Exploiting an Unpatched Vulnerability, the Ave_Maria Malware Is Not Full of Grace
CofenseTM has seen a rise in phishing campaigns designed to deliver a type of stealer malware called Ave_Maria. It contains a capability, DLL hijacking, that uses a vulnerability with no forthcoming fix. With origins in a publicly available utility, DLL lets Ave_Maria gain greater admin privileges and avoid detection, then steal information so it can download additional plugins and potentially other payloads. This malware can bypass detection and privilege restrictions on many endpoints.
Using publicly available utilities to exploit unpatched vulnerabilities—threat actors are upping the ante as the year begins. One smart way to prevent phishing threats from appearing on endpoints: educate employees to spot and report suspicious messages.
Cofense IntelligenceTM has seen an increase in Ave_Maria Stealer phishing campaigns. Ave_Maria Stealer is a modular information stealing malware family that attempts to elevate its privileges and avoid detection by using DLL hijacking and COM objects. Once Ave_Maria Stealer has achieved privilege escalation, it steals locally stored information and begins downloading additional plugins and potentially acting as an intermediate downloader for additional payloads.
Windows uses privilege levels to control access to its functions, from local system operations to network infrastructure access. With escalated privileges, a process can act as if it has administrative access, allowing it to modify system settings, gather information about the local system, and access otherwise hidden or protected files. A user or process with sufficient privileges is also able to access local network infrastructure and, in some cases, to access other computers on the network. This type of access to information and files makes privilege escalation a target for almost all threat actors.
The privilege escalation techniques used by Ave_Maria Stealer originate with the publicly available UACME utility that uses a form of DLL hijacking. Despite being a well-known and documented exploit, there is no clear evidence of a fix being issued for DLL hijacking or that the vulnerability has been addressed. This method of privilege escalation by DLL hijacking takes advantage of pkgmgr.exe—a legitimate whitelisted application that automatically runs with elevated privileges.
As shown in Figure 1, pkgmgr.exe is used to run DISM via dism.exe, which attempts to load a normally non-existent DismCore.dll from C:\Windows\SysWOW64\, or the equivalent C:\Windows\System32\ on 32 bit versions of Windows, before loading the correct .dll from C:\Windows\SysWOW64\Dism\DismCore.dll. Although the file ellocnak.xml shown in Figure 1 contains information used by dism.exe, the contents of the file are not directly used by the privilege elevation utility and are primarily used to ensure that the correct .dll is used.
Figure 1 – pkgmgr.exe API Call Used to Run dism.exe
The privilege elevation utility takes advantage of the attempted loading of a normally non-existent .dll by dropping a malicious DLL to C:\Windows\SysWOW64\dismcore.dll, seen in the bottom of Figure 2, which is loaded by dism.exe and consequentially by a pkgmgr.exe with elevated privileges.
Figure 2 – Correct DLL Location Compared to Malicious DLL Location
This enables the malicious DLL to run with elevated privileges and finally re-launches an Ave_Maria Stealer binary.
Despite the use of an advanced privilege escalation utility, certain parts of the malware still appear to be in a testing phase of sorts. When the privilege escalation utility portion of Ave_Maria stealer is run as an administrator, the simplistic error message seen in Figure 3 appears and when the user clicks “OK” the program terminates without taking further action.
Once Ave_Maria Stealer is in place and has elevated privileges, it attempts to perform some basic information stealing activities, targeting saved credentials for Google Chrome, Thunderbird, Microsoft Outlook, and other applications. It then exfiltrates some basic information, including the user name, before attempting to download an executable used for further information stealing.
Ave_Maria Stealer’s use of a privilege elevation utility and multiple embedded binaries enables it to bypass detection and privilege restrictions on many endpoints. Threat actor usage of publicly available utilities that exploit known unpatched vulnerabilities highlights how security challenges are constantly evolving—and how preventative measures are not always able to keep up.
To stay in front of emerging phishing and malware threats, sign up for free Cofense Threat Alerts.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.