Ave Maria

Malware

⚠️ Overview

Ave Maria, also tracked as Warzone RAT, is a commercial remote access trojan (RAT) first observed in 2018. It is sold as malware-as-a-service on underground forums and operated by threat actors including the group tracked as TA570 by Proofpoint. Ave Maria is categorized as a RAT with keylogging, credential theft, and screen capture capabilities.

🔧 Technical Capabilities

Ave Maria propagates via phishing emails containing malicious Microsoft Office documents or downloader executables. It establishes persistence through registry RUN keys and scheduled tasks. The RAT uses a custom C2 protocol over TCP port 443 or 80, often obfuscated with XOR encryption and base64 encoding. It performs process hollowing and injects into legitimate processes like svchost.exe or explorer.exe to evade detection. Ave Maria employs certificate stealing from browsers and FTP clients, and can capture keystrokes, clipboard data, and screenshots. It also includes a VNC module for remote desktop control (MITRE ATT&CK ID T1056).

📜 History & Notable Incidents

First reported by Check Point in 2018 as a variant of Warzone RAT, Ave Maria was used in targeted attacks against healthcare and education sectors throughout 2020-2022. In May 2022, the FBI and CISA issued a joint advisory (AA22-143A) warning of Ave Maria being delivered via phishing campaigns related to COVID-19 themes. No specific CVEs are associated with the RAT itself; it exploits CVE-2017-0199 and CVE-2018-0802 for Office document execution. Law enforcement arrested the alleged developer in Malta in February 2023, but the malware remains in active use.

🔍 Detection Indicators

Known IoCs include mutex names such as GlobalWZFS and registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with values like WindowsUpdate. Network indicators include HTTP POST requests to /gate.php or /g.php with User-Agent strings such as Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2). File hashes from recent campaigns (SHA256) include 7a2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2) – see CISA AA22-143A for full list.

☠️ Risk & Impact

Ave Maria enables full remote control, leading to data exfiltration of credentials, financial records, and intellectual property. It has been used in ransomware pre-positioning campaigns against healthcare providers, causing operational disruption and significant financial losses. Sectors most affected include healthcare, education, and manufacturing.

🛡️ Mitigation

Defenders should block phishing emails with malicious attachments, deploy endpoint detection rules for process hollowing (e.g., Sysmon Event ID 8), and enable AMSI in PowerShell. The CISA joint advisory recommends using network signatures for /gate.php requests and applying the latest Office patch for CVE-2017-0199.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.