Defending the Gates: Understanding and Detecting Ave Maria (Warzone) RAT

Ave Maria RAT (remote access trojan), also known as “Warzone RAT,” is a malware that gains unauthorized access or remote control over a victim’s or targeted computer system. This RAT operates stealthily and grants attackers access to various functionalities within the compromised system. Its malicious activity includes data theft, privilege escalation, remote desktop control, email credential collections, browser credential parsing and more.

This malicious RAT was first observed being spread through a malicious phishing campaign in 2018 and is still active now. Aside from that, it is also a known tool of several APT groups to compromise or gain control of a targeted host. In February 2023, Zscaler shared a blog regarding the Ave Maria tactics and techniques — especially its distribution strategy.

This blog post provides a deep-dive analysis of this threat, including:

• Initial Access (CVE-2017-11882)
• Modify Registry
• Persistence
• UAC Bypass
• Impair Defense like Windows Defender
• Mark-Of-The-Web Bypass
• Command and Script Interpreter
• Process Injection
• System Information Discovery
• Keylogging
• Other Backdoor Capabilities

The VT diagram presented below vividly illustrates a malicious phishing campaign orchestrated by the Ave Maria RAT malware. This campaign encompasses an exploited .rtf file, strategically designed to initiate the download of the authentic RAT onto the compromised host.

^{(For a larger resolution of this diagram visit this link)}

The following section explores Ave Maria tactics, techniques and its capabilities to compromise a targeted host or system.

Initial Access

Ave Maria (Warzone) RAT is notorious for distributing spam email campaigns to disseminate its malware. These spam emails are cleverly crafted to include a malicious attachment, which takes advantage of CVE-2017-11882, a vulnerability in Microsoft Equation Editor, to infect unsuspecting victims' systems.

^{Figure 1. Ave Maria RAT spam email}

With the utilization of this exploit, the crafted malicious MS document or RTF file executes a shellcode responsible for downloading the actual Ave Maria RAT onto the targeted or compromised host. 

Figure 2 shows the screenshots of the shellcode that tries to download the Ave Maria RAT using UrlDownloadToFileW () API.

^{Figure 2. Exploit Shellcode}

After successfully downloading the malicious RAT, it promptly initiates its execution, allowing it to carry out its intended malicious activities. 

Modify Registry 

First it will install an EventObject that will serve as mutex to make sure only one instance of its malware code is running in the compromised host. By default, the number of simultaneous downloads from a web server is only 2. In this case, Ave Maria RAT tweaked the registry to increase the number of downloads to 10 or allow multiple connections to a single server.

Figure 3 shows the code snippet of the this malware that modifies the Internet Settings registry to gain concurrent connections allowed in a single server.

^{Figure 3. MaxConnectionPerServer registry modification}

Bypass User Account Control

The malware leverages the RtlGetVersion() API to determine the operating system version of the compromised host. By inspecting the OS Major Version, specifically checking if it is 10, the malware can identify whether the host is running Windows 10 or Windows Server 2016.

If the OS version condition is satisfied, it will try to bypass the User Account Control feature of Windows Operating System by creating a registry entry to “HKCU\Software\Classes\Folder\shell\open\command\” with the file path of its malware executable then run sdclt.exe that will execute the malware entry in the registry.

^{Figure 4. UAC Bypassed via sdclt.exe}

Impair Defense

The malware includes a function designed to evade security tools like Windows Defender using PowerShell. It achieves this by adding its malware file path to the Windows Defender ExclusionPath. In Figure 5, a screenshot displays the function responsible for initializing and executing the PowerShell command, ensuring that the malware's path remains excluded from scanning by Windows Defender.

^{Figure 5. ExclusionPath command for its malware file path}

Mark-of-the-Web Bypass

Ave Maria RAT also subverted mark-of-the-web (MOTW) controls. In Windows Operating System, when files are downloaded from the internet, they are tagged with a “Zone.Identifier” Alternate Data Stream. 

Files that are tagged with MOTW are protected and cannot perform certain actions. In this scenario, this malware tries to delete that alternate data stream to run its downloaded files without restrictions or protections.

^{Figure 6. Delete Zone.Identifier Alternate Data Stream}

Command and Scripting Interpreter

Ave Maria RAT will drop a copy of itself in %appdata% then it will also drop a batch script named as “program.bat” that can create a process via WMI command-line (WMIC). Figure 7 shows the construction of the batch script relative to its copy of itself.

^{Figure 7. Batch Script Execution}

Process Injection

One of the malware's techniques is code injection. If the current running process is on a 64-bit architecture, it initiates a cmd.exe process and injects its code. Otherwise, it searches for the explorer.exe process to inject its code and subsequently executes it using the CreateRemoteThread() API.

^{Figure 7.Process Injection}

Persistence

During its installation, the malware creates a registry run key that enables automatic execution of its code upon each machine reboot. This technique involves utilizing the well-known registry run key located at:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Within this malicious RAT lies a range of backdoor capabilities designed to execute additional payloads and exfiltrate information from the compromised host. The following sections delve into the noteworthy techniques that the Splunk Threat Research Team (STRT) analyzed that pertain to its backdoor functionalities.

