Unmasking AVE_MARIA

Several public reports[1][2] of a malware family often referred to as AVE_MARIA were made in January 2019. Yoroi, an Internet research company, says the malware sample analyzed for their report[2] contains “AVE_MARIA”, and uses that string as a “hello message” for the malware controller. Also, in a Twitter thread[3] about similar malware, a researcher asked that it be called AVE_MARIA.

Here, we review the sample reported by Yoroi and the sample reported by the Twitter account @dvk01uk. We see similarities within the two samples and have found more samples within the AVE_MARIA family. We also discuss AVE_MARIA’s origins and ties to WARZONE RAT.

We include indicator of compromise (IOC) data for several versions of WARZONE RAT.

Key Findings
  • AVE_MARIA is a Remote Administration Tool (RAT) offering marketed as WARZONE RAT on hacker forums and on the Web
  • WARZONE RAT is only available as a one- or three-month subscription
  • The same persona selling WARZONE RAT also promotes a free dynamic DNS service, warzonedns[.]com

Analysis

Yoroi Sample

Yoroi shows the SHA256 hash[4] (81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1) of one file they called the “AveMaria payload”, and one domain, anglekeys.warzonedns[.]com, for a command and control (C2) server. Our malware sandboxing confirms this behavior. Yoroi’s analysis and our own show the malware failing to establish a connection to the C2.

We see several possible IOCs from our sandbox runs and show them below in Table 1:

IOC Type        IOC Value
Folder Created  C:\Program Files\Microsoft DN1
DNSRR           anglekeys.warzonedns[.]com
AV Signature    Win32/Agent.TJS
Imphash[5]      c50d3ead02fdb1258e5784f492356fac

Table 1: Ave_Maria IOCs (from Yoroi seed sample)

@dvk01uk Sample

Twitter user @dvk01uk[6] reported a malware sample that exhibits behavior similar to the one Yoroi later blogged about. @JR0driguezB replied[7], linking to the VirusTotal output[8] for that payload and suggesting that this malware family be called AVE_MARIA[9]. @James_inthe_box replied[10] with output showing the AVE_MARIA string, as shown in Figure 1.

Figure 1 (arrow added): Original: https://twitter.com/James_inthe_box/status/1069971854591291393

We see several possible IOCs from our sandbox runs and show them below in Table 2:

IOC Type        IOC Value
Folder Created  C:\Program Files\Microsoft DN1
AV Signature    Win32/Agent.TJS
Imphash[11]     015cbad4c651a0c58f740df6ad080f91

Table 2: Ave_Maria IOCs from b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4

There are many overlaps (folder, AV signature, and presence of the string AVE_MARIA) between the Yoroi sample and the @dvk01uk sample. We assess with high confidence that these malware samples are from the same family.

warzonedns[.]com

When looking through our malware holdings for AVE_MARIA samples, we see many using the domain warzonedns[.]com[12].

We see over 4,500 malware samples making DNS queries for hostnames within warzonedns[.]com[13]. Of these malware samples, over 75% contained a key IOC[14] for AVE_MARIA.

Warzone DDNS

Web searches for warzonedns[.]com show a post on the popular hacker forum HackForums. The post (shown in Figure 2) says warzonedns[.]com is a free Dynamic DNS (DDNS) service allowing new users to register with only a username and password. The post also says they “will not ban any users/subdomains”.

Figure 2: HackForums Post Announcing WarzoneDNS[.]com DDNS Service

‘Solmyr’ posted this with a description of ‘WARZONE RAT’. The banner at the bottom of this post advertises a “Remote Administration Tool” (RAT) which leads to another forum post on HackForums – a sales thread for WARZONE RAT.

Warzone RAT

‘Solmyr’ also posted the initial HackForums post advertising WARZONE RAT[15] (shown in Figure 3).

Figure 3: Sales thread for WARZONE RAT on HackForums

Later within the same thread, responding to questions about antivirus (AV) detection, Solmyr shared the post shown in Figure 4, containing a link to a service that performs AV scans.

Figure 4: Author post for WARZONE RAT on HackForums
Figure 5: Results from scanmybin[.]net for WARZONE RAT

We do not have the sample from the “scanmybin[.]net” results shown in Figure 5. We do see over 200 samples matching the imphash. Some of the samples related by imphash also show IOCs mentioned above.

As of 2019-07-24, HackForums shows 192 completed sales of Warzone RAT via their service. Note that the seller also sells via their Web site, and may sell via other forums as well. Appendix A contains supporting data for the HackForums sales.

AVE_MARIA is WARZONE RAT

While the file with the MD5 checksum from Figure 5 was not found, a search found over 200 files with that same Imphash (d3ff663beb2af406701e3b4be6a9207a). Many of these have the same compilation timestamp[16]: 2018-09-30 03:49:17.

These samples contain an interesting PE resource, shown in Figure 6:

Figure 6: PE resource within samples sharing same Imphash as the WARZONE RAT.

This resource is also present in the “AveMaria payload” from the Yoroi blog post[17] and appears in their “Indicator of Compromise” table. Multiple AV vendors confirm that this executable (stored as a PE resource in AVE_MARIA samples) is a UAC bypass[18].

Another Clue

Taking a look at a WARZONE RAT version 1.51 sample shows the usual AVE_MARIA strings and some interesting additions (Figure 7):

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
%u.%u.%u.%u
AVE_MARIA

Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
MaxConnectionsPerServer
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/softokn3.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/msvcp140.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/mozglue.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/vcruntime140.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/freebl3.dll
hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/nss3.dll

Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}

Hey I’m Admin

Figure 7: Selected Strings Seen in WARZONE RAT Version 1.51 Sample

Unfortunately, the ‘solmyr1’ GitHub account is no longer active.

@P3pperP0tts tweeted[19] these same findings (Figure 8):

Figure 8: Screenshot of Twitter Post Tying ‘solmyr1’ and AVE_MARIA

The WARZONE RAT version 1.60 sample shows the AVE_MARIA string but adds ‘warzone160’ and updates the library URLs (Figure 9):

warzone160

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
%u.%u.%u.%u
AVE_MARIA

\Google\Chrome\User Data\Default\Login Data
Software\Microsoft\Windows\CurrentVersion\App Paths\
hXXp://warzonedns[.]com/dll/softokn3.dll
hXXp://warzonedns[.]com/dll/msvcp140.dll
hXXp://warzonedns[.]com/dll/mozglue.dll
hXXp://warzonedns[.]com/dll/vcruntime140.dll
hXXp://warzonedns[.]com/dll/freebl3.dll
hXXp://warzonedns[.]com/dll/nss3.dll

Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}

Hey I’m Admin

Figure 9: Selected Strings Seen in WARZONE RAT Version 1.60 Sample

Versions up to 1.88 still contain the same ‘warzone160’ string.

The DLL URLs observed are still available via warzonedns[.]com (as of 23 July 2019). What we grabbed were legitimate (clean) files: four from Mozilla (all related to Thunderbird) and two from Microsoft.

Distinct Versions

‘Solmyr’ occasionally announces updates to WARZONE RAT on HackForums. Here are the dates and releases as posted in the sales thread on HackForums (Table 3):

Date        Version  Page #[20]
2018-10-30  1.2      3
2018-11-21  1.30     8
2018-11-24  1.31     9
2018-12-02  1.40     14
2019-01-04  1.50     23
2019-01-11  1.51     29
2019-02-15  1.71     40
2019-02-21  1.80     43
2019-02-25  1.82     45
2019-03-14  1.84     49
2019-03-27  1.86     50
2019-03-27  1.87     51
2019-04-08  1.88     56
2019-05-05  1.90     63
2019-06-25  2.00     1
2019-06-30  2.01     72

Table 3: WARZONE RAT Version Announcements on HackForums

We believe some versions of WARZONE RAT exist that were not announced on HackForums. Table 4 shows IOCs of WARZONE RAT samples and their possible corresponding versions.

Ver   Imphash                           Compile Time
1.2   d3ff663beb2af406701e3b4be6a9207a  2018-09-30 03:49:17
1.30  97894ad73734f29b380f736aa922a592  2018-10-30 02:27:25
1.30  015cbad4c651a0c58f740df6ad080f91  2018-11-01 02:42:03
1.31  015cbad4c651a0c58f740df6ad080f91  2018-11-21 01:16:14
1.40  015cbad4c651a0c58f740df6ad080f91  2018-11-23 23:51:52
1.50  c50d3ead02fdb1258e5784f492356fac  2018-12-02 04:09:28
1.51  9498392a50093cfce05cc96184882304  2019-01-02 12:34:58
1.51  8d75bab5909750c32ca321ba486edee2  2019-01-11 14:56:29
1.60  7e06210784164fa4f1df227ba4c37228  2019-02-14 22:08:32
1.61  b0431412af88ba4390506a2af2010d1e  2019-02-17 02:51:27
1.80  c2ac33820b594dbbf354d8aa48a30ce1  2019-02-21 00:19:31
1.82  b76aafdc988ade2ab3db3b02fa4c6d00  2019-02-25 03:59:58
1.84  b76aafdc988ade2ab3db3b02fa4c6d00  2019-03-13 00:37:27
1.86  100e939005818c50742e10f759ff18a1  2019-03-24 22:36:15
1.87  100e939005818c50742e10f759ff18a1  2019-03-27 19:41:00
1.88  4747c70adc127d28c18f0f7237b1add9  2019-04-08 09:57:03
1.89  4747c70adc127d28c18f0f7237b1add9  2019-04-13 00:01:53
1.90  b1c0ebdc2ad8802c6b2c2a7f1b316754  2019-05-04 23:48:24
2.0   50211447dd17c777c9d52f2415fe6fac  2019-05-23 01:47:23

Table 4: AVE_MARIA Versions and IOCs

Question-marked entries we grade as medium confidence of being a distinct version and low confidence of the exact version number. For all others, we assess the data points with medium-to-high confidence.
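The two static pivots this report relies on, the COFF file header compile timestamp listed in Table 4 and the version-specific strings shown in Figures 7 and 9, can be checked by a small triage script. The following is an added example written for this article, not code from the report; the PE bytes it builds are constructed here for demonstration and are not a real sample, and the version buckets are an assumption drawn only from the strings the figures show.

```python
# Added triage helper (not code from the report): reads the COFF header
# TimeDateStamp ("Compile Time" in Table 4) and checks for the static
# strings from Figures 7 and 9. The sample bytes are constructed, not real.
import struct
from datetime import datetime, timezone

# Version-specific strings from Figures 7 and 9 (undefanged for matching).
MARKERS = {
    "ave_maria": b"AVE_MARIA",
    "warzone160": b"warzone160",
    "uac_moniker": b"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}",
    "dll_github": b"github.com/solmyr1/nothingtoseehere/raw/master/",
    "dll_warzonedns": b"warzonedns.com/dll/",
}
FMT = "%Y-%m-%d %H:%M:%S"

def coff_timestamp(data: bytes) -> str:
    """Return the COFF TimeDateStamp as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # TimeDateStamp follows the 4-byte signature, Machine and NumberOfSections.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime(FMT)

def triage(data: bytes) -> dict:
    hits = {name: s in data for name, s in MARKERS.items()}
    if not hits["ave_maria"]:
        verdict = "no AVE_MARIA marker"
    elif hits["warzone160"] or hits["dll_warzonedns"]:
        verdict = "WARZONE RAT 1.60 or later"          # Figure 9 strings
    elif hits["dll_github"]:
        verdict = "WARZONE RAT 1.51 (solmyr1 GitHub DLL URLs)"  # Figure 7
    else:
        verdict = "AVE_MARIA, version undetermined"
    return {"compile_time": coff_timestamp(data), "markers": hits, "verdict": verdict}

def build_sample(compile_time: str, strings: list) -> bytes:
    """Constructed minimal MZ/PE shell carrying the given strings (not runnable)."""
    stamp = int(datetime.strptime(compile_time, FMT).replace(tzinfo=timezone.utc).timestamp())
    header = bytearray(b"MZ" + b"\0" * 0x7E)       # DOS header padded to e_lfanew
    struct.pack_into("<I", header, 0x3C, 0x80)      # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0x102)
    return bytes(header) + b"PE\0\0" + coff + b"\0".join(strings)

if __name__ == "__main__":
    sample = build_sample("2019-01-11 14:56:29", [MARKERS["ave_maria"],
        MARKERS["uac_moniker"], b"https://" + MARKERS["dll_github"] + b"nss3.dll"])
    print(triage(sample))
```

Run against real holdings, the compile time lets an analyst line a sample up against Table 4 while the marker hits show which string set (Figure 7 or Figure 9) the build carries.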

Solmyr

The HackForums user “Solmyr” claims to be the author of WARZONE RAT and provides support via:

  • HackForums (private message / forum thread)
  • Web site (warzone[.]io)
  • Discord (solmyr#4699)
  • Jabber (solmyr@xmpp.jp)
  • Skype (live:solmyr_12)
  • Email (solmyr[at]warzone[.]io)

Solmyr has a YouTube channel called WARZONE RAT[21].

Solmyr also posts on the nulled[.]io forums, offering WARZONE RAT: hXXps://www.nulled[.]to/topic/574717-x-warzone-rat-150-x-native-c-remote-administration-tool-get-ready-for-2019/

Indicators of Compromise

The IOC resources for this story are too numerous to include here. Please see our GitHub repo to access the indicators of compromise.

References

  1. https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/
  2. https://blog.yoroi.company/research/the-ave_maria-malware/
  3. https://twitter.com/dvk01uk/status/1069963251021201409
  4. SHA256 hash of “AveMaria payload” from Yoroi blog post: 81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1
  5. Explanation of what Imphash is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
  6. https://twitter.com/dvk01uk/status/1069963251021201409
  7. https://twitter.com/JR0driguezB/status/1069968365723234305
  8. https://www.virustotal.com/en/file/b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4/analysis/1543934943/
  9. https://twitter.com/JR0driguezB/status/1069971250448089090
  10. https://twitter.com/James_inthe_box/status/1069971854591291393
  11. Explanation of what “Imphash” is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
  12. We defanged possible malicious domain names and URLs within this report to minimize accidental exposure of report viewers.
  13. The full list is available on our GitHub repo.
  14. The folder C:\Program Files\Microsoft DN1 gets created during the sandbox operation.
  15. https://hackforums[.]net/showthread.php?tid=5897941
  16. https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#file-headers – under the sub-heading “COFF File Header (Object and Image)”
  17. https://www.virustotal.com/#/file/81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1/details
  18. https://www.virustotal.com/#/file/021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546/detection
  19. https://twitter.com/P3pperP0tts/status/1095477422877753344
  20. The page number within the sales thread in HackForums. For example, page 3 is accessible at hXXps://hackforums[.]net/showthread.php?tid=5897941&page=3
  21. https://www.youtube.com/channel/UCnJvHfkjlwL4YERWkuuykSw