The cyber threat landscape has lately seen growing use of info-stealers among cybercriminals. One such info-stealer, dubbed AveMaria, has been changing tactics to infect more users. Researchers from Zscaler have provided an in-depth analysis of the changes adopted and the new tactics, techniques, and procedures that characterize an AveMaria attack.
Recent observations
Over the past six months, the operators behind the info-stealer have been making significant additions to the execution stages to infect more users.
Most of these attacks were initiated via phishing emails; the first was identified in August 2022.
The phishing emails carried an ISO file attachment containing three decoy documents and four shortcut files, and were used to target Ukrainian officials.
AveMaria’s previous occurrences
In December 2022, experts uncovered two versions of the AveMaria attack chain that leveraged the Virtual Hard Disk file format to drop the malicious downloader. In one scenario, adversaries used a malicious .vhdx file to download the malware; in the other, they leveraged type casting or type conversion mechanisms (to manipulate values at the bit level) and dropped a .vhd file as the initial payload.
In October 2022, the malicious payload was dropped via AUloader. The phishing campaign leveraged a highly obfuscated AutoIt script and the AutoIt interpreter to decrypt the AveMaria binary in memory and then execute the payload.
In September 2022, VBScript and DLL injection techniques were used during the execution stages to evade detection. The campaign targeted Serbian users by asking them to update their login credentials for the government e-identification portal.
What does this indicate?
Researchers highlight that the developers of the AveMaria malware are actively maintaining it, updating the phases and stages of execution with new tactics to evade detection.
The malware distribution mechanisms were changed monthly, so that even if one mechanism was flagged by security operators, the others could still be used effectively.
Conclusion
Since these attacks primarily originated from phishing emails, organizations are advised to have a better email security solution in place to thwart such threats in the initial stages. Moreover, they can refer to the IOCs provided by Zscaler to understand the full scope of the attack chains.
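The delivery containers described above (an ISO carrying shortcut files, and VHD/VHDX disk images) can be spotted at the mail gateway by content rather than by file extension alone. The following is an added example written for this page, not code from Zscaler or the original article; the sample message, attachment names and signature-based checks are constructed here for illustration.

```python
import os
from email.message import EmailMessage
from typing import Dict, List, Optional

# Disk-image container types this page reports AveMaria phishing using.
CONTAINER_EXTS = {".iso", ".vhd", ".vhdx"}


def sniff_disk_image(data: bytes) -> Optional[str]:
    """Identify ISO 9660 / VHD / VHDX by on-disk signature, ignoring the filename."""
    # ISO 9660: primary volume descriptor at sector 16; "CD001" at byte offset 32769.
    if len(data) >= 32774 and data[32769:32774] == b"CD001":
        return "iso9660"
    # VHDX: file type identifier "vhdxfile" at offset 0.
    if data[:8] == b"vhdxfile":
        return "vhdx"
    # VHD: "conectix" footer in the last 512 bytes (dynamic VHDs also copy it to offset 0).
    if data[:8] == b"conectix" or (len(data) >= 512 and data[-512:-504] == b"conectix"):
        return "vhd"
    return None


def triage_message(msg: EmailMessage) -> List[Dict]:
    """Flag attachments that are disk-image containers by extension or by content."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        kind = sniff_disk_image(data)
        if ext in CONTAINER_EXTS or kind is not None:
            findings.append({
                "filename": name,
                "detected_format": kind,
                # A disk image named like a document is the stronger signal.
                "extension_mismatch": kind is not None and ext not in CONTAINER_EXTS,
            })
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed sample (hypothetical sender/names): one honest .iso, one VHDX posing as a PDF, one real-looking PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Documents for review"
    msg.set_content("Please review the attached documents.")
    iso_blob = b"\x00" * 32769 + b"CD001" + b"\x00" * 3          # minimal ISO 9660 signature
    msg.add_attachment(iso_blob, maintype="application", subtype="octet-stream", filename="Invoice.iso")
    vhdx_blob = b"vhdxfile" + b"\x00" * 120                       # VHDX header, misleading extension
    msg.add_attachment(vhdx_blob, maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="notes.pdf")
    return msg
```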