{"id":6293,"date":"2021-05-03T14:36:39","date_gmt":"2021-05-03T21:36:39","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6293"},"modified":"2024-04-26T13:20:43","modified_gmt":"2024-04-26T20:20:43","slug":"polish-language-malspam-campaign-delivers-avemaria-infostealer","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/polish-language-malspam-campaign-delivers-avemaria-infostealer\/","title":{"rendered":"Polish Language Malspam Campaign Delivers AveMaria Infostealer"},"content":{"rendered":"

Author: Eric Patterson<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

Between 25 and 30 April, Infoblox observed a malspam campaign distributing the AveMaria remote access trojan (RAT). Threat actors used email subject lines written in Polish referencing payment confirmations to lure victims into downloading a malicious executable.<\/p>\n

Infoblox has previously reported on AveMaria in April 2019 and December 2020.1<\/sup>,<\/sup>2<\/sup><\/p>\n

Customer Impact<\/h3>\n

First reported in early 2019 by security firm Yoroi, AveMaria is an infostealer that threat actors deliver via document attachments in malicious spam campaigns.3<\/sup><\/p>\n

AveMaria is a modular RAT that allows its authors to customize its functionality as needed depending on the objectives of the campaign. However, its core functionality allows it to harvest credentials for installed email clients (e.g. Outlook), decrypt stored credentials in FireFox and transmit other sensitive information back to a command and control (C&C) server.<\/p>\n

Campaign Analysis<\/h3>\n

The threat actors behind this campaign are likely targeting Polish speaking countries and individuals, based on the primary language in the emails. The subject lures and attachments for this campaign, which are financially themed, are: Ponowne potwierdzenie p\u0142atno\u015b<\/em>ci and Permintaan pesanan.exe<\/em>. They translate from Polish to \u201cRe: Payment Confirmation\u201d and \u201cOrder Request.exe\u201d respectively.<\/p>\n

Attack Chain<\/h3>\n

When the victim downloads and opens the attached executable, the malware performs a series of generic actions like capturing system information, copying the contents of the clipboard and taking screen captures. <\/p>\n

AveMaria then attempts to download stored credentials from Google Chrome and Mozilla Firefox, as well as checks for the presence of Microsoft Outlook. It also attempts to steal email-related usernames and passwords.<\/p>\n

AveMari transmits the information it acquires to its C&C server over a non-standard port.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Malicious spam attachments that exploit a known vulnerability are the primary infection vectors for AveMaria. Infoblox recommends the following actions to reduce the risk of this type of infection:<\/p>\n