
Unmasking AVE_MARIA


Several public reports[1][2] of a malware family often referred to as AVE_MARIA were made in January 2019. Yoroi, an Internet research company, says the malware sample analyzed for their report[2] contains “AVE_MARIA”, and uses that string as a “hello message” for the malware controller. Also, in a Twitter thread[3] about similar malware, a researcher asked that it be called AVE_MARIA.


Here, we review the sample reported by Yoroi and the sample reported by the Twitter account @dvk01uk. We see similarities within the two samples and have found more samples within the AVE_MARIA family. We also discuss AVE_MARIA’s origins and ties to WARZONE RAT.


We include indicator of compromise (IOC) data for several versions of WARZONE RAT.


Key Findings

  • AVE_MARIA is a Remote Administration Tool (RAT) offering marketed as WARZONE RAT on hacker forums and on the Web

  • WARZONE RAT is only available as a one- or three-month subscription

  • The same persona selling WARZONE RAT also promotes a free dynamic DNS service, warzonedns[.]com

Analysis

Yoroi Sample


Yoroi shows the SHA256 hash[4] (81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1) of one file they called the “AveMaria payload” and one domain, anglekeys.warzonedns[.]com, for a command and control (C2) server. Our malware sandboxing confirms this behavior. Both Yoroi’s analysis and our own show the malware failing to establish a connection to the C2.


We see several possible IOCs from our sandbox runs and show them below in Table 1:



IOC Type        IOC Value
Folder Created  C:\Program Files\Microsoft DN1
DNSRR           anglekeys.warzonedns[.]com
AV Signature    Win32/Agent.TJS
Imphash[5]      c50d3ead02fdb1258e5784f492356fac

Table 1: Ave_Maria IOCs (from Yoroi seed sample)

@dvk01uk Sample


Twitter user @dvk01uk[6] reported a malware sample that exhibits behavior similar to the one Yoroi later blogged about. @JR0driguezB replied[7], linking to the VirusTotal output[8] for that payload, and suggested this malware family be called AVE_MARIA[9]. @James_inthe_box replied[10] with output showing the AVE_MARIA string, as shown in Figure 1.



We see several possible IOCs from our sandbox runs and show them below in Table 2:

IOC Type        IOC Value
Folder Created  C:\Program Files\Microsoft DN1
AV Signature    Win32/Agent.TJS
Imphash[11]     015cbad4c651a0c58f740df6ad080f91

Table 2: Ave_Maria IOCs from b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4

There are many overlaps (folder, AV signature, and presence of the string AVE_MARIA) between the Yoroi sample and the @dvk01uk sample. We assess with high confidence that these malware samples are from the same family.

warzonedns[.]com

When looking through our malware holdings for AVE_MARIA samples, we see many using the domain warzonedns[.]com[12].

We see over 4,500 malware samples making DNS queries for hostnames within warzonedns[.]com[13]. Of these malware samples, over 75% contained a key IOC[14] for AVE_MARIA.
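The check behind that statistic is a hostname match against the DDNS apex, and it is easy to get wrong by matching on a bare substring. The Python below is an added example (not code from the original report or from the RAT author) showing the label-boundary match we would run over DNS query logs; the log field layout (timestamp, client, queried name) and the log lines themselves are constructed for illustration and are not from any real sensor.

```python
"""Added example: find DNS queries for hostnames under a dynamic-DNS apex.

The log format (<ts> <client> <qname>) and the sample lines are constructed
for this example; they are an assumption, not a real sensor's output.
"""

APEX = "warzonedns.com"

# Constructed sample DNS log, one query per line: "<ts> <client> <qname>".
# Includes lookalikes that a naive substring match would wrongly flag.
SAMPLE_DNS_LOG = """\
1563900001 10.0.0.5 anglekeys.warzonedns.com
1563900002 10.0.0.5 www.example.com
1563900003 10.0.0.9 WARZONEDNS.COM.
1563900004 10.0.0.9 notwarzonedns.com
1563900005 10.0.0.7 warzonedns.com.evil.net
1563900006 10.0.0.7 some.host.warzonedns.com
"""


def is_under_apex(qname, apex=APEX):
    """True if qname is the apex itself or any label beneath it.

    Case-insensitive, tolerant of a trailing dot, and anchored on a label
    boundary so 'notwarzonedns.com' and 'warzonedns.com.evil.net' do not
    match.
    """
    q = qname.rstrip(".").lower()
    a = apex.rstrip(".").lower()
    return q == a or q.endswith("." + a)


def find_ddns_hits(log_text, apex=APEX):
    """Return (timestamp, client, qname) for every line querying under apex."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        ts, client, qname = parts
        if is_under_apex(qname, apex):
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    for ts, client, qname in find_ddns_hits(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {qname}")
```

Only three of the six constructed lines are hits: the two genuine subdomains and the apex itself. The two lookalikes are rejected because the match is anchored on a dot boundary rather than on a raw substring.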

Warzone DDNS

Web searches for warzonedns[.]com show a post on the popular hacker forum HackForums. The post (shown in Figure 2), says warzonedns[.]com is a free Dynamic DNS (DDNS) service allowing new users to register with only a username and password. This post also says they “will not ban any users/subdomains”.


Figure 2: HackForums Post Announcing WarzoneDNS[.]com DDNS Service


‘Solmyr’ posted this with a description of ‘WARZONE RAT’. The banner at the bottom of this post advertises a “Remote Administration Tool” (RAT) which leads to another forum post on HackForums – a sales thread for WARZONE RAT.


Warzone RAT

‘Solmyr’ also posted the initial HackForums post advertising WARZONE RAT[15] (shown in Figure 3).

Figure 3: Sales thread for WARZONE RAT on HackForums


Later within the same thread, responding to questions about AntiVirus (AV) detection, Solmyr shared this post (shown in Figure 4), containing a link to a service that performs AV scans.


Figure 4: Author post for WARZONE RAT on HackForums


Figure 5: Results from scanmybin[.]net for WARZONE RAT


We do not have the sample from the “scanmybin[.]net” results shown in Figure 5. We do see over 200 samples matching the imphash. Some of the samples related by imphash also show IOCs mentioned above.


As of 2019-07-24, HackForums shows 192 completed sales of Warzone RAT via their service. Note that the seller also sells via their Web site, and may sell via other forums as well. Appendix A contains supporting data for the HackForums sales.


AVE_MARIA is WARZONE RAT

While the file with the MD5 checksum from Figure 5 was not found, a search found over 200 files with that same Imphash (d3ff663beb2af406701e3b4be6a9207a). Many of these have the same compilation timestamp[16]: 2018-09-30 03:49:17. Both values are pivots rather than proof: an imphash reflects only the import table, so unrelated builds from the same toolchain can share one, and the COFF timestamp is attacker-controlled. We therefore corroborate with the PE resource and strings described below.


These samples contain an interesting PE resource, shown in Figure 6:



Figure 6: PE resource within samples sharing same Imphash as the WARZONE RAT.

This is also present in the “AveMaria payload” from Yoroi blog post[17], and appears in their “Indicator of Compromise” table. Multiple AV vendors confirm that this executable (stored as a PE resource in AVE_MARIA samples) is a UAC bypass[18].


Another Clue

Taking a look at a WARZONE RAT version 1.51 sample shows the usual AVE_MARIA strings and some interesting additions (Figure 7): the Winlogon SpecialAccounts\UserList registry path (the key used to hide an account from the Windows logon screen), a set of DLL download URLs under a GitHub account named ‘solmyr1’, and a COM elevation moniker of the form Elevation:Administrator!new:{CLSID}, which is the syntax Windows uses to instantiate a COM class through the UAC auto-elevation path:




SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
%u.%u.%u.%u
AVE_MARIA
…
Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
MaxConnectionsPerServer
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/softokn3.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/msvcp140.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/mozglue.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/vcruntime140.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/freebl3.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/nss3.dll
…
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
…
Hey I’m Admin

Figure 7: Selected Strings Seen in WARZONE RAT Version 1.51 Sample

Unfortunately, the ‘solmyr1’ github account is no longer active.


@P3pperP0tts tweeted[19] these same findings (Figure 8):



Figure 8: Screenshot of Twitter Post Tying ‘solmyr1’ and AVE_MARIA


The WARZONE RAT version 1.60 sample shows the AVE_MARIA string but adds ‘warzone160’ and updates the library URLs (Figure 9):




warzone160
…
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
%u.%u.%u.%u
AVE_MARIA
…
\Google\Chrome\User Data\Default\Login Data
Software\Microsoft\Windows\CurrentVersion\App Paths\
hXXp://warzonedns[.]com/dll/softokn3.dll
hXXp://warzonedns[.]com/dll/msvcp140.dll
hXXp://warzonedns[.]com/dll/mozglue.dll
hXXp://warzonedns[.]com/dll/vcruntime140.dll
hXXp://warzonedns[.]com/dll/freebl3.dll
hXXp://warzonedns[.]com/dll/nss3.dll
…
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
…
Hey I’m Admin

Figure 9: Selected Strings Seen in WARZONE RAT Version 1.60 Sample


Versions up to 1.88 still contain the same ‘warzone160’ string.


The DLL URLs observed were still live on warzonedns[.]com as of 23 July 2019. What we grabbed were legitimate (clean) files: four from Mozilla (all shipped with Thunderbird) and two from Microsoft. The four Mozilla files (nss3.dll, softokn3.dll, freebl3.dll, mozglue.dll) are the NSS libraries needed to decrypt saved logins in a Mozilla profile, and msvcp140.dll and vcruntime140.dll are the Visual C++ runtime they depend on. Fetching clean copies at run time lets a credential stealer use them without bundling them, which fits the Chrome “Login Data” path seen alongside them in Figure 9.
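The strings in Figures 7 and 9 are enough to fingerprint a build family from a memory dump or an unpacked sample. The Python below is an added example (not code from the original report or from the RAT author) that scans a buffer for those markers and derives a version hint; the marker strings are the ones listed above (with real schemes, since binaries do not carry the defanged hXXp form), the mapping from markers to versions is our inference from the post’s observations, and the sample buffers are constructed to exercise the logic, not real malware.

```python
"""Added example: fingerprint a WARZONE RAT / AVE_MARIA build from strings.

Marker strings come from Figures 7 and 9 of the post. The version mapping is
an assumption drawn from the post's observations (github solmyr1 URLs in the
1.51 sample; 'warzone160' present from 1.60 through 1.88). Sample buffers are
constructed and are not real samples.
"""
import re

# (label, pattern) rules derived from the string listings above.
RULES = [
    ("ave_maria_hello", re.compile(rb"AVE_MARIA")),
    ("warzone160_tag", re.compile(rb"warzone160")),
    ("com_elevation_moniker", re.compile(
        rb"Elevation:Administrator!new:\{3ad05575-8857-4850-9277-11b85bdb8e09\}", re.I)),
    ("nss_dll_github_solmyr1", re.compile(
        rb"https://github\.com/solmyr1/nothingtoseehere/raw/master/[a-z0-9]+\.dll")),
    ("nss_dll_warzonedns", re.compile(rb"http://warzonedns\.com/dll/[a-z0-9]+\.dll")),
    ("hidden_account_userlist", re.compile(rb"Winlogon\\SpecialAccounts\\UserList")),
]


def fingerprint(data):
    """Return {'markers': [...], 'version_hint': str|None} for a byte buffer.

    Scans the raw bytes plus both even/odd byte lanes, so UTF-16LE (wide)
    strings are found regardless of their starting offset.
    """
    found = set()
    for view in (data, data[0::2], data[1::2]):
        for label, pat in RULES:
            if pat.search(view):
                found.add(label)

    version_hint = None
    if "ave_maria_hello" in found:
        if "nss_dll_github_solmyr1" in found:
            version_hint = "1.51"        # github-hosted DLLs seen in the 1.51 sample
        elif "warzone160_tag" in found:
            version_hint = "1.60-1.88"   # tag retained from 1.60 up to 1.88
        else:
            version_hint = "unknown"     # family match, no version marker
    return {"markers": sorted(found), "version_hint": version_hint}


# Constructed sample buffers (not real samples).
SAMPLE_V151 = (
    b"\x00" * 16
    + b"AVE_MARIA\x00"
    + b"https://github.com/solmyr1/nothingtoseehere/raw/master/nss3.dll\x00"
    + b"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}\x00"
)
# Same idea but stored as wide (UTF-16LE) strings, as PE binaries often do.
SAMPLE_V160_WIDE = (
    "warzone160\0AVE_MARIA\0http://warzonedns.com/dll/freebl3.dll\0"
).encode("utf-16-le")
SAMPLE_CLEAN = b"MZ" + bytes(range(256))

if __name__ == "__main__":
    for name, buf in (("v151", SAMPLE_V151), ("v160_wide", SAMPLE_V160_WIDE),
                      ("clean", SAMPLE_CLEAN)):
        print(name, fingerprint(buf))
```

A positive version hint only narrows the search; as with the imphash pivot, it should be confirmed against the PE resource and C2 behaviour rather than treated as attribution on its own.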

Distinct Versions

‘Solmyr’ occasionally announces updates to WARZONE RAT on HackForums. Here are the dates and releases as posted in the sales thread on HackForums (Table 3):

Date        Version  Page #[20]
2018-10-30  1.2      3
2018-11-21  1.30     8
2018-11-24  1.31     9
2018-12-02  1.40     14
2019-01-04  1.50     23
2019-01-11  1.51     29
2019-02-15  1.71     40
2019-02-21  1.80     43
2019-02-25  1.82     45
2019-03-14  1.84     49
2019-03-27  1.86     50
2019-03-27  1.87     51
2019-04-08  1.88     56
2019-05-05  1.90     63
2019-06-25  2.00     1[21]
2019-06-30  2.01     72

Table 3: WARZONE RAT Version Announcements on HackForums

We believe some versions of WARZONE RAT exist that were not announced on HackForums. Table 4 shows IOCs of WARZONE RAT and their possible corresponding version.

Ver    Imphash                           Compile Time
?      d3ff663beb2af406701e3b4be6a9207a  2018-09-30 03:49:17
1.2    97894ad73734f29b380f736aa922a592  2018-10-30 02:27:25
?      015cbad4c651a0c58f740df6ad080f91  2018-11-01 02:42:03
1.30?  015cbad4c651a0c58f740df6ad080f91  2018-11-21 01:16:14
1.31?  015cbad4c651a0c58f740df6ad080f91  2018-11-23 23:51:52
1.40   c50d3ead02fdb1258e5784f492356fac  2018-12-02 04:09:28
1.50?  9498392a50093cfce05cc96184882304  2019-01-02 12:34:58
1.51   8d75bab5909750c32ca321ba486edee2  2019-01-11 14:56:29
1.60   7e06210784164fa4f1df227ba4c37228  2019-02-14 22:08:32
1.61   b0431412af88ba4390506a2af2010d1e  2019-02-17 02:51:27
1.80   c2ac33820b594dbbf354d8aa48a30ce1  2019-02-21 00:19:31
1.82   b76aafdc988ade2ab3db3b02fa4c6d00  2019-02-25 03:59:58
1.84?  b76aafdc988ade2ab3db3b02fa4c6d00  2019-03-13 00:37:27
1.86?  100e939005818c50742e10f759ff18a1  2019-03-24 22:36:15
1.87?  100e939005818c50742e10f759ff18a1  2019-03-27 19:41:00
1.88   4747c70adc127d28c18f0f7237b1add9  2019-04-08 09:57:03
1.89?  4747c70adc127d28c18f0f7237b1add9  2019-04-13 00:01:53
1.90   b1c0ebdc2ad8802c6b2c2a7f1b316754  2019-05-04 23:48:24
2.0?   50211447dd17c777c9d52f2415fe6fac  2019-05-23 01:47:23

Table 4: AVE_MARIA Versions and IOCs

Entries marked with a question mark we grade as medium confidence that they are a distinct version and low confidence in the exact version number; all others we assess with medium-to-high confidence. The two seed samples fall within this table: the imphash of the Yoroi sample (Table 1) matches the 1.40 build, and the imphash of the @dvk01uk sample (Table 2) matches the 1.30/1.31 builds.
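Table 4 is built from two fields that are cheap to extract from any PE: the COFF header TimeDateStamp and an import hash. The Python below is an added example (not code from the original report) that pulls the timestamp from a PE header and computes an imphash from a list of imports. The PE bytes are constructed to be minimal and parseable, not a real sample, and the import hash follows the published imphash rules (lowercase dll.func pairs, extension stripped, comma-joined, MD5) but omits the ordinal-to-name lookup that pefile applies for a few well-known DLLs; that simplification is an assumption of this example, so ordinal-only imports can hash differently from pefile’s value.

```python
"""Added example: the two pivots in Table 4, COFF TimeDateStamp and imphash.

SAMPLE_PE is a constructed minimal PE header, not a real sample. The imphash
here omits pefile's ordinal-to-name lookup (assumption of this example).
"""
import hashlib
import struct
from datetime import datetime, timezone


def pe_compile_timestamp(data):
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch).

    Per the PE format: e_lfanew at offset 0x3C of the DOS header points to
    'PE\\0\\0'; the COFF header follows it with Machine(2),
    NumberOfSections(2), TimeDateStamp(4).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def timestamp_to_iso(ts):
    """Render a COFF timestamp the way Table 4 does (UTC, no zone suffix)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def normalize_imports(imports):
    """imports: iterable of (dll_name, function_name_or_ordinal).

    Applies the imphash normalization: lowercase, strip .dll/.ocx/.sys,
    ordinals become 'ordN', entries joined as 'dll.func' with commas.
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return ",".join(parts)


def imphash_from_imports(imports):
    """MD5 of the normalized import string, as a 32-char hex digest."""
    return hashlib.md5(normalize_imports(imports).encode()).hexdigest()


# Constructed minimal PE: DOS header with e_lfanew = 0x40, then the PE
# signature and a 20-byte COFF header carrying the timestamp from Table 4's
# first row (2018-09-30 03:49:17 UTC).
COMPILE_TS = int(datetime(2018, 9, 30, 3, 49, 17, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = (
    b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x014C, 1, COMPILE_TS, 0, 0, 0, 0)  # i386, 1 section
)

# Constructed import list (hypothetical, not taken from any sample).
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "CreateFileA"),
    ("KERNEL32.DLL", "WriteFile"),
    ("WS2_32.dll", 23),
]

if __name__ == "__main__":
    ts = pe_compile_timestamp(SAMPLE_PE)
    print("compile time:", timestamp_to_iso(ts))
    print("imphash:     ", imphash_from_imports(SAMPLE_IMPORTS))
```

Because the hash is taken over the normalized, order-preserving string, two builds that import the same functions in the same order collide regardless of how the DLL names were cased in the binary; reordering or adding a single import changes the value, which is why Table 4 shows the same imphash across adjacent point releases and a new one whenever the import table changed.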

Solmyr

The HackForums user “Solmyr” claims to be the author of WARZONE RAT and provides support via:

  • HackForums (private message / forum thread)

  • Warzone[.]io Web site (warzone[.]io)

  • Discord (solmyr#4699)

  • Jabber (solmyr@xmpp.jp)

  • Skype (live:solmyr_12)

  • Email (solmyr[at]warzone[.]io)

Solmyr has a YouTube channel called WARZONE RAT[21].

Solmyr also posts on the nulled[.]io forums, offering WARZONE RAT: hXXps://www.nulled[.]to/topic/574717-x-warzone-rat-150-x-native-c-remote-administration-tool-get-ready-for-2019/

Indicators of Compromise

The IOC data for this story is too voluminous to include here. Please see our GitHub repo for the full set of indicators of compromise.

References

  1. https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/

  2. https://blog.yoroi.company/research/the-ave_maria-malware/

  3. https://twitter.com/dvk01uk/status/1069963251021201409

  4. SHA256 hash of “AveMaria payload” from Yoroi blog post: 81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1

  5. Explanation of what Imphash is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html

  6. https://twitter.com/dvk01uk/status/1069963251021201409

  7. https://twitter.com/JR0driguezB/status/1069968365723234305

  8. https://www.virustotal.com/en/file/b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4/analysis/1543934943/

  9. https://twitter.com/JR0driguezB/status/1069971250448089090

  10. https://twitter.com/James_inthe_box/status/1069971854591291393

  11. Explanation of what “Imphash” is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html

  12. We defanged possible malicious domain names and URLs within this report to minimize accidental exposure of report viewers.

  13. The full list is available on our github repo.

  14. The folder C:\Program Files\Microsoft DN1 gets created during the sandbox operation.

  15. https://hackforums[.]net/showthread.php?tid=5897941

  16. https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#file-headers – under the sub-heading “COFF File Header (Object and Image)”

  17. https://www.virustotal.com/#/file/81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1/details

  18. https://www.virustotal.com/#/file/021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546/detection

  19. https://twitter.com/P3pperP0tts/status/1095477422877753344

  20. The page number within the sales thread in HackForums. For example, page 3 is accessible at hXXps://hackforums[.]net/showthread.php?tid=5897941&page=3

  21. https://www.youtube.com/channel/UCnJvHfkjlwL4YERWkuuykSw
