The Ave Maria virus is back: why it is dangerous and how to defend yourself

The name of this virus has nothing to do with its behaviour: Ave Maria is a dangerous "infostealer" malware able to steal sensitive data from users.

In the last week, Italian cybersecurity researchers have seen an old acquaintance of theirs reappear: the Ave Maria malware. Behind this curious name hides a rather dangerous "infostealer" type virus that had not been seen circulating for several months: a piece of malware able to steal a great deal of sensitive data from the devices it attacks.

According to what has been reported by the Italian IT security company D3Lab, which collaborates with the Computer Emergency Response Team of the Agency for Digital Italy (Cert-Agid), part of the Presidency of the Council of Ministers, a new phishing campaign is underway aimed at spreading this virus again in Italy, about two years after its first appearance. Malware, unfortunately, never gets old: it is constantly updated to make it harder to detect and more effective in what it can do. The same may well have happened with Ave Maria, and the fact that it is circulating again is not good news.

Why is the virus called Ave Maria

Before we continue with the analysis of Ave Maria malware and explain why it is so dangerous, we have to answer the question that most of our readers are probably already asking: why is this virus called "Ave Maria"?

The answer is simple: "AVE_MARIA" is the string that the malware sends from the infected device to its control server to signal that it has managed to get onto the device and that the server can now send it further instructions, commands and other malicious code to execute.

This communication procedure is common to modern malware: to avoid being discovered, the infection starts with a bare-bones piece of code that then contacts its "C2" (Command and Control) server to receive the rest of the malicious material. Usually the message is "HELLO"; in this case it is "AVE_MARIA".
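Because the check-in string is the one concrete indicator the article names, a defender can look for it in outbound traffic. The following is an added example, not code from the article or from D3Lab/Cert-Agid: it assumes the "AVE_MARIA" string travels in cleartext and that a network sensor exports one line per connection as "timestamp src_ip dst_ip:port hex-of-first-payload-bytes"; the export format, hosts, ports and timestamps are all constructed for the example.

```python
# Added example (not from the article): flag outbound connections whose first
# payload bytes carry the "AVE_MARIA" C2 check-in string described above.
# Assumptions (hypothetical): the string is sent in cleartext and the sensor
# exports one line per connection as
#   "<timestamp> <src_ip> <dst_ip>:<dst_port> <hex of first payload bytes>".
from collections import defaultdict

CHECKIN_STRING = b"AVE_MARIA"  # the C2 "hello" named in the article

# Constructed sample export: hosts, ports, timestamps and bytes are made up.
# Line 1 and 3: the check-in string; line 2: a TLS ClientHello; line 4: "HELLO\n".
SAMPLE_EXPORT = """\
2021-03-01T09:12:01 10.0.0.15 203.0.113.9:5200 4156455f4d41524941
2021-03-01T09:12:05 10.0.0.22 198.51.100.4:443 16030100c5010000c1
2021-03-01T09:13:44 10.0.0.15 203.0.113.9:5200 4156455f4d41524941
2021-03-01T09:14:02 10.0.0.31 192.0.2.77:5200 48454c4c4f0a
"""


def parse_export(text):
    """Yield (timestamp, src, dst, payload_bytes) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing
        ts, src, dst, hexpayload = parts
        try:
            payload = bytes.fromhex(hexpayload)
        except ValueError:
            continue  # non-hex payload field: skip the record
        yield ts, src, dst, payload


def find_checkins(text):
    """Return {src_ip: [(timestamp, dst), ...]} for connections whose first
    payload bytes contain the Ave Maria check-in string."""
    hits = defaultdict(list)
    for ts, src, dst, payload in parse_export(text):
        if CHECKIN_STRING in payload:
            hits[src].append((ts, dst))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_checkins(SAMPLE_EXPORT).items():
        servers = sorted({dst for _, dst in events})
        print(f"{host}: {len(events)} suspected check-in(s) to {servers}")
```

On the constructed sample only 10.0.0.15 is flagged, twice, towards the same server; the "HELLO" beacon is deliberately not matched so the rule stays specific to this family.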

Why the Ave Maria virus is dangerous

The Ave Maria virus became quite notorious in Italy between late 2018 and early 2019, when an Italian oil company (whose name has never been revealed) was hit by this "infostealer". It entered the company's computer systems via a classic phishing email: some employees took the bait and the infection began.

The dangerous thing about Ave Maria is that it is capable of defeating the encryption browsers use to protect the credentials for websites and accounts that users enter during their daily browsing. As a result, this virus can steal an enormous amount of users' sensitive data, even going so far as to take over their online accounts.

How to defend yourself against Ave Maria

It is still unclear whether the Ave Maria virus circulating again in Italy is the same one already known to antivirus software, or whether it has been modified to make it invisible to the security software normally used by ordinary web users.

It is certain, however, that Ave Maria is still being delivered via a fairly elaborate and credible phishing email. The infection at the oil and gas company last year, for example, started from a fake email that appeared to come from the sales department of one of the company's suppliers and contained an infected Excel file.

The first rule for defending against Ave Maria, therefore, is to defend against phishing itself: be very careful with every email you receive, check the sender carefully and treat attachments with suspicion. The second rule is to use an up-to-date antivirus which, in principle, should be able to intercept any infection attempt by the Ave Maria malware.