Ave Maria RAT (remote access trojan), also known as “Warzone RAT,” is malware that gains unauthorized access to, or remote control over, a victim’s computer system. This RAT operates stealthily and grants attackers access to a wide range of functionality on the compromised system. Its malicious activity includes data theft, privilege escalation, remote desktop control, email credential collection, browser credential parsing and more.
This RAT was first observed in 2018, spreading through a malicious phishing campaign, and it is still active today. It is also a known tool of several APT groups for compromising or gaining control of a targeted host. In February 2023, Zscaler published a blog on Ave Maria’s tactics and techniques, especially its distribution strategy.
This blog post provides a deep-dive analysis of this threat, including:
- Initial Access (CVE-2017-11882)
- Modify Registry
- UAC Bypass
- Impair Defense like Windows Defender
- Mark-Of-The-Web Bypass
- Command and Script Interpreter
- Process Injection
- System Information Discovery
- Other Backdoor Capabilities
The VT diagram presented below illustrates a malicious phishing campaign delivering the Ave Maria RAT. The campaign uses an exploit .rtf file designed to download the actual RAT onto the compromised host.
The following section explores Ave Maria tactics, techniques and its capabilities to compromise a targeted host or system.
Ave Maria (Warzone) RAT is notorious for being distributed through spam email campaigns. These spam emails are crafted to include a malicious attachment that takes advantage of CVE-2017-11882, a vulnerability in Microsoft Equation Editor, to infect unsuspecting victims' systems.
Figure 1. Ave Maria RAT spam email
Through this exploit, the crafted malicious MS document or RTF file executes a shellcode responsible for downloading the actual Ave Maria RAT onto the targeted host.
Figure 2 shows a screenshot of the shellcode, which attempts to download the Ave Maria RAT using the URLDownloadToFileW() API.
Figure 2. Exploit Shellcode
After the download succeeds, the RAT is promptly executed and begins carrying out its intended malicious activities.
First, it creates an event object that serves as a mutex, ensuring that only one instance of the malware is running on the compromised host. By default, Windows allows only 2 simultaneous downloads (connections) to a single web server. Ave Maria RAT tweaks the registry to raise this limit to 10, allowing multiple concurrent connections to a single server.
Figure 3 shows the code snippet of the malware that modifies the Internet Settings registry keys to raise the number of concurrent connections allowed to a single server.
Figure 3. MaxConnectionPerServer registry modification
Bypass User Account Control
The malware leverages the RtlGetVersion() API to determine the operating system version of the compromised host. By inspecting the OS Major Version, specifically checking if it is 10, the malware can identify whether the host is running Windows 10 or Windows Server 2016.
If the OS version condition is satisfied, it attempts to bypass the User Account Control feature of the Windows operating system: it creates a registry entry under “HKCU\Software\Classes\Folder\shell\open\command\” containing the file path of its own executable, then launches sdclt.exe, which executes the command stored in that registry entry.
Figure 4. UAC Bypassed via sdclt.exe
The malware includes a function designed to evade security tools like Windows Defender using PowerShell. It achieves this by adding its malware file path to the Windows Defender ExclusionPath. In Figure 5, a screenshot displays the function responsible for initializing and executing the PowerShell command, ensuring that the malware's path remains excluded from scanning by Windows Defender.
Figure 5. ExclusionPath command for its malware file path
Ave Maria RAT also subverts mark-of-the-web (MOTW) controls. In Windows, files downloaded from the internet are tagged with a “Zone.Identifier” Alternate Data Stream.
Files tagged with MOTW are subject to protections and cannot perform certain actions. In this scenario, the malware deletes that alternate data stream so its downloaded files run without those restrictions or protections.
Figure 6. Delete Zone.Identifier Alternate Data Stream
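To make the MOTW mechanism concrete, here is an added example (not code from the original post or from the malware) that parses the contents of a Zone.Identifier stream and reports whether a file would be treated as untrusted, with a "missing" verdict for the case the malware creates by deleting the stream. The sample stream contents are constructed; the example.invalid URLs are placeholders.

```python
# Constructed Zone.Identifier stream contents, modelled on what Windows writes to
# <file>:Zone.Identifier after a download. Not captured from a real host.
INTERNET_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                   b"ReferrerUrl=https://example.invalid/\r\n"
                   b"HostUrl=https://example.invalid/payload.rtf\r\n")
LOCAL_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"

# URL security zone ids as used in the ZoneId field.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}


def read_zone_identifier(path):
    """Read <path>:Zone.Identifier on NTFS; None when the stream does not exist."""
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_identifier(stream):
    """Parse the INI-style [ZoneTransfer] section. Returns a dict with an int ZoneId,
    or None when the stream is absent or carries no usable ZoneId."""
    if stream is None:
        return None
    section, fields = None, {}
    for line in stream.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if not fields.get("ZoneId", "").isdigit():
        return None
    fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def motw_verdict(stream):
    """'untrusted' for Internet/Restricted zones (MOTW protections apply),
    'trusted' for lower zones, 'missing' when no MOTW is present (e.g. ADS deleted)."""
    info = parse_zone_identifier(stream)
    if info is None:
        return "missing"
    return "untrusted" if info["ZoneId"] >= 3 else "trusted"
```

A file that was downloaded but reports "missing" is exactly the state this malware produces, which is why stream deletion on freshly downloaded executables is worth hunting for.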
Command and Scripting Interpreter
Ave Maria RAT drops a copy of itself in %appdata% and also drops a batch script named “program.bat” that can create a process via the WMI command-line utility (WMIC). Figure 7 shows how the batch script is constructed to reference the dropped copy of the malware.
Figure 7. Batch Script Execution
One of the malware's techniques is code injection. If the current running process is on a 64-bit architecture, it initiates a cmd.exe process and injects its code. Otherwise, it searches for the explorer.exe process to inject its code and subsequently executes it using the CreateRemoteThread() API.
Figure 7. Process Injection
During its installation, the malware creates a registry run key that enables automatic execution of its code upon each machine reboot. This technique involves utilizing the well-known registry run key located at:
Within this malicious RAT lies a range of backdoor capabilities designed to execute additional payloads and exfiltrate information from the compromised host. The following sections delve into the noteworthy techniques that the Splunk Threat Research Team (STRT) analyzed that pertain to its backdoor functionalities.
System Information Discovery
One of its backdoor functionalities is to collect system information such as machine GUID, OS version, user name, computer name, token information, CPU architecture, memory information and more. This information will be encrypted and sent to its C2 server.
Figure 7. SysInfo Discovery
Credentials in Registry
The capabilities of Ave Maria RAT extend to searching the registry on compromised hosts or systems for insecurely stored credentials. Specifically, it targets the registry entries associated with the unique Microsoft Outlook profile to extract the following sensitive information:
- Account Name
- POP3 Server
- POP3 User
- SMTP Server
- POP3 password
- SMTP password
- HTTP password
- IMAP password
Figure 8. Outlook Profile Registry Query
Input capture or keylogging serves as another backdoor capability, enabling the malware to log user keystrokes and intercept credentials as the user types on the compromised host. To implement this technique, the malware hooks API callbacks responsible for processing keystrokes in the Windows OS.
The keystroke log written by this malware is saved in the “%appdata%\Microsoft Vision\” folder, with a file name derived from the date and time the file was created.
File name format: dd-mm-yy_hh.mm.ss, e.g. %appdata%\Microsoft Vision\11.11.23_11.11.11
Figure 9. Keylogging
Credentials from Web Browsers
Similar to other remote access trojans (RATs) and stealer trojans, this malware is able to acquire credentials stored in web browsers. It does so by reading the files or databases specific to the targeted browser that contain encrypted credentials, which it then decrypts to recover the plaintext credentials.
Figure 10. Acquire Browser Credentials
Below is a list of targeted browsers from which it attempts to extract credentials:
- Epic Privacy Browser
- Microsoft Edge
Other backdoor capabilities found during our analysis are:
- Download and execute payload
- Get logical drive type
- Parse Foxmail credentials
- Search for files
- List files
- Terminate a process
- Process list
- Shell execute command
- Ping sleep command
- Delete a file
- Create Special Account
- Reverse shell
- Reverse proxy
The Splunk Threat Research Team has curated relevant detections and tagged them to the Ave Maria (Warzone) RAT Analytic Story to help security analysts detect adversaries leveraging this malware.
These detections rely on endpoint telemetry sources such as:
- Process Execution & Command Line Logging
- Windows Security SACL Event ID, Sysmon, or any Common Information Model compliant EDR technology
- Windows Security Event Log
- Windows System Event Log
- Windows PowerShell Script Block Logging
As an example, the analytic Windows Bypass UAC via Pkgmgr Tool identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "*:\\Program Files*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter`
The Windows Modify Registry MaxConnectionPerServer analytic identifies a suspicious registry modification of Windows max connection per server configuration. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server*") Registry.registry_value_data = "0x0000000a" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`
The Windows Unsigned DLL Side-Loading analytic detects potentially malicious unsigned DLLs created in either the c:\windows\system32 or c:\windows\syswow64 folders.
`sysmon` EventCode=7 Signed=false OriginalFileName = "-" SignatureStatus="unavailable" ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`
Overall, the Ave Maria (Warzone) RAT analytic story introduces 21 detections across MITRE ATT&CK techniques.
Non-hunting detections associated with this analytic story create entries in the Splunk Enterprise Security risk index by default and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. Additionally, the Automated Enrichment playbook pack also works well with the output of any of these analytics.
Moves the event status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.
Detects available indicators and routes them to indicator reputation analysis playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.
Detects available entities and routes them to attribute lookup playbooks. The output of the playbooks will create new artifacts for any technologies that return information.
Detects available indicators and routes them to dispatch related ticket search playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.
Why You Should Care
This blog enables security analysts, blue teamers and Splunk customers to identify Ave Maria (Warzone) RAT malware by helping the community discover Ave Maria tactics, techniques and procedures that are being used by several threat actors and adversaries. By understanding its behaviors, the Splunk Threat Research Team was able to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond against this threat.
Any feedback or requests? Feel free to open an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions: Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and Patrick Bareiss.