{"id":7049,"date":"2021-10-12T13:14:02","date_gmt":"2021-10-12T20:14:02","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7049"},"modified":"2024-08-07T12:18:50","modified_gmt":"2024-08-07T19:18:50","slug":"fake-delivery-spam-email-drops-ave-maria-rat","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/fake-delivery-spam-email-drops-ave-maria-rat\/","title":{"rendered":"Fake Delivery Spam Email Drops Ave Maria RAT"},"content":{"rendered":"

Author: Nick Sundvall<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

On 5 and 6 October, Infoblox observed that a malspam campaign was distributing the remote access trojan (RAT) Ave Maria through a Microsoft Word file. The threat actors were using a DHL-themed lure to entice the targets into opening the malicious attachment. Ave Maria was first seen at the end of 2018,1<\/sup> and cybersecurity company Yoroi first reported on it at the beginning of 2019.2<\/sup> We have previously reported on Ave Maria campaigns in 20193<\/sup> and 2020.4<\/sup><\/p>\n

2. Customer impact<\/h3>\n

The malware\u2014dubbed Ave Maria due to a string in its code but marketed and sold as WARZONE RAT (the most basic version goes for as low as $22.95 a month)\u2014is capable of remotely controlling infected machines, exfiltrating stolen credentials and other information to a command and control (C&C) server, taking screenshots, controlling webcams, logging keystrokes, and more.<\/p>\n

The threat actors advertise regular updates to the malware, as well as a variety of exploits, to install the malware onto a victim\u2019s computer.<\/p>\n

3. Campaign analysis<\/h3>\n

The DHL-themed subject of the email, DHL NOTIFICATION: INV,PL AND BL<\/em>, and part of\u00a0 its body, Kindly confirm if the address is Correct in tracking page attached<\/em>, tried to lure the target into opening the malicious attachment.<\/p>\n

4. Attack chain<\/h3>\n

Opening the attached DHL_AWB_INV_PL_BL.doc launches an exploit of CVE-2017-11882: a vulnerability in Microsoft Equation Editor. The file then downloads and executes falcadhgy.exe, the Ave Maria payload. Ave Maria then connects to its C&C and sends it the stolen credentials.<\/p>\n

\"\"<\/p>\n

5. Vulnerabilities and mitigation<\/h3>\n

Because malspam emails are a common distribution method for malware, Infoblox recommends the following precautions used to avoid malspam attacks:<\/p>\n