Several public reports[1][2] of a malware family often referred to as AVE_MARIA were made in January 2019. Yoroi, an Internet research company, says the malware sample analyzed for their report[2] contains “AVE_MARIA”, and uses that string as a “hello message” for the malware controller. Also, in a Twitter thread[3] about similar malware, a researcher asked that it be called AVE_MARIA.
Here, we review the sample reported by Yoroi and the sample reported by the Twitter account @dvk01uk. We see similarities within the two samples and have found more samples within the AVE_MARIA family. We also discuss AVE_MARIA’s origins and ties to WARZONE RAT.
We include indicator of compromise (IOC) data for several versions of WARZONE RAT.
Key Findings
AVE_MARIA is a Remote Administration Tool (RAT) offering marketed as WARZONE RAT on hacker forums and on the Web
WARZONE RAT is only available as a one- or three-month subscription
The same persona selling WARZONE RAT also promotes a free dynamic DNS service, warzonedns[.]com
Analysis
Yoroi Sample
Yoroi shows the SHA256 hash[4] (81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1) of one file they called the “AveMaria payload”, and one domain, anglekeys.warzonedns[.]com, for a command and control (C2) server. Our malware sandboxing confirms this behavior. Yoroi’s analysis and our own show the malware failing to establish a connection to the C2.
We see several possible IOCs from our sandbox runs and show them below in Table 1:
IOC Type | IOC Value
--- | ---
Folder Created | C:\Program Files\Microsoft DN1
DNSRR | anglekeys.warzonedns[.]com
AV Signature | Win32/Agent.TJS
Imphash[5] | c50d3ead02fdb1258e5784f492356fac

Table 1: Ave_Maria IOCs (from Yoroi seed sample)
@dvk01uk Sample
Twitter user @dvk01uk[6] reports a malware sample that exhibits similar behavior to the one Yoroi later blogged about. @JR0driguezB replied[7], linking to the VirusTotal output[8] of that payload, and suggested this malware family be called AVE_MARIA[9]. @James_inthe_box replied[10] with output showing the AVE_MARIA string, as shown in Figure 1.
Figure 1 (arrow added): Original: https://twitter.com/James_inthe_box/status/1069971854591291393
We see several possible IOCs from our sandbox runs and show them below in Table 2:
IOC Type | IOC Value
--- | ---
Folder Created | C:\Program Files\Microsoft DN1
AV Signature | Win32/Agent.TJS
Imphash[11] | 015cbad4c651a0c58f740df6ad080f91

Table 2: Ave_Maria IOCs from b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4
There are many overlaps (folder, AV signature, and presence of the string AVE_MARIA) between the Yoroi sample and the @dvk01uk sample. We assess with high confidence that these malware samples are from the same family.
warzonedns[.]com
When looking through our malware holdings for AVE_MARIA samples, we see many using the domain warzonedns[.]com[12].
We see over 4,500 malware samples making DNS queries for hostnames within warzonedns[.]com[13]. Of these malware samples, over 75% contained a key IOC[14] for AVE_MARIA.
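The defender's counterpart of that observation is a DNS-log check for query names under the DDNS zone. The following is an added example written for this page, not code from the report or from any of the researchers it cites. The log format and client addresses are constructed, and the zone is written in its real (un-defanged) form because suffix matching has to run on real query names. The match respects label boundaries, so look-alikes such as notwarzonedns[.]com or warzonedns[.]com.evil.example do not match, and it tolerates the case differences and trailing root dot that DNS telemetry commonly carries.

```python
"""Flag DNS queries for hostnames under a watched dynamic-DNS zone.

Added example, not code from the report. The zone is the DDNS service the
report names; the log lines and client addresses are constructed.
"""
from collections import defaultdict

# Real (un-defanged) zone name, since matching runs on real query names.
WATCHED_ZONES = ("warzonedns.com",)

# Constructed sample telemetry in a simple "timestamp client qname qtype" shape.
SAMPLE_LOG = """\
2019-07-23T10:00:01Z 10.0.0.5 anglekeys.warzonedns.com. A
2019-07-23T10:00:02Z 10.0.0.5 notwarzonedns.com. A
2019-07-23T10:00:03Z 10.0.0.7 WARZONEDNS.COM A
2019-07-23T10:00:04Z 10.0.0.9 update.example.net. A
2019-07-23T10:00:05Z 10.0.0.7 rat.Warzonedns.com. A
2019-07-23T10:00:06Z 10.0.0.5 warzonedns.com.evil.example A
"""


def normalize_qname(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def in_zone(qname, zone):
    """True if qname is the zone apex or a subdomain of it (label boundary respected)."""
    q = normalize_qname(qname)
    z = normalize_qname(zone)
    return q == z or q.endswith("." + z)


def parse_line(line):
    """Split one constructed log line into a record; None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": normalize_qname(qname), "qtype": qtype}


def find_zone_queries(log_text, zones=WATCHED_ZONES):
    """Return hits: the record plus the matched zone and the labels below it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for zone in zones:
            if in_zone(rec["qname"], zone):
                z = normalize_qname(zone)
                # Strip the zone suffix to isolate the operator-chosen DDNS label(s).
                sub = "" if rec["qname"] == z else rec["qname"][: -len(z)].rstrip(".")
                hits.append({**rec, "zone": z, "subdomain": sub})
    return hits


def clients_by_subdomain(hits):
    """Group querying clients per DDNS hostname; each label is one C2 name to pivot on."""
    groups = defaultdict(set)
    for h in hits:
        groups[h["subdomain"] or "(apex)"].add(h["client"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for sub, clients in clients_by_subdomain(find_zone_queries(SAMPLE_LOG)).items():
        print(f"{sub}: {', '.join(clients)}")
```

Run against real resolver or EDR DNS logs, the subdomain grouping is what turns a zone-level alert into per-campaign pivots: each DDNS label (anglekeys in the Yoroi sample) is one operator's C2 name.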
Warzone DDNS
Web searches for warzonedns[.]com show a post on the popular hacker forum HackForums. The post (shown in Figure 2) says warzonedns[.]com is a free Dynamic DNS (DDNS) service allowing new users to register with only a username and password. This post also says they “will not ban any users/subdomains”.
Figure 2: HackForums Post Announcing WarzoneDNS[.]com DDNS Service
‘Solmyr’ posted this with a description of ‘WARZONE RAT’. The banner at the bottom of this post advertises a “Remote Administration Tool” (RAT) which leads to another forum post on HackForums – a sales thread for WARZONE RAT.
Warzone RAT
‘Solmyr’ also posted the initial HackForums post advertising WARZONE RAT[15] (shown in Figure 3).
Figure 3: Sales thread for WARZONE RAT on HackForums
Later within the same thread, responding to questions about AntiVirus (AV) detection, Solmyr shared this post (shown in Figure 4), containing a link to a service that performs AV scans.
Figure 4: Author post for WARZONE RAT on HackForums
Figure 5: Results from scanmybin[.]net for WARZONE RAT
We do not have the sample from the “scanmybin[.]net” results shown in Figure 5. We do see over 200 samples matching the imphash. Some of the samples related by imphash also show IOCs mentioned above.
As of 2019-07-24, HackForums shows 192 completed sales of Warzone RAT via their service. Note that the seller also sells via their Web site, and may sell via other forums as well. Appendix A contains supporting data for the HackForums sales.
AVE_MARIA is WARZONE RAT
While the file with the MD5 checksum from Figure 5 was not found, a search found over 200 files with that same Imphash (d3ff663beb2af406701e3b4be6a9207a). Many of these have the same compilation timestamp[16]: 2018-09-30 03:49:17.
These samples contain an interesting PE resource, shown in Figure 6:
Figure 6: PE resource within samples sharing same Imphash as the WARZONE RAT.
This is also present in the “AveMaria payload” from the Yoroi blog post[17], and appears in their “Indicator of Compromise” table. Multiple AV vendors confirm that this executable (stored as a PE resource in AVE_MARIA samples) is a UAC bypass[18].
Another Clue
Taking a look at a WARZONE RAT version 1.51 sample shows the usual AVE_MARIA strings and some interesting additions (Figure 7):
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
%u.%u.%u.%u
AVE_MARIA
…
Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
MaxConnectionsPerServer
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/softokn3.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/msvcp140.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/mozglue.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/vcruntime140.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/freebl3.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/nss3.dll
…
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
…
Hey I’m Admin
Figure 7: Selected Strings Seen in WARZONE RAT Version 1.51 Sample
Unfortunately, the ‘solmyr1’ github account is no longer active.
@P3pperP0tts tweeted[19] these same findings (Figure 8):
Figure 8: Screenshot of Twitter Post Tying ‘solmyr1’ and AVE_MARIA
The WARZONE RAT version 1.60 sample shows the AVE_MARIA string but adds ‘warzone160’ and updates the library URLs (Figure 9):
warzone160
…
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
%u.%u.%u.%u
AVE_MARIA
…
\Google\Chrome\User Data\Default\Login Data
Software\Microsoft\Windows\CurrentVersion\App Paths\
hXXp://warzonedns[.]com/dll/softokn3.dll
hXXp://warzonedns[.]com/dll/msvcp140.dll
hXXp://warzonedns[.]com/dll/mozglue.dll
hXXp://warzonedns[.]com/dll/vcruntime140.dll
hXXp://warzonedns[.]com/dll/freebl3.dll
hXXp://warzonedns[.]com/dll/nss3.dll
…
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
…
Hey I’m Admin
Figure 9: Selected Strings Seen in WARZONE RAT Version 1.60 Sample
Versions up to 1.88 still contain the same ‘warzone160’ string.
The DLL URLs observed are still available via warzonedns[.]com (as of 23 July 2019). What we grabbed were legitimate (clean) files: four from Mozilla (all related to Thunderbird) and two from Microsoft.
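The string sets in Figures 7 and 9 suggest a simple triage scanner. The block below is an added example, not code from the report; the byte blob it scans is constructed, and the version heuristics encode only what the report states (the 'warzone160' tag appears in 1.60 and persists through 1.88; the 1.51 sample staged DLLs from the 'solmyr1' GitHub account, 1.60 and later from warzonedns[.]com). Strings in Windows binaries are frequently stored as UTF-16LE, so each marker is searched in both encodings, which goes slightly beyond the printed strings the report shows. Markers are written in their real form so they match file contents.

```python
"""Scan a byte buffer for the marker strings the report ties to AVE_MARIA / WARZONE RAT.

Added example, not code from the report. SAMPLE_BLOB is constructed; the markers are
the report's own strings, un-defanged so they match real file contents.
"""

MARKERS = {
    "ave_maria_hello": "AVE_MARIA",
    "warzone160_tag": "warzone160",
    "uac_elevation_moniker": "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}",
    "dll_stage_github": "github.com/solmyr1/nothingtoseehere/raw/master/",
    "dll_stage_warzonedns": "warzonedns.com/dll/",
}


def encodings_of(text):
    """A marker may sit in the binary as narrow (ASCII) or wide (UTF-16LE) text."""
    return {"ascii": text.encode("ascii"), "utf16le": text.encode("utf-16-le")}


def scan_blob(blob):
    """Return {marker_name: [(encoding, offset), ...]} for every marker occurrence."""
    found = {}
    for name, text in MARKERS.items():
        for enc, needle in encodings_of(text).items():
            start = 0
            while True:
                idx = blob.find(needle, start)
                if idx < 0:
                    break
                found.setdefault(name, []).append((enc, idx))
                start = idx + 1
    return found


def classify(found):
    """Apply the report's observations to the scan result.

    The hello string identifies the family. 'warzone160' was added in 1.60 and is
    still present up to 1.88, so it marks a 1.60-or-later build. Absent that tag, the
    GitHub staging path points at the 1.51-era sample described in the report.
    """
    if "ave_maria_hello" not in found:
        return None
    if "warzone160_tag" in found:
        return "AVE_MARIA / WARZONE RAT, build 1.60 or later (warzone160 tag)"
    if "dll_stage_github" in found:
        return "AVE_MARIA / WARZONE RAT, 1.51-era build (GitHub DLL staging)"
    return "AVE_MARIA / WARZONE RAT, version undetermined"


# Constructed blob: padding, a narrow hello string, then wide (UTF-16LE) URL, tag and moniker.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"AVE_MARIA\x00"
    + b"\x90" * 8
    + "http://warzonedns.com/dll/nss3.dll".encode("utf-16-le")
    + b"\x00\x00"
    + "warzone160".encode("utf-16-le")
    + b"\x00" * 4
    + "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}".encode("utf-16-le")
)


if __name__ == "__main__":
    hits = scan_blob(SAMPLE_BLOB)
    for name, places in hits.items():
        print(name, places)
    print(classify(hits))
```

Searching both encodings matters in practice: a narrow-only search would miss every wide string in the constructed blob above, and the same is true of the wide strings a real Windows binary tends to hold.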
Distinct Versions
‘Solmyr’ occasionally announces updates to WARZONE RAT on HackForums. Here are the dates and releases as posted in the sales thread on HackForums (Table 3):
Date | Version | Page #[20]
--- | --- | ---
2018-10-30 | 1.2 | 3
2018-11-21 | 1.30 | 8
2018-11-24 | 1.31 | 9
2018-12-02 | 1.40 | 14
2019-01-04 | 1.50 | 23
2019-01-11 | 1.51 | 29
2019-02-15 | 1.71 | 40
2019-02-21 | 1.80 | 43
2019-02-25 | 1.82 | 45
2019-03-14 | 1.84 | 49
2019-03-27 | 1.86 | 50
2019-03-27 | 1.87 | 51
2019-04-08 | 1.88 | 56
2019-05-05 | 1.90 | 63
2019-06-25 | 2.00 | 1[21]
2019-06-30 | 2.01 | 72

Table 3: WARZONE RAT Version Announcements on HackForums
We believe some versions of WARZONE RAT exist that were not announced on HackForums. Table 4 shows IOCs of WARZONE RAT and their possible corresponding version.
Ver | Imphash | Compile Time
--- | --- | ---
? | d3ff663beb2af406701e3b4be6a9207a | 2018-09-30 03:49:17
1.2 | 97894ad73734f29b380f736aa922a592 | 2018-10-30 02:27:25
? | 015cbad4c651a0c58f740df6ad080f91 | 2018-11-01 02:42:03
1.30? | 015cbad4c651a0c58f740df6ad080f91 | 2018-11-21 01:16:14
1.31? | 015cbad4c651a0c58f740df6ad080f91 | 2018-11-23 23:51:52
1.40 | c50d3ead02fdb1258e5784f492356fac | 2018-12-02 04:09:28
1.50? | 9498392a50093cfce05cc96184882304 | 2019-01-02 12:34:58
1.51 | 8d75bab5909750c32ca321ba486edee2 | 2019-01-11 14:56:29
1.60 | 7e06210784164fa4f1df227ba4c37228 | 2019-02-14 22:08:32
1.61 | b0431412af88ba4390506a2af2010d1e | 2019-02-17 02:51:27
1.80 | c2ac33820b594dbbf354d8aa48a30ce1 | 2019-02-21 00:19:31
1.82 | b76aafdc988ade2ab3db3b02fa4c6d00 | 2019-02-25 03:59:58
1.84? | b76aafdc988ade2ab3db3b02fa4c6d00 | 2019-03-13 00:37:27
1.86? | 100e939005818c50742e10f759ff18a1 | 2019-03-24 22:36:15
1.87? | 100e939005818c50742e10f759ff18a1 | 2019-03-27 19:41:00
1.88 | 4747c70adc127d28c18f0f7237b1add9 | 2019-04-08 09:57:03
1.89? | 4747c70adc127d28c18f0f7237b1add9 | 2019-04-13 00:01:53
1.90 | b1c0ebdc2ad8802c6b2c2a7f1b316754 | 2019-05-04 23:48:24
2.0? | 50211447dd17c777c9d52f2415fe6fac | 2019-05-23 01:47:23

Table 4: AVE_MARIA Versions and IOCs
Question-marked entries we grade as medium confidence of being a distinct version and low confidence of the exact version number. For all others, we assess the data points with medium-to-high confidence.
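Table 4 keys on two artefacts a responder can pull from a file offline: the COFF TimeDateStamp and the imphash. The block below is an added example, not the report's tooling. It reads the timestamp straight from the PE header (the 32-bit e_lfanew at offset 0x3C points at the 'PE\0\0' signature, and TimeDateStamp sits 8 bytes after that signature, per the COFF File Header layout cited at [16]), then matches the (imphash, compile time) pair against Table 4 while carrying the report's confidence grades: question-marked rows return low confidence, and an imphash that appears in several rows without a matching timestamp returns the candidate set rather than a guess. Imphash computation needs the import table and a library such as pefile, so the imphash is taken as an input string here; the minimal PE header that build_min_pe produces is constructed for exercising the parser and is not an executable.

```python
"""Extract the PE compile timestamp and match (imphash, compile time) against Table 4.

Added example, not code from the report. VERSION_TABLE is Table 4 as printed;
build_min_pe constructs a header-only buffer for testing, not a runnable image.
"""
import struct
from datetime import datetime, timezone

# Table 4: (version label, imphash, compile time). '?' marks the report's
# low-confidence version numbers; a bare '?' is a distinct but unnamed build.
VERSION_TABLE = [
    ("?",     "d3ff663beb2af406701e3b4be6a9207a", "2018-09-30 03:49:17"),
    ("1.2",   "97894ad73734f29b380f736aa922a592", "2018-10-30 02:27:25"),
    ("?",     "015cbad4c651a0c58f740df6ad080f91", "2018-11-01 02:42:03"),
    ("1.30?", "015cbad4c651a0c58f740df6ad080f91", "2018-11-21 01:16:14"),
    ("1.31?", "015cbad4c651a0c58f740df6ad080f91", "2018-11-23 23:51:52"),
    ("1.40",  "c50d3ead02fdb1258e5784f492356fac", "2018-12-02 04:09:28"),
    ("1.50?", "9498392a50093cfce05cc96184882304", "2019-01-02 12:34:58"),
    ("1.51",  "8d75bab5909750c32ca321ba486edee2", "2019-01-11 14:56:29"),
    ("1.60",  "7e06210784164fa4f1df227ba4c37228", "2019-02-14 22:08:32"),
    ("1.61",  "b0431412af88ba4390506a2af2010d1e", "2019-02-17 02:51:27"),
    ("1.80",  "c2ac33820b594dbbf354d8aa48a30ce1", "2019-02-21 00:19:31"),
    ("1.82",  "b76aafdc988ade2ab3db3b02fa4c6d00", "2019-02-25 03:59:58"),
    ("1.84?", "b76aafdc988ade2ab3db3b02fa4c6d00", "2019-03-13 00:37:27"),
    ("1.86?", "100e939005818c50742e10f759ff18a1", "2019-03-24 22:36:15"),
    ("1.87?", "100e939005818c50742e10f759ff18a1", "2019-03-27 19:41:00"),
    ("1.88",  "4747c70adc127d28c18f0f7237b1add9", "2019-04-08 09:57:03"),
    ("1.89?", "4747c70adc127d28c18f0f7237b1add9", "2019-04-13 00:01:53"),
    ("1.90",  "b1c0ebdc2ad8802c6b2c2a7f1b316754", "2019-05-04 23:48:24"),
    ("2.0?",  "50211447dd17c777c9d52f2415fe6fac", "2019-05-23 01:47:23"),
]


def pe_compile_time(data):
    """Return the COFF TimeDateStamp as 'YYYY-MM-DD HH:MM:SS' (UTC), or None if not a PE.

    Layout: 'MZ' at 0, e_lfanew (uint32 LE) at 0x3C, then 'PE\\0\\0' followed by
    Machine(2), NumberOfSections(2), TimeDateStamp(4), ... in the COFF header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def match_version(imphash, compile_time):
    """Match on imphash first (several builds share one), then narrow by compile time.

    Returns (version, confidence) or None when the imphash is not in the table.
    """
    by_hash = [row for row in VERSION_TABLE if row[1] == imphash.lower()]
    if not by_hash:
        return None
    exact = [row for row in by_hash if row[2] == compile_time]
    if exact:
        ver = exact[0][0]
        if ver == "?":
            return ("unknown (distinct build)", "low")
        if ver.endswith("?"):
            return (ver[:-1], "low")
        return (ver, "medium-high")
    # Known imphash, unseen timestamp: report the candidate set, not a specific version.
    return ("one of " + ", ".join(r[0] for r in by_hash), "low")


def build_min_pe(stamp_utc):
    """Constructed header-only PE buffer (DOS header + COFF header) for testing the parser."""
    ts = int(datetime.strptime(stamp_utc, "%Y-%m-%d %H:%M:%S")
             .replace(tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    # Signature 'PE\0\0', Machine=i386, 3 sections, TimeDateStamp, symbol fields,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE).
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 3, ts, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + coff


if __name__ == "__main__":
    sample = build_min_pe("2018-12-02 04:09:28")
    when = pe_compile_time(sample)
    print(when, match_version("c50d3ead02fdb1258e5784f492356fac", when))
```

The imphash-first ordering reflects how the table actually behaves: 015cbad4c651a0c58f740df6ad080f91 covers three builds and b76aafdc988ade2ab3db3b02fa4c6d00 two, so the imphash alone only narrows to a candidate set, and the compile time is what picks the row. Compile timestamps are trivially forgeable, which is why the report itself grades these as IOCs with stated confidence rather than as proof of version.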
Solmyr
The HackForums user “Solmyr” claims to be the author of WARZONE RAT and provides support via:
HackForums (private message / forum thread)
Warzone[.]io Web site (warzone[.]io)
Discord (solmyr#4699)
Jabber (solmyr@xmpp.jp)
Skype (live:solmyr_12)
Email (solmyr[at]warzone[.]io)
Solmyr has a YouTube channel called WARZONE RAT[21].
Solmyr also posts on the nulled[.]io forums, offering WARZONE RAT: hXXps://www.nulled[.]to/topic/574717-x-warzone-rat-150-x-native-c-remote-administration-tool-get-ready-for-2019/
Indicators of Compromise
The IOC data for this report are too numerous to include here. Please see our github repo to access the full set of indicators of compromise.
References
[1] https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/
[2] https://blog.yoroi.company/research/the-ave_maria-malware/
[3] https://twitter.com/dvk01uk/status/1069963251021201409
[4] SHA256 hash of “AveMaria payload” from Yoroi blog post: 81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1
[5] Explanation of what Imphash is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
[6] https://twitter.com/dvk01uk/status/1069963251021201409
[7] https://twitter.com/JR0driguezB/status/1069968365723234305
[8] https://www.virustotal.com/en/file/b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4/analysis/1543934943/
[9] https://twitter.com/JR0driguezB/status/1069971250448089090
[10] https://twitter.com/James_inthe_box/status/1069971854591291393
[11] Explanation of what “Imphash” is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
[12] We defanged possible malicious domain names and URLs within this report to minimize accidental exposure of report viewers.
[13] The full list is available on our github repo.
[14] The folder C:\Program Files\Microsoft DN1 gets created during the sandbox operation.
[15] https://hackforums[.]net/showthread.php?tid=5897941
[16] https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#file-headers – under the sub-heading “COFF File Header (Object and Image)”
[17] https://www.virustotal.com/#/file/81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1/details
[18] https://www.virustotal.com/#/file/021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546/detection
[19] https://twitter.com/P3pperP0tts/status/1095477422877753344
[20] The page number within the sales thread in HackForums. For example, page 3 is accessible at hXXps://hackforums[.]net/showthread.php?tid=5897941&page=3
[21] https://www.youtube.com/channel/UCnJvHfkjlwL4YERWkuuykSw