
Cyber Incident Victim: Eni S.p.A.

Date:

Dec 2018

Location:

Italy

Summary

A phishing campaign targeted an Italian oil and gas organization with malicious emails impersonating a supplier's invoices and shipping confirmations. The emails carried Excel files that exploited a known Microsoft Office vulnerability (CVE-2017-11882) to retrieve and execute a self-extracting archive, which in turn deployed obfuscated AutoIt scripts and a final payload named "AVE_MARIA." The malware employed anti-analysis checks, injected code into a copy of a legitimate system binary, and used a Run registry key for persistence. It harvested credentials from email clients and the Firefox browser, reusing publicly available decryption code, and communicated with a command-and-control server. The supporting infrastructure was short-lived, with domains active only during the campaign's peak dissemination period.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

In mid-December 2018, a phishing campaign targeted an Italian organization in the Oil & Gas sector, later identified through industry context as Eni S.p.A. Attackers sent emails impersonating a supplier's sales office, attaching malicious Excel files disguised as invoices and shipping confirmations. These documents exploited CVE-2017-11882, the well-known memory-corruption flaw in the Microsoft Office Equation Editor (EQNEDT32.EXE), to download and execute a malicious executable hosted on compromised websites. The operational infrastructure supporting the campaign was short-lived: domains such as sentinelx[.]tk and xinchingho[.]ml were active only during the infection window in mid-December. The downloaded executable was a WinRAR self-extracting archive (SFX) configured to unpack its contents into the %TEMP%\04505187 directory while displaying a decoy icon of the VOCALOID character Kagamine Rin. Archive timestamps indicated weaponization on December 13, 2018, at 22:56 UTC, aligning with the period in which the attackers' domains were activated.


The SFX archive contained three components: a legitimate AutoIt interpreter (xfi.exe), an obfuscated AutoIt script (hbx=lbl), and a configuration file (uaf.icm) structured as an INI file. Execution proceeded in stages. The first script generated a second, randomly named script (e.g., ZZQLZ) from encoded data held between the [sData] and [esData] markers of uaf.icm. This secondary script carried anti-analysis checks and terminated if virtualization-related processes such as those of VirtualBox were present. Its main job was to decrypt the final payload, stored between the [Data] and [eData] markers of uaf.icm, using the Windows CryptDecrypt API with key material read from the same configuration file. To run the payload, the script copied the legitimate Regsvcs.exe (the .NET Services Installation Tool) into %TEMP% and injected code into the process it started from that copy, executing custom shellcode embedded in the script through the CallWindowProcW API. Persistence was achieved through a value under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (the 32-bit view of the Run key, consistent with a 32-bit AutoIt interpreter on 64-bit Windows), with the value name specified in uaf.icm.
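Two triage checks follow directly from the delivery chain described above: recognising a WinRAR SFX (a PE stub with a RAR archive appended as an overlay), and carving the marker-delimited blobs out of an INI-style configuration like uaf.icm so the encrypted payload can be told apart from the script data by entropy. The code below is an added example written for this page, not tooling from the original report; the archive bytes and configuration text it operates on are constructed for illustration, the marker names are the ones quoted in the description, and the real encoding and cipher of the blobs are not reproduced (the example does not attempt the CryptDecrypt step).

```python
"""Triage helpers for a WinRAR SFX dropper and its INI-style config (added example)."""
import math
import re

# RAR signatures as documented by RARLAB: RAR 4.x and RAR 5 marker blocks.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Marker pairs quoted in the incident description for uaf.icm.
MARKERS = [("[sData]", "[esData]"), ("[Data]", "[eData]")]


def find_sfx_archive(data: bytes):
    """Return the offset of a RAR archive embedded in a PE file, else None.

    A WinRAR SFX is a PE executable ('MZ') with the archive appended as an
    overlay, so a RAR marker at an offset greater than zero is the tell.
    """
    if not data.startswith(b"MZ"):
        return None
    for magic in (RAR5_MAGIC, RAR4_MAGIC):
        off = data.find(magic)
        if off > 0:
            return off
    return None


def carve_blobs(config_text: str, markers=MARKERS):
    """Return {start_marker: text} for every start/end marker pair found."""
    out = {}
    for start, end in markers:
        pattern = re.escape(start) + r"\s*(.*?)\s*" + re.escape(end)
        m = re.search(pattern, config_text, re.S)
        if m:
            out[start] = m.group(1)
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for a constant blob, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_config(config_text: str):
    """Carve each blob and report its length and entropy for quick triage."""
    report = {}
    for marker, blob in carve_blobs(config_text).items():
        raw = blob.encode()
        report[marker] = {"length": len(raw), "entropy": shannon_entropy(raw)}
    return report


# Constructed sample: a 64-byte fake PE stub followed by a RAR5 marker.
CONSTRUCTED_SFX = b"MZ" + b"\x00" * 62 + b"stub" + RAR5_MAGIC + b"\x00" * 16

# Constructed sample config: a low-entropy [sData] blob and a [Data] blob in
# which every byte differs, standing in for the encrypted payload.
CONSTRUCTED_CONFIG = """[Settings]
RunKey=UpdateSvc
[sData]
AAAAAAAAAAAAAAAA
[esData]
[Data]
0123456789abcdef
[eData]
"""

if __name__ == "__main__":
    print("RAR overlay at offset:", find_sfx_archive(CONSTRUCTED_SFX))
    for marker, info in triage_config(CONSTRUCTED_CONFIG).items():
        print(f"{marker}: {info['length']} bytes, entropy {info['entropy']:.2f}")
```

On a real sample the entropy of the [Data] blob will sit near the ceiling for whatever text encoding wraps it (about 4 bits per byte for hex, about 6 for base64), well above the script text in [sData]; that contrast is what makes the config worth carving before any decryption work.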

The final payload, identified as the "AVE_MARIA" stealer, contacted the command-and-control server anglekeys.warzonedns[.]com (IP: 192.3.162[.]161) to receive operational directives. Although the C2 was inactive during analysis, static examination revealed capabilities to harvest credentials from email clients (Microsoft Exchange Client, Outlook) and to decrypt credentials stored by Firefox using Mozilla NSS's PK11 functions (the routine exported by nss3.dll that Firefox itself uses to unprotect saved logins). Code reuse was evident: the malware's Firefox decryption routines overlapped substantially with publicly available KeePass plugin code. The payload also carried, in its resources, a User Account Control (UAC) bypass utility built on a known technique that abuses the auto-elevating Windows binary pkgmgr.exe. Forensic artifacts in the code suggested possible developer fingerprints, including environmental traces and the distinctive "AVE_MARIA" string transmitted during the C2 handshake. The AutoIt-based delivery chain resembled campaigns documented by Juniper in 2016, though the final payload diverged in objectives and complexity.

Impact analysis was limited by the C2's offline status during the investigation, but the malware's design indicated an intent to exfiltrate authentication credentials and browser data. The compromise chain combined several evasion techniques: file-extension masquerading (e.g., .icm for configuration data), execution of the payload inside a copy of a trusted binary (Regsvcs.exe), and anti-analysis checks. No explicit containment or remediation actions by the victim organization were documented in the available sources. The brief activation window of the infrastructure suggested time-sensitive targeting, with the attackers prioritizing rapid deployment over prolonged access. Technical artifacts such as YARA rules (SFX_AutoIt_dropper_09_01_2019, AveMaria_infostealer_09_01_2019) and network indicators (masaimaranationalparkkenya[.]com/wp-admin/js/jsk/DSK.exe) provided usable detection signatures. The incident highlighted the reuse of both public exploit code (CVE-2017-11882) and commodity tooling (AutoIt-based droppers) in attacks against critical energy-sector targets.
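The indicators quoted in this entry are only useful once they are refanged and run against logs, and the behavioural tells of the chain (Regsvcs.exe running from outside the .NET Framework directory, a Run value pointing into a temp folder) are worth checking independently of the indicators, since those outlive any one domain. The code below is an added example for this page, not part of the original report: the proxy/DNS log lines, process-creation events and Run-key values it scans are constructed, the user name and temp paths in them are assumptions, and the only data taken from the report are the defanged indicators and the registry key path.

```python
"""Hunt for the reported indicators and behaviours in constructed logs (added example)."""
import re

# Indicators quoted in the incident description, in defanged form.
DEFANGED_IOCS = [
    "sentinelx[.]tk",
    "xinchingho[.]ml",
    "anglekeys.warzonedns[.]com",
    "192.3.162[.]161",
    "masaimaranationalparkkenya[.]com/wp-admin/js/jsk/DSK.exe",
]

# Where a genuine Regsvcs.exe lives; anything else is a copy worth a look.
FRAMEWORK_DIRS = (
    r"c:\windows\microsoft.net\framework\\"[:-1],
    r"c:\windows\microsoft.net\framework64\\"[:-1],
)

RUN_KEY = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def hunt_iocs(log_lines, defanged=DEFANGED_IOCS):
    """Return (line_index, indicator) for every indicator found in the lines.

    Boundaries are enforced so 192.3.162.161 does not match 192.3.162.1610
    and a domain does not match as a substring of a longer host name.
    """
    patterns = [
        (refang(i), re.compile(r"(?<![\w.-])" + re.escape(refang(i)) + r"(?![\w-])"))
        for i in defanged
    ]
    hits = []
    for idx, line in enumerate(log_lines):
        for ioc, pat in patterns:
            if pat.search(line):
                hits.append((idx, ioc))
    return hits


def suspicious_regsvcs(events):
    """Flag process-creation events where Regsvcs.exe runs from a non-framework path."""
    flagged = []
    for ev in events:
        image = ev["image"].lower()
        if image.endswith("\\regsvcs.exe") and not image.startswith(FRAMEWORK_DIRS):
            flagged.append(ev)
    return flagged


def suspicious_run_values(values):
    """Flag Run values whose target lives under a temp or per-user AppData path."""
    bad_dirs = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\appdata\\roaming\\")
    return [v for v in values if any(d in v["data"].lower() for d in bad_dirs)]


# Constructed log lines (not from the incident); the timestamps and internal
# addresses are invented for illustration.
CONSTRUCTED_LOG = [
    "2018-12-14T09:12:03Z src=10.20.1.44 url=http://masaimaranationalparkkenya.com/wp-admin/js/jsk/DSK.exe status=200",
    "2018-12-14T09:12:06Z src=10.20.1.44 dns query=anglekeys.warzonedns.com answer=192.3.162.161",
    "2018-12-14T09:13:01Z src=10.20.1.51 dst=update.microsoft.com status=200",
    "2018-12-14T09:14:20Z src=10.20.1.60 dst=sentinelx.tk",
]

# Constructed process-creation events; the user name is an assumption.
CONSTRUCTED_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": 5016, "image": r"C:\Users\alice\AppData\Local\Temp\Regsvcs.exe"},
    {"pid": 5020, "image": r"C:\Windows\System32\svchost.exe"},
]

# Constructed Run values under the key named in the report; the value name
# and target are assumptions standing in for what uaf.icm would specify.
CONSTRUCTED_RUN_VALUES = [
    {"key": RUN_KEY, "name": "VendorAgent", "data": r"C:\Program Files\Vendor\agent.exe"},
    {"key": RUN_KEY, "name": "UpdateSvc", "data": r"C:\Users\alice\AppData\Local\Temp\xfi.exe"},
]

if __name__ == "__main__":
    for idx, ioc in hunt_iocs(CONSTRUCTED_LOG):
        print(f"line {idx}: {ioc}")
    for ev in suspicious_regsvcs(CONSTRUCTED_EVENTS):
        print("Regsvcs.exe outside framework dir:", ev["image"])
    for v in suspicious_run_values(CONSTRUCTED_RUN_VALUES):
        print("suspicious Run value:", v["name"], "->", v["data"])
```

The boundary regex matters more than it looks: a plain substring check on the IP would also fire on neighbouring addresses, and on the domain list it would match any longer host name that happened to end in one of the reported domains.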

Sources
Sources available to members
1 source