Internals of AVE_MARIA Spyware
Spyware targeting India & Pakistan with India-Pakistan Conflict Propaganda.
Recent research from Lookout shows Indians and Pakistanis being targeted by a pro-India APT group known as “Confucius”. According to ZDNet and Lookout research, the same group spreads propaganda against Muslims and targets Muslim users as well. AVE_MARIA is a stealthy information-stealing malware that behaves much like spyware.
Static and Dynamic Analysis
Static Analysis (Advanced)
Starting with the exports of the AVE_MARIA sample: there is only one, “DllEntryPoint”. Export of AVE_MARIA malware.
So, let’s dig in.
DllEntryPoint is the entry point of this executable; it creates a thread with CreateThread() whose start routine is the main function.
This is the main function of AVE_MARIA. It consists of functions that perform heap operations, anti-VM/anti-analysis checks, scrambling, and communication with the command and control server (C&C/C2), such as GetStartupInfoA(), callr_of_heap_ops(), scrambling, and anti_heap_scrambling_bufr_C2_comm().
In this function, a buffer on the victim system is first zero-filled using fill_up_bufr_with_zeros/fill_up_bufr_with_zeros_1, then GetModuleFileName() is called to get the module’s file name, after which file_ops() runs. anti_analysis() is then deployed to make the analyst’s job of analysing the malware harder. Next, v5 holds “heap_ops_1” and is transferred to v6, which is used as a pointer: inside a do-while loop v6 is incremented and set to 0 while v4 is pre-decremented, and v4 itself is the loop condition. An event is then created with CreateEventA() and its handle stored in hObject. Further on, the code checks “GetLastError() != 183” (183 is ERROR_ALREADY_EXISTS, i.e. the named event did not already exist) and performs a second conditional check on hObject. RegCreateKeyExA() then creates the registry key “Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings” under HKEY_CURRENT_USER, some registry values are set right after it with RegSetValueExA(), and RegCloseKey() closes the key. After that, another payload is unpacked, with some more file operations, to exploit the victim system.
This function performs file operations on the victim system using CreateFileA(), GetFileSize(), ReadFile() and CloseHandle().
This function serves an anti-analysis purpose, hindering the analyst.
This function unpacks another payload on the victim system.
This is the function called from the previous one; it unpacks the payload into the victim system’s memory.
In this module, unpacking happens in allocation_unpacking_ops, followed by the function that communicates with the command and control server (C&C/C2); the proxies for C2 communication are also set up by set_proxie_for_C2_comm().
This module of AVE_MARIA handles communication with the C2.
This function sets up the proxies for C2 communication.
The encryption algorithm used by this malware is RC4.
This is the function that performs RC4-based encryption on data: it creates the S-box, scrambles the data, and performs heap operations.
This module creates the substitution box (S-box) and scrambles data using the RC4 algorithm.
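As an added example (not code from the original post, and not the sample’s own routine), here is a plain Python RC4 implementation split into the two stages the analysis describes: the key-scheduling step that builds the 256-byte S-box and the keystream step that scrambles the data. Because RC4 is symmetric, an analyst can reuse the same routine to decrypt data recovered from a sample once the key has been pulled from the binary or from memory; the key and plaintext used in the demo are published RC4 test vectors, not values from AVE_MARIA.

```python
# Added example: textbook RC4 (KSA builds the S-box, PRGA produces the
# keystream that is XORed with the data). Not code from the sample.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: identity permutation, then key-driven swaps."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(s: list, length: int) -> bytes:
    """PRGA: walk the S-box, swapping as we go, and emit `length` keystream bytes."""
    s = s.copy()  # never mutate the caller's S-box; each stream starts fresh
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def decrypt_captured_blob(key: bytes, blob_hex: str) -> bytes:
    """Analyst helper: decrypt a hex-encoded blob (e.g. a captured C2 payload)
    with a key recovered from the sample."""
    return rc4_crypt(key, bytes.fromhex(blob_hex))


if __name__ == "__main__":
    # Published RC4 test vector (key "Key", plaintext "Plaintext"); not sample data.
    key = b"Key"
    ct = rc4_crypt(key, b"Plaintext")
    print(ct.hex())  # bbf316e8d940af0ad3
    print(decrypt_captured_blob(key, ct.hex()))  # b'Plaintext'
```

One practical consequence worth noting: RC4 is a pure keystream XOR, so any two messages encrypted under the same key with no per-message nonce share a keystream, and a single known plaintext (such as a fixed C2 beacon format) exposes the keystream prefix for every other message.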
This malware uses anti-debugging techniques extensively, so it cannot be debugged easily.
Indicators of Compromise (IOCs) and Detections
Network [C2 Communications]
72[.]21[.]81[.]240 & 108[.]62[.]12[.]210
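As an added example (not from the original post), the following Python scans constructed log lines for the indicators this write-up provides: the two defanged C2 addresses above, and the HKEY_CURRENT_USER registry key the analysis says the sample creates (“Software\Microsoft\Windows\CurrentVersion\Internet Settings”). The log formats, IP addresses other than the two IOCs, and event fields are constructed for the demonstration and are not real telemetry.

```python
# Added example: match the page's IOCs against log lines. Defanged IPs are
# refanged before matching, and IPs are matched as whole tokens so that, for
# instance, 172.21.81.240 does not trigger on the indicator 72.21.81.240.
import re

# Indicators exactly as given in the write-up.
DEFANGED_C2 = ["72[.]21[.]81[.]240", "108[.]62[.]12[.]210"]
REGISTRY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def refang(indicator: str) -> str:
    """Turn a defanged IOC back into a matchable value ('[.]' -> '.')."""
    return indicator.replace("[.]", ".")


C2_IPS = {refang(ip) for ip in DEFANGED_C2}

# Whole IPv4 tokens anywhere in a line (proxy, firewall or NetFlow style logs).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Registry paths in endpoint telemetry usually carry a hive prefix; accept
# either spelling of the current-user hive, case-insensitively.
REG_RE = re.compile(r"(?i)(?:HKCU|HKEY_CURRENT_USER)\\" + re.escape(REGISTRY_PATH))


def scan_line(line: str) -> list:
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            hits.append(("c2_ip", ip))
    if REG_RE.search(line):
        hits.append(("registry_key", REGISTRY_PATH))
    return hits


def scan_log(lines: list) -> list:
    """Scan many lines; return (line_number, hits) for every line with a hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log lines (hypothetical formats, not real telemetry).
SAMPLE_LOG = [
    "2020-02-01T10:00:01Z proxy ALLOW src=10.0.0.5 dst=93.184.216.34:443",
    "2020-02-01T10:00:07Z proxy ALLOW src=10.0.0.5 dst=72.21.81.240:80",
    "2020-02-01T10:00:09Z endpoint RegistryEvent CreateKey "
    r"TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
    "2020-02-01T10:00:12Z firewall DENY src=10.0.0.9 dst=108.62.12.210:443",
    "2020-02-01T10:01:00Z proxy ALLOW src=10.0.0.5 dst=172.21.81.240:80",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

The registry key itself is a legitimate, frequently written location (it holds the per-user Internet proxy settings), so a hit on it alone is a weak signal; treat it as context to correlate with the network indicators or with the process that wrote it rather than as a standalone alert.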
MITRE ATT&CK Techniques
Sample from Report
YARA Signature: https://medium.com/media/00b185536cf7d35da72ca7c04d985f07/href
From Lookout Research Blog:
From ZDNet Research Blog:
Thank you for reading.