The ASEC analysis team has discovered the distribution of malware disguised with a V3 Lite icon and packed with a .NET packer. The attacker likely created an icon almost identical to that of V3 Lite to trick users; AveMaria RAT and AgentTesla were both found being distributed this way during the last month.
As shown in Figure 1, the icon looks almost identical to the actual V3 Lite icon.
AveMaria is a RAT (Remote Administration Tool) with remote control features: it receives commands from the C&C server and performs a variety of malicious behaviors. Like AgentTesla, Lokibot, and Formbook, it is usually distributed in .NET-packed form to bypass anti-malware detection.
Although the original name of AveMaria is WARZONE RAT, it sends the “AVE_MARIA” string for authentication when establishing a proxy connection with the C2 server, which is why it is also known as AveMaria.
Additional features of the malware and the analysis information of its binary can be found in the AhnLab TIP Portal’s detailed analysis report and ASEC blog post.
While the malware is running, winSAT.exe (Windows System Assessment Tool) and a command for UAC privilege escalation using the winmm.dll file were observed, as explained in the previous blog post.
When executed, the malware deliberately delays itself with timeout.exe. It then performs its additional malicious behaviors by injecting a malicious binary into RegAsm.exe, a legitimate Windows process. Figure 4 shows the malicious binary inside the process.
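As an added detection example (not code from the ASEC post), the Python below runs over constructed Sysmon-style process-create and image-load lines and flags the three behaviors described above: RegAsm.exe launched by a parent in a user-writable path, winSAT.exe loading winmm.dll from outside the genuine System32, and one parent spawning both timeout.exe and RegAsm.exe. The field names, paths and the V3Lite.exe file name are assumptions made for the sample data.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style event lines (EventID 1 = process create, 7 = image load);
# sample data written for this example, not logs from the post. V3Lite.exe stands in
# for the icon-spoofed .NET dropper.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Users\u\Downloads\V3Lite.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=1 Image=C:\Windows\System32\timeout.exe ParentImage=C:\Users\u\Downloads\V3Lite.exe",
    r"EventID=1 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ParentImage=C:\Users\u\Downloads\V3Lite.exe",
    r"EventID=7 Image=C:\Users\u\AppData\Local\Temp\winSAT.exe ImageLoaded=C:\Users\u\AppData\Local\Temp\winmm.dll",
    r"EventID=7 Image=C:\Windows\System32\winSAT.exe ImageLoaded=C:\Windows\System32\winmm.dll",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # Key=Value pairs; values may contain spaces
SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

def parse(line):
    return dict(FIELD_RE.findall(line))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_system32(path):
    # Exact normalized prefix and no deeper sub-directory (not a substring check),
    # so a lookalike directory name does not pass as the genuine System32.
    low = path.lower()
    return low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]

def detect(lines):
    alerts = []
    children = defaultdict(set)  # parent image -> basenames of the processes it spawned
    for line in lines:
        ev = parse(line)
        if ev.get("EventID") == "1":
            parent, child = ev["ParentImage"], basename(ev["Image"])
            children[parent].add(child)
            # RegAsm.exe is a legitimate .NET tool; a parent in a user-writable path
            # launching it matches the injection host described in the post.
            if child == "regasm.exe" and parent.lower().startswith(USER_WRITABLE):
                alerts.append(f"RegAsm.exe started by user-writable parent {parent}")
        elif ev.get("EventID") == "7":
            if basename(ev["Image"]) == "winsat.exe" and basename(ev["ImageLoaded"]) == "winmm.dll":
                if not (in_system32(ev["Image"]) and in_system32(ev["ImageLoaded"])):
                    alerts.append(f"winSAT.exe loaded winmm.dll outside System32: {ev['ImageLoaded']}")
    # Correlate per parent: the timeout.exe delay followed by the RegAsm.exe injection host.
    for parent, kids in children.items():
        if {"timeout.exe", "regasm.exe"} <= kids:
            alerts.append(f"delay-then-inject chain: {parent} spawned timeout.exe and RegAsm.exe")
    return alerts
```

Running detect(SAMPLE_EVENTS) yields three alerts; the genuine System32 winSAT.exe/winmm.dll line produces none.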
Besides AveMaria, the distribution of AgentTesla was also found. AgentTesla is an info-stealer that exfiltrates user credentials saved in web browsers, email clients, and FTP clients. It is one of the most widely distributed malware families, consistently ranking high in the ASEC Weekly Malware Statistics.
A check of related malicious files using the V3 Lite icon through AhnLab’s infrastructure showed that they are being actively distributed, most of them as attachments to phishing emails.
As a basic precaution, users should refrain from opening attachments in emails from unknown sources and keep their anti-malware program updated to the latest version to prevent infection in advance.
AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.