Author: Eric Patterson
Between 25 and 30 April, Infoblox observed a malspam campaign distributing the AveMaria remote access trojan (RAT). Threat actors used email subject lines written in Polish referencing payment confirmations to lure victims into downloading a malicious executable.
Infoblox has previously reported on AveMaria in April 2019 and December 2020 [1, 2].
First reported in early 2019 by the security firm Yoroi, AveMaria is an information-stealing RAT that threat actors typically deliver via malicious attachments in spam campaigns [3].
AveMaria is a modular RAT, so its authors can add or drop capabilities to suit the objectives of a given campaign. Its core functionality harvests credentials from installed email clients (e.g. Outlook), decrypts credentials stored by Firefox, and transmits these and other sensitive information to a command and control (C&C) server.
The threat actors behind this campaign are likely targeting Polish-speaking countries and individuals, based on the primary language of the emails. Both the subject lure and the attachment name are financially themed. The subject line, Ponowne potwierdzenie płatności, is Polish for "Payment reconfirmation" (i.e. "Re: Payment Confirmation"). The attachment name, Permintaan pesanan.exe, is not Polish but Indonesian/Malay, and means "Order request.exe".
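As an added example, not code from Infoblox or from its report, the lure features described above (a Polish payment-themed subject line carrying an executable attachment) can be turned into a mail-gateway check. The script below parses raw RFC 822 messages, matches the subject against the observed lure, and flags attachments that are executable either by extension or by content (a PE file renamed to look like a document). The sample messages, sender and recipient addresses, the second broader subject pattern and the extension list are constructed assumptions for the example, not indicators from the campaign.

```python
"""Flag mail matching the AveMaria lure: Polish payment-themed subject plus
an executable attachment. Added example; sample messages are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject observed in the campaign, plus an assumed looser variant so that
# "Re:"/"FW:" prefixes and small rewordings are still caught.
LURE_SUBJECTS = [
    re.compile(r"ponowne potwierdzenie płatności", re.IGNORECASE),
    re.compile(r"potwierdzenie płatności", re.IGNORECASE),  # assumed variant
]
# Assumed list of extensions a gateway should treat as executable content.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
PE_MAGIC = b"MZ"  # DOS/PE header; catches an .exe renamed to .pdf, .doc, etc.


def is_executable_attachment(part) -> bool:
    """True if the MIME part is executable by filename or by PE magic bytes."""
    name = (part.get_filename() or "").lower()
    if name.endswith(EXEC_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == PE_MAGIC


def analyze(raw: bytes) -> dict:
    """Parse one raw message and return the lure/attachment findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    lure_subject = any(p.search(subject) for p in LURE_SUBJECTS)
    exec_attachments = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if is_executable_attachment(part)
    ]
    if lure_subject and exec_attachments:
        verdict = "block"      # subject lure AND executable payload: campaign match
    elif lure_subject or exec_attachments:
        verdict = "review"     # only one signal: send to analyst queue
    else:
        verdict = "allow"
    return {
        "subject": subject,
        "lure_subject": lure_subject,
        "executable_attachments": exec_attachments,
        "verdict": verdict,
    }


def build_sample(subject: str, filename: str, content: bytes) -> bytes:
    """Construct a test message (constructed data, not a captured sample)."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"   # assumed sender
    m["To"] = "victim@example.invalid"      # assumed recipient
    m["Subject"] = subject
    m.set_content("Proszę potwierdzić płatność w załączniku.")  # "Please confirm the payment in the attachment."
    m.add_attachment(content, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: a campaign-style lure, a disguised PE with a neutral
# subject, and a benign message.
FAKE_PE = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
CAMPAIGN_LURE = build_sample("Ponowne potwierdzenie płatności", "Permintaan pesanan.exe", FAKE_PE)
DISGUISED_PE = build_sample("Faktura 04/2021", "faktura.pdf", FAKE_PE)
BENIGN = build_sample("Spotkanie w czwartek", "notatki.txt", b"agenda: budget review\n")

if __name__ == "__main__":
    for label, raw in (("campaign lure", CAMPAIGN_LURE), ("disguised PE", DISGUISED_PE), ("benign", BENIGN)):
        print(label, analyze(raw))
```

The verdict logic keeps the subject match and the executable check as independent signals: a renamed PE with an unrelated subject still lands in the review queue, and a lure subject with no payload (for example, a stripped attachment) is not silently dropped.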
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.