AveMaria infostealer malware altered its strategy to propagate

February 21, 2023
AveMaria Infostealer Malware Cyberthreat

The latest investigation revealed that the AveMaria infostealer had changed its strategies to infect more users. Based on reports, the operators of this infostealer have made changes and adopted new TTPs to increase the efficiency of AveMaria campaigns.

Researchers claimed that the operators of this infostealer have been making changes for almost half a year, adding execution stages to reach more targets. Moreover, most of these attacks were delivered through phishing emails.

The phishing emails distributed by the operators carried an ISO file attachment along with three decoy documents and four shortcut files. The primary targets of this phishing campaign are Ukrainian officials.


The AveMaria infostealer has made its presence felt throughout the last quarter of 2022.


In September last year, the AveMaria infostealer operators used VBScript and DLL injection tactics during their execution stages to bypass security solutions. The campaign targeted individuals from Serbia by requesting them to update their login credentials for accessing their government e-ID portal.

The following month, the group dropped their payload through AUloader. Their new campaign used a highly obfuscated AutoIt interpreter and AutoIt script to decrypt the AveMaria binary in memory and run the payload.

Furthermore, in December, the researchers identified two variants of the AveMaria attack chain, which utilised the Virtual Hard Disk file format to drop the malicious downloader. They also leveraged type casting (type conversion) to alter values at the bit level and drop a [.]vhd file as the initial payload.
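Both delivery chains described above (the ISO attachment with shortcut files, and the later VHD initial payload) rely on a mountable disk image reaching the user's mailbox. The following triage script is an added example, not code from the original article or from the cited researchers; it parses a raw e-mail with Python's standard library and flags attachments that look like ISO or VHD containers, checking magic bytes as well as the extension so that a renamed image is still caught. The sample message, its filenames and addresses are constructed for the demonstration.

```python
import os
import email
from email import policy
from email.message import EmailMessage

ISO_MAGIC_OFFSET = 0x8001          # ISO 9660 primary volume descriptor: "CD001" one byte into sector 16
VHD_COOKIE = b"conectix"           # VHD footer cookie (also mirrored at offset 0 of dynamic disks)
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}  # mountable containers seen in this delivery chain


def classify_blob(name, data):
    """Return the reasons an attachment looks like a mountable disk image (empty list if none)."""
    reasons = []
    ext = os.path.splitext(name.lower())[1]
    if ext in CONTAINER_EXTS:
        reasons.append(f"disk-image extension {ext}")
    # Check the magic bytes too, so a container renamed to e.g. .pdf is still caught.
    if len(data) >= ISO_MAGIC_OFFSET + 5 and data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001":
        reasons.append("ISO9660 volume descriptor found")
    if data.startswith(VHD_COOKIE) or data[-512:][:8] == VHD_COOKIE:
        reasons.append("VHD footer cookie found")
    return reasons


def triage_eml(raw_message):
    """Parse a raw RFC 822 message and return [(filename, reasons)] for suspicious attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reasons = classify_blob(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_eml():
    """Constructed sample message (not a real campaign artefact) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Documents for review"
    msg.set_content("Please review the attached documents.")
    fake_iso = b"\x00" * ISO_MAGIC_OFFSET + b"CD001" + b"\x00" * 2043   # minimal ISO-like blob
    msg.add_attachment(fake_iso, maintype="application", subtype="octet-stream", filename="invoice.iso")
    fake_vhd = VHD_COOKIE + b"\x00" * 504                                # 512-byte VHD-like footer
    msg.add_attachment(fake_vhd, maintype="application", subtype="octet-stream", filename="report.pdf.vhd")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()
```

Running `triage_eml(build_sample_eml())` reports the ISO and the VHD attachments and leaves the plain PDF alone; on a mail gateway the same check can be applied to each message before delivery.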

Cybersecurity experts claimed that the AveMaria malware developers are constantly maintaining the malware and updating its mechanics and execution phases with new TTPs to avoid detection by security defenders.

Additionally, the actors change the malware distribution method monthly so that their payload is still delivered even if it gets flagged by security solutions.

Organisations should adopt a stronger email security solution to minimise the chance of infection, since the primary vector of this operation is phishing email. Lastly, organisations should train employees to spot such attacks in order to thwart these threats.