System Information Discovery

One of its backdoor functionalities is to collect system information such as machine GUID, OS version, user name, computer name, token information, CPU architecture, memory information and more. This information will be encrypted and sent to its C2 server.

^{Figure 7. SysInfo Discovery}

Credentials in Registry

The capabilities of Ave Maria RAT extend to searching the registry on compromised hosts or systems for insecurely stored credentials. Specifically, it targets the registry entries associated with the unique Microsoft Outlook profile to extract the following sensitive information:

• Email
• Account Name
• POP3 Server 
• POP3 User 
• SMTP Server
• POP3 password
• SMTP password
• HTTP password 
• IMAP password

^{Figure 8. Outlook Profile Registry Query}

Keylogging

Input capture or keylogging serves as another backdoor capability, enabling the malware to log user keystrokes and intercept credentials as the user types on the compromised host. To implement this technique, the malware hooks API callbacks responsible for processing keystrokes in the Windows OS.

The keystroke log by this malware is saved in “%appdata%\Microsoft Vision\ '' folder path with filename format based on the date and time that file was created.

File name format: dd-mm-yy_hh.mm.ss
             E.g: %appdata%\Microsoft Vision\11.11.23_11.11.11  

^{Figure 9. Keylogging}

Credentials from Web Browsers

Similar to other remote access trojans (RATs) and Trojan Stealers, this malware possesses the ability to acquire credentials stored in web browsers. It achieves this by reading files or databases specific to the targeted browser that contain encrypted credentials, which it then decrypts to extract the plaintext credentials.

^{Figure 10. Acquire Browser Credentials}

Below is a list of targeted browsers from which it attempts to extract credentials:

• Chrome
• Epic Privacy Browser
• Microsoft Edge
• UCBrowser
• QQBrowser
• Opera
• Blisk
• Chromium
• Brave-Browser
• Vivaldi
• Comodo
• Torch
• Slimjet
• CentBrowser
• Firefox

Other backdoor capabilities found during our analysis are:

• Download and execute payload
• Get logical drive type
• Parse fox mail credentials
• Search for files
• List files
• Terminate a process
• Process list
• Shell execute command
• Ping sleep command
• Delete a file
• Create Special Account 
• Reverse shell
• Reverse proxy

Detections

The Splunk Threat Research Team has curated relevant detections and tagged them to the Ave Maria(Warzone) RAT Analytic Story to help security analysts detect adversaries leveraging the malware. 

This release used and considered the relevant data endpoint telemetry sources such as:

• Process Execution & Command Line Logging
• Windows Security SACL Event ID, Sysmon, or any Common Information Model compliant EDR technology
• Windows Security Event Log
• Windows System Event Log
• Windows PowerShell Script Block Logging 

As an example, the analytic Windows Bypass UAC via Pkgmgr Tool identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. 

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
  where  Processes.process_name = pkgmgr.exe Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*",
"*:\\Program Files*"))
  by Processes.dest Processes.user Processes.parent_process_name
Processes.parent_process_path Processes.process_name Processes.process
Processes.process_id
Processes.parent_process_id Processes.original_file_name 
 | `drop_dm_object_name(Processes)` 
 | `security_content_ctime(firstTime)` 
 | `security_content_ctime(lastTime)` 
 | `windows_bypass_uac_via_pkgmgr_tool_filter`

The Windows Modify Registry MaxConnectionPerServer analytic identifies a suspicious registry modification of Windows max connection per server configuration. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where (Registry.registry_path=
"*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet
Settings\\MaxConnectionsPerServer*" OR Registry.registry_path=
"*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet
Settings\\MaxConnectionsPer1_0Server*")  Registry.registry_value_data = "0x0000000a" by
Registry.registry_key_name Registry.user Registry.registry_path
Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)` 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
  | `windows_modify_registry_maxconnectionperserver_filter`

The Windows Unsigned DLL Side-Loading analytic detects potentially malicious unsigned DLLs created in either the c:\windows\system32 or c:\windows\syswow64 folders. 

`sysmon` EventCode=7 Signed=false OriginalFileName = "-" SignatureStatus="unavailable" ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*") 
  | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
  | `windows_unsigned_dll_side_loading_filter`

Overall, the Ave Maria (Warzone) RAT analytic story introduces 21 detections across MITRE ATT&CK techniques. 

Playbooks

Non-hunting detections associated with this analytic story create entries in the Splunk Enterprise Security risk index by default and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. Additionally, the Automated Enrichment playbook pack also works well with the output of any of these analytics.

Why You Should Care

This blog enables security analysts, blue teamers and Splunk customers to identify Ave Maria (Warzone) RAT malware by helping the community discover Ave Maria tactics, techniques and procedures that are being used by several threat actors and adversaries. By understanding its behaviors, the Splunk Threat Research Team was able to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond against this threat.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. 

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions: Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and Patrick Bareiss.