AveMariaRAT Distributed in Phishing Campaign

Security researchers with FortiGuard Labs tracked a new phishing campaign distributing several strains of fileless malware, one of which is AveMariaRAT.

The campaign spreading AveMariaRAT uses fake documents, usually posing as payment reports, attached to malicious emails. The attack chain is fairly complex, involving macros, JavaScript contained in an HTML file, and PowerShell.

AveMariaRAT, sometimes also referred to as WARZONE RAT, is one of several types of fileless malware distributed in the campaign. Its toolkit is formidable and includes the ability to escalate privileges, remotely control the system, and exfiltrate sensitive information from the target system.

Once deployed on the target system, AveMariaRAT allows remote shell execution, access to the file explorer and the process manager, downloading and executing files, keylogging, and remote control of the webcam.

Along with AveMariaRAT, two other fileless RATs are distributed in the same phishing campaign. One of them is the PandoraHVNC RAT; the other is named BitRAT. BitRAT is the most versatile of the bunch, with a massive 172 commands reportedly available to its operators.

June 2, 2022