AveMaria / WarzoneRAT (also known as AveMaria, WarzoneRAT) is a C++/.NET-based remote access trojan active since 2018. Commercial .NET RAT. Key capabilities include: UAC bypass, webcam, reverse proxy, HRDP, password recovery, $38/month MaaS.
Overview & Background
Commercial .NET RAT. First observed in 2018, AveMaria is attributed to eCrime (MaaS), seized by FBI 2024. The malware is written in C++/.NET and provides operators with comprehensive remote access capabilities.
AveMaria continues to be actively distributed and used in campaigns targeting organizations worldwide. Its capabilities include: UAC bypass, webcam, reverse proxy, HRDP, password recovery, $38/month MaaS.
- Language: C++/.NET
- Active since: 2018
- Attribution: eCrime (MaaS), seized by FBI 2024
- Also known as: AveMaria, WarzoneRAT
Technical Capabilities
- Uac Bypass: Core AveMaria capability T1059
- Webcam: Core AveMaria capability T1059
- Reverse Proxy: Core AveMaria capability T1059
- Hrdp: Core AveMaria capability T1059
- Password Recovery: Core AveMaria capability T1059
- $38/Month Maas: Core AveMaria capability T1059
Distribution Methods
AveMaria is typically distributed through phishing emails with malicious attachments, cracked software downloads, and malvertising campaigns. Common delivery mechanisms include Office macros, ISO/IMG containers, and script-based downloaders.
- Phishing emails: Malicious attachments and links T1566.001
- Malvertising: SEO poisoning and malicious ads T1189
- Cracked software: Bundled with pirated applications
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Malicious email attachments |
| Execution | T1204.002 Malicious File | User executes RAT payload |
| Persistence | T1547.001 Registry Run Keys | Autostart persistence |
| Defense Evasion | T1027 Obfuscated Files | Payload obfuscation |
| Credential Access | T1056.001 Keylogging | Keystroke capture |
| Collection | T1113 Screen Capture | Screenshot collection |
| Collection | T1125 Video Capture | Webcam access |
| C2 | T1071.001 Web Protocols | HTTP/HTTPS C2 communication |
Detection & Defense
- Endpoint detection: Monitor for C++/.NET processes with network connections from unusual locations
- Network monitoring: Detect C2 traffic patterns associated with AveMaria
- Email security: Block malicious attachments and links in phishing campaigns
- Application whitelisting: Restrict execution of unauthorized binaries
- YARA rules: Deploy detection signatures for known AveMaria variants
Protect Against Remote Access Trojans
Mjolnir Security provides comprehensive detection and response capabilities against AveMaria and similar RAT threats.
- RAT Detection & Removal Identify and remediate AveMaria infections including persistence mechanisms and lateral movement artifacts.
- Threat Intelligence Continuous monitoring for AveMaria campaigns and infrastructure targeting your organization.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts