Ave Maria

Ave Maria is a piece of malware, which was uncovered by cybersecurity researchers rather recently. It was first spotted back in January 2019 when several Italian companies were selected by the Ave Maria malware. All the companies were in the energy sector, namely dealing with gas and oil. Employees of these corporations were targeted via a phishing email campaign. The emails sent to the people working in the targeted companies contained attached Microsoft Office files macro-laced with a script that executes a series of PowerShell commands that aim to deploy Ave Maria's payload and gain persistence. The Ave Maria malware would exploit a vulnerability in the Microsoft Office Service Pack called 2017-11882. Through this vulnerability, the attacker can remotely download and execute .exe files on the system that has been infiltrated.

The fact that high-profile companies like the ones targeted in Italy would come to show us that the attackers are likely after some sensitive data that they can extract. This is what the Ave Maria malware is built for. This cunning malware is capable of collecting Web browser passwords. It can even gather passwords from Mozilla Firefox, which are encrypted and decrypt them. While in previous campaigns the authors of the Ave Maria malware used the AutoIt scripting language to execute the deployment and initialization of their product, now they have opted for an alternative route that relies on a complicated multi-stage attack that may enable them to dodge the detection of some anti-virus products.

The Ave Maria malware was employed again recently. The attackers used the tried and tested method of launching a phishing email campaign. This time, however, the creators of the Ave Maria malware have chosen a different method of infection. They use a combination of VBScript, PowerShell commands, and obfuscated code hosted on a public text storing service to execute the attack. PowerShell extracts information from a popular website that stores text. Next, the obfuscated data is decoded, and this triggers the process responsible for the execution of the Ave Maria.

When the Ave Maria malware is deployed, it will use a vulnerability in the Windows Component called PkgMgr. Exploiting this vulnerability lets Ave Maria go through the UAC (User Account Controls) uninterrupted, which means that the creators of the malware would have access to sensitive data, which they can collect easily. Once again, the Ave Maria malware targets sensitive information stored in Mozilla Firefox, as well as any email applications that may be installed on the system.

The Ave Maria malware is threatening particularly, and companies need to employ and maintain a high-quality anti-malware suite to keep threats like this away from their servers.