Cybersecurity researchers have managed to uncover a malicious spam email campaign delivering weaponized file attachments. The lure emails of the operation were presented to users as important notifications about a recent payment report. The messages tried to pass themselves as being sent from reputable sources. The attached Excel Add-In (.xlam) file, however, contains malicious macros that are triggered upon execution. The goal of the attackers is to deliver three fileless RAT (Remote Access Trojans) threats - AveMariaRAT, PandorahVNC RAT, and BitRAT, to the victim's device. Details about the initial infection vector and the delivered threats were revealed to the public in a security report by Fortinet.
The AveMariaRAT threat is potent malware that allows threat actors to establish control over the breached device and perform numerous intrusive actions. It is the first of the three identified RAT threats to be dropped on the victim's machine by being injected into a freshly-created process named 'aspnet_compiler.exe.' The threat is equipped with several switch flags that can modify whether it adds itself to the auto-run group, tries to bypass the Windows' UAC (User Account Control), or circumvent Windows Defender.
AveMaria establishes a connection with a Command-and-Control (C2, C&C) server with the communication between the two being RC4 encrypted. Once it has been fully established on the system, the RAT provides numerous options to its operators. The threat actors can activate remote shell, remote VNC (Virtual Network Computing), manipulate the file system, control the webcam, activate a remote keylogger routine, escalate their privileges on the device, and more.
AveMariaRAT's Password Manager feature can try to steal account credentials from a wide range of targeted apps including popular web browsers such as Chrome, Edge, Epic Privacy browser, Tencent QQBrowser, Opera, Brave, Vivaldi, and more. In addition, it can impact various email clients including MS Outlook, Microsoft Messaging, Tencent Foxmail, etc.