Author: Yadu Nadh
TLP: WHITE
Between 2 and 7 December, Infoblox observed a malicious email campaign distributing the AveMaria remote access trojan (RAT). In this campaign, threat actor(s) used subjects referencing text message logs to lure users into opening a malicious Rich Text Format (RTF) file attachment that was disguised as a Microsoft Word document (DOC).
We previously reported on an AveMaria campaign in April 2019 that used shipping lures and contained similar malicious DOC files.[1]
Cyber security company Yoroi first reported on AveMaria in early 2019.[2] It is a RAT with information-stealing abilities and has often been distributed via malicious email campaigns. The malware's other capabilities include communicating with a command and control (C&C) server, downloading and executing additional malware, and bypassing Windows User Account Control (UAC), among others.
In this campaign, threat actor(s) sent emails with the subject line SMS Logs-Nov 2020. The body of the emails instructed the recipients to verify the payment that was sent.
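The lure depends on an attachment whose extension says DOC while its content is RTF. The following Python sketch is an added example, not code from Infoblox or the report; it flags that mismatch in a raw email by comparing each attachment's extension with its leading bytes. The addresses, attachment filename and payload are constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Leading bytes that identify the real container format of an attachment.
MAGIC = {
    b"{\\rt": "rtf",                               # loose match for the {\rtf1 header
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy binary .doc
    b"PK\x03\x04": "zip",                          # OOXML (.docx)
}
# Container format each extension is expected to hold.
EXPECTED = {".doc": {"ole2"}, ".docx": {"zip"}, ".rtf": {"rtf"}}

def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring leading whitespace."""
    head = data.lstrip(b" \t\r\n")[:8]
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def mismatched_attachments(raw: bytes):
    """Return (subject, filename, extension, real_format) for each mismatch."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        kind = sniff(part.get_payload(decode=True) or b"")
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            findings.append((str(msg["Subject"]), name, ext, kind))
    return findings

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; addresses, filename and payload are made up."""
    m = EmailMessage()
    m["Subject"] = "SMS Logs-Nov 2020"
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m.set_content("Please verify the payment that was sent.")
    m.add_attachment(payload, maintype="application", subtype="msword",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample("SMS_Logs.doc", b"{\\rtf1\\ansi constructed benign text}")
    for finding in mismatched_attachments(raw):
        print("extension/content mismatch:", finding)
```

A mismatch is a triage signal rather than a verdict, so flagged attachments still need analysis before any conclusion about the sender.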
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–11
2. https://yoroi.company/research/the-ave_maria-malware/