50d3ead02fdb1258e5784f492356fac
Table 1: Ave_Maria IOCs (from Yoroi seed sample)

@dvk01uk Sample

Twitter user @dvk01uk[6] reported a malware sample that exhibits behavior similar to the one Yoroi later blogged about. @JR0driguezB replied[7], linking to the VirusTotal output[8] for that payload, and suggested this malware family be called AVE_MARIA[9]. @James_inthe_box replied[10] with output showing the AVE_MARIA string, as shown in Figure 1.

We see several possible IOCs from our sandbox runs and show them below in Table 2:

IOC Type         IOC Value
Folder Created   C:\Program Files\Microsoft DN1
AV Signature     Win32/Agent.TJS
Imphash[11]      015cbad4c651a0c58f740df6ad080f91
Table 2: Ave_Maria IOCs from b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4

There are many overlaps (folder, AV signature, and presence of the string AVE_MARIA) between the Yoroi sample and the @dvk01uk sample. We assess with high confidence that these malware samples are from the same family.

warzonedns[.]com

When looking through our malware holdings for AVE_MARIA samples, we see many using the domain, warzonedns[.]com[12].

We see over 4,500 malware samples making DNS queries for hostnames within warzonedns[.]com[13]. Of these malware samples, over 75% contained a key IOC[14] for AVE_MARIA.
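The triage described above (pivot on DDNS queries, then confirm with the host artifacts) can be reproduced over sandbox output. The following is an added example written for this article, not code from the original report: it refangs the defanged indicators quoted in the text, scores a sandbox report against the key IOCs (the created folder, the AVE_MARIA string, a query under warzonedns[.]com, and the later 'warzone160' marker), and computes the share of DDNS-querying samples that also carry the folder IOC. The sandbox reports and sample names are constructed placeholders; the report-dictionary layout is an assumption, not any sandbox vendor's format.

```python
import re

# Key IOCs quoted in the report, written defanged exactly as in the text.
KEY_FOLDER = "C:\\Program Files\\Microsoft DN1"
KEY_STRING = "AVE_MARIA"
DDNS_DOMAIN = "warzonedns[.]com"


def refang(indicator):
    """Turn the report's defanged notation (hXXp, [.]) back into a real value."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", "."), flags=re.IGNORECASE)


def under_domain(hostname, domain):
    """True when hostname equals domain or is a subdomain of it (not a lookalike)."""
    h, d = hostname.lower().rstrip("."), refang(domain).lower()
    return h == d or h.endswith("." + d)


def matched_iocs(report):
    """Return the set of IOC labels a single (assumed-format) sandbox report satisfies."""
    hits = set()
    if any(p.lower().rstrip("\\") == KEY_FOLDER.lower() for p in report["dirs_created"]):
        hits.add("folder")
    if KEY_STRING in report["strings"]:
        hits.add("string")
    if "warzone160" in report["strings"]:          # marker seen from version 1.60 onward
        hits.add("warzone160")
    if any(under_domain(q, DDNS_DOMAIN) for q in report["dns"]):
        hits.add("ddns")
    return hits


def is_ave_maria(report):
    """Require both host artifacts; a DDNS query alone is only a lead, since the
    service is free and open to anyone."""
    return {"folder", "string"} <= matched_iocs(report)


def ddns_overlap(reports):
    """(samples querying the DDNS domain, those of them that also show the folder IOC)."""
    queriers = [r for r in reports if "ddns" in matched_iocs(r)]
    with_key = [r for r in queriers if "folder" in matched_iocs(r)]
    return len(queriers), len(with_key)


# Constructed sandbox reports (placeholder names, not real sample hashes).
SAMPLE_REPORTS = [
    {"name": "sample-A", "dns": ["anglekeys.warzonedns.com"],
     "dirs_created": ["C:\\Program Files\\Microsoft DN1"],
     "strings": ["AVE_MARIA", "%u.%u.%u.%u"]},
    {"name": "sample-B", "dns": ["host2.warzonedns.com"],
     "dirs_created": ["C:\\Users\\Public\\tmp"], "strings": ["hello"]},
    {"name": "sample-C", "dns": ["update.example.net"],
     "dirs_created": ["C:\\Program Files\\Microsoft DN1\\"],
     "strings": ["AVE_MARIA", "warzone160"]},
    {"name": "sample-D", "dns": ["x.warzonedns.com", "notwarzonedns.com"],
     "dirs_created": ["C:\\PROGRAM FILES\\Microsoft DN1"],
     "strings": ["AVE_MARIA"]},
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r["name"], sorted(matched_iocs(r)), "AVE_MARIA" if is_ave_maria(r) else "-")
    print("DDNS queriers / with folder IOC:", ddns_overlap(SAMPLE_REPORTS))
```

The domain check deliberately matches only the apex and its subdomains, so a lookalike such as notwarzonedns.com does not count; path and case normalisation handle the trailing backslash and mixed case that sandboxes commonly emit.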

Warzone DDNS

Web searches for warzonedns[.]com show a post on the popular hacker forum HackForums. The post (shown in Figure 2) says warzonedns[.]com is a free Dynamic DNS (DDNS) service allowing new users to register with only a username and password. This post also says they “will not ban any users/subdomains”.

Figure 2: HackForums Post Announcing WarzoneDNS[.]com DDNS Service

‘Solmyr’ posted this with a description of ‘WARZONE RAT’. The banner at the bottom of this post advertises a “Remote Administration Tool” (RAT) which leads to another forum post on HackForums – a sales thread for WARZONE RAT.

Warzone RAT

‘Solmyr’ also posted the initial HackForums post advertising WARZONE RAT[15] (shown in Figure 3).

Figure 3: Sales thread for WARZONE RAT on HackForums

Later within the same thread, responding to questions about AntiVirus (AV) detection, Solmyr shared this post (shown in Figure 4), containing a link to a service that performs AV scans.

Figure 4: Author post for WARZONE RAT on HackForums

The link to the scanmybin[.]net results from Figure 4 returned data shown in Figure 5:

Figure 5: Results from scanmybin[.]net for WARZONE RAT

We do not have the sample from the “scanmybin[.]net” results shown in Figure 5. We do see over 200 samples matching the imphash. Some of the samples related by imphash also show IOCs mentioned above.

As of 2019-07-24, HackForums shows 192 completed sales of Warzone RAT via their service. Note that the seller also sells via their Web site, and may sell via other forums as well. Appendix A contains supporting data for the HackForums sales.

AVE_MARIA is WARZONE RAT

While the file with the MD5 checksum from Figure 5 was not found, a search found over 200 files with that same Imphash (d3ff663beb2af406701e3b4be6a9207a). Many of these have the same compilation timestamp[16]: 2018-09-30 03:49:17.

These samples contain an interesting PE resource, shown in Figure 6:

Figure 6: PE resource within samples sharing same Imphash as the WARZONE RAT.

This is also present in the “AveMaria payload” from the Yoroi blog post[17], and appears in their “Indicator of Compromise” table. Multiple AV vendors confirm that this executable (stored as a PE resource in AVE_MARIA samples) is a UAC bypass[18].

Another Clue

Taking a look at a WARZONE RAT version 1.51 sample shows the usual AVE_MARIA strings and some interesting additions (Figure 7):

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
%u.%u.%u.%u
AVE_MARIA

Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
MaxConnectionsPerServer
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/softokn3.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/msvcp140.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/mozglue.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/vcruntime140.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/freebl3.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/nss3.dll

Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}

Hey I’m Admin
Figure 7: Selected Strings Seen in WARZONE RAT Version 1.51 Sample

Unfortunately, the ‘solmyr1’ github account is no longer active.

@P3pperP0tts tweeted[19] these same findings (Figure 8):

Figure 8: Screenshot of Twitter Post Tying ‘solmyr1’ and AVE_MARIA

The WARZONE RAT version 1.60 sample shows the AVE_MARIA string but adds ‘warzone160’ and updates the library URLs (Figure 9):

warzone160

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
%u.%u.%u.%u
AVE_MARIA

\Google\Chrome\User Data\Default\Login Data
Software\Microsoft\Windows\CurrentVersion\App Paths\
hXXp://warzonedns[.]com/dll/softokn3.dll
hXXp://warzonedns[.]com/dll/msvcp140.dll
hXXp://warzonedns[.]com/dll/mozglue.dll
hXXp://warzonedns[.]com/dll/vcruntime140.dll
hXXp://warzonedns[.]com/dll/freebl3.dll
hXXp://warzonedns[.]com/dll/nss3.dll

Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}

Hey I’m Admin
Figure 9: Selected Strings Seen in WARZONE RAT Version 1.60 Sample

Versions up to 1.88 still contain the same ‘warzone160’ string.

The DLL URLs observed are still available via warzonedns[.]com (as of 23 July 2019). What we grabbed were legitimate (clean) files; four from Mozilla (all related to Thunderbird) and two from Microsoft.

Distinct Versions

‘Solmyr’ occasionally announces updates to WARZONE RAT on HackForums. Here are the dates and releases as posted in the sales thread on HackForums (Table 3):

Date         Version   Page #[20]
2018-10-30   1.2       3
2018-11-21   1.30      8
2018-11-24   1.31      9
2018-12-02   1.40      14
2019-01-04   1.50      23
2019-01-11   1.51      29
2019-02-15   1.71      40
2019-02-21   1.80      43
2019-02-25   1.82      45
2019-03-14   1.84      49
2019-03-27   1.86      50
2019-03-27   1.87      51
2019-04-08   1.88      56
2019-05-05   1.90      63
2019-06-25   2.00      1[21]
2019-06-30   2.01      72
Table 3: WARZONE RAT Version Announcements on HackForums

We believe some versions of WARZONE RAT exist that were not announced on HackForums. Table 4 shows IOCs of WARZONE RAT and their possible corresponding version.

Ver      Imphash                            Compile Time
?        d3ff663beb2af406701e3b4be6a9207a   2018-09-30 03:49:17
1.2      97894ad73734f29b380f736aa922a592   2018-10-30 02:27:25
?        015cbad4c651a0c58f740df6ad080f91   2018-11-01 02:42:03
1.30?    015cbad4c651a0c58f740df6ad080f91   2018-11-21 01:16:14
1.31?    015cbad4c651a0c58f740df6ad080f91   2018-11-23 23:51:52
1.40     c50d3ead02fdb1258e5784f492356fac   2018-12-02 04:09:28
1.50?    9498392a50093cfce05cc96184882304   2019-01-02 12:34:58
1.51     8d75bab5909750c32ca321ba486edee2   2019-01-11 14:56:29
1.60     7e06210784164fa4f1df227ba4c37228   2019-02-14 22:08:32
1.61     b0431412af88ba4390506a2af2010d1e   2019-02-17 02:51:27
1.80     c2ac33820b594dbbf354d8aa48a30ce1   2019-02-21 00:19:31
1.82     b76aafdc988ade2ab3db3b02fa4c6d00   2019-02-25 03:59:58
1.84?    b76aafdc988ade2ab3db3b02fa4c6d00   2019-03-13 00:37:27
1.86?    100e939005818c50742e10f759ff18a1   2019-03-24 22:36:15
1.87?    100e939005818c50742e10f759ff18a1   2019-03-27 19:41:00
1.88     4747c70adc127d28c18f0f7237b1add9   2019-04-08 09:57:03
1.89?    4747c70adc127d28c18f0f7237b1add9   2019-04-13 00:01:53
1.90     b1c0ebdc2ad8802c6b2c2a7f1b316754   2019-05-04 23:48:24
2.0?     50211447dd17c777c9d52f2415fe6fac   2019-05-23 01:47:23
Table 4: AVE_MARIA Versions and IOCs

Question-marked entries we grade as medium confidence of being a distinct version and low confidence of the exact version number. For all others, we assess the data points with medium-to-high confidence.
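Table 4 keys on two PE-derived values, the Imphash[5] and the COFF compile timestamp[16], and several rows share one Imphash while differing only in timestamp. The block below is an added example written for this article, not the report's own tooling: it implements the import-hash computation as FireEye describes it (lowercased "dll.symbol" pairs in import order, extension stripped, MD5 over the comma-joined list; unlike pefile it does not map well-known ordinals back to names), reads the TimeDateStamp from a PE header, and groups a subset of Table 4 by Imphash to show where the timestamp is needed as a second key. The PE bytes are a constructed header stub, not an executable, and the import lists are illustrative.

```python
import hashlib
import struct
from collections import defaultdict
from datetime import datetime, timezone


def imphash(imports):
    """Import hash: MD5 over 'dll.symbol' pairs in import-table order.
    imports is a list of (dll_name, symbol); symbol is a str name or an int ordinal."""
    parts = []
    for dll, sym in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):       # extensions the scheme strips
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        name = "ord%d" % sym if isinstance(sym, int) else sym.lower()
        parts.append("%s.%s" % (dll, name))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def coff_timestamp(pe_bytes):
    """Read the COFF TimeDateStamp (Table 4's 'Compile Time') from PE file bytes."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_stub_pe(stamp):
    """Constructed MZ/PE header (not a loadable executable) carrying the given stamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after DOS header
    # i386, one section, stamp, no symbols, no optional header, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


# Subset of Table 4 from the report: (version, imphash, compile time).
TABLE4 = [
    ("?",     "015cbad4c651a0c58f740df6ad080f91", "2018-11-01 02:42:03"),
    ("1.30?", "015cbad4c651a0c58f740df6ad080f91", "2018-11-21 01:16:14"),
    ("1.31?", "015cbad4c651a0c58f740df6ad080f91", "2018-11-23 23:51:52"),
    ("1.40",  "c50d3ead02fdb1258e5784f492356fac", "2018-12-02 04:09:28"),
    ("1.82",  "b76aafdc988ade2ab3db3b02fa4c6d00", "2019-02-25 03:59:58"),
    ("1.84?", "b76aafdc988ade2ab3db3b02fa4c6d00", "2019-03-13 00:37:27"),
]


def versions_sharing_imphash(rows):
    """Map each imphash to the versions it covers. More than one version per hash
    means the import table did not change between builds, so the hash alone cannot
    separate them and the compile timestamp has to serve as the second key."""
    groups = defaultdict(list)
    for ver, ih, _stamp in rows:
        groups[ih].append(ver)
    return dict(groups)


if __name__ == "__main__":
    # Illustrative import list, not taken from any sample.
    demo_imports = [("KERNEL32.dll", "LoadLibraryA"), ("ws2_32.dll", 1)]
    print("imphash:", imphash(demo_imports))
    print("compile time:", coff_timestamp(build_stub_pe(1538279357)))
    for ih, vers in versions_sharing_imphash(TABLE4).items():
        print(ih, "->", ", ".join(vers))
```

Because the Imphash only changes when the import table changes, a point release that touches no imports keeps the previous hash; that is exactly why Table 4 pairs it with the compile timestamp and why question-marked rows are graded lower.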

Solmyr

The HackForums user “Solmyr” claims to be the author of WARZONE RAT and provides support via:

  • HackForums (private message / forum thread)
  • Warzone[.]io Web site (warzone[.]io)
  • Discord (solmyr#4699)
  • Jabber (solmyr@xmpp.jp)
  • Skype (live:solmyr_12)
  • Email (solmyr[at]warzone[.]io)

Solmyr has a YouTube channel called WARZONE RAT[21].

Solmyr also posts on the nulled[.]io forums, offering WARZONE RAT: hXXps://www.nulled[.]to/topic/574717-x-warzone-rat-150-x-native-c-remote-administration-tool-get-ready-for-2019/

Indicators of Compromise

The IOC resources for this story are too numerous to include here. Please see our github repo to access the indicators of compromise.

References

  1. https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/
  2. https://blog.yoroi.company/research/the-ave_maria-malware/
  3. https://twitter.com/dvk01uk/status/1069963251021201409
  4. SHA256 hash of “AveMaria payload” from Yoroi blog post: 81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1
  5. Explanation of what Imphash is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
  6. https://twitter.com/dvk01uk/status/1069963251021201409
  7. https://twitter.com/JR0driguezB/status/1069968365723234305
  8. https://www.virustotal.com/en/file/b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4/analysis/1543934943/
  9. https://twitter.com/JR0driguezB/status/1069971250448089090
  10. https://twitter.com/James_inthe_box/status/1069971854591291393
  11. Explanation of what “Imphash” is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
  12. We defanged possible malicious domain names and URLs within this report to minimize accidental exposure of report viewers.
  13. The full list is available on our github repo.
  14. The folder C:\Program Files\Microsoft DN1 gets created during the sandbox operation.
  15. hXXps://hackforums[.]net/showthread.php?tid=5897941
  16. https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#file-headers – under the sub-heading “COFF File Header (Object and Image)”
  17. https://www.virustotal.com/#/file/81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1/details
  18. https://www.virustotal.com/#/file/021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546/detection
  19. https://twitter.com/P3pperP0tts/status/1095477422877753344
  20. The page number within the sales thread in HackForums. For example, page 3 is accessible at hXXps://hackforums[.]net/showthread.php?tid=5897941&page=3
  21. https://www.youtube.com/channel/UCnJvHfkjlwL4YERWkuuykSw
