Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 874909" data-attributes="member: 32260"><p>The new and dangerous Astaroth malware:</p><p>[ATTACH=full]237776[/ATTACH]</p><p></p><p>In the case of Astaroth, attackers hide binary data inside the ADS of the file <em>desktop.ini,</em> without changing the file size. By doing this, the attackers create a haven for the payloads, which are read and decrypted on the fly.</p><p>[URL unfurl="true"]https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/[/URL]</p><p></p><p>So, how can this be stopped with H_C settings?</p><p>After the user downloads the malware and runs the unpacked content, the shortcut (LNK file) is normally executed, which will be blocked by SRP. Even if the user applied the settings that allow shortcuts, the shortcut normally runs a JavaScript file via the command line (BAT commands are included in the shortcut - not in a BAT file), and the script will be blocked by SRP (blocked Windows Script Host).</p><p>This malware would be blocked by any predefined H_C setting profile (except All_OFF). It could also be stopped by blocking some Sponsors in H_C (bitsadmin.exe or ExtExport.exe), but this is not necessary (as usual) because of the previous protective layers.</p><p></p><p>The malware is prepared to avoid AV protection and can bypass SysHardener (if "Turn Off Windows Script Host" is unticked). SysHardener has an option to block the outbound connections of bitsadmin.exe, but unfortunately, this will not stop Astaroth from downloading payloads.</p><p></p><p>Edit.</p><p>SysHardener has several options to restrict Windows Script Host. Some options will block such scripts only when manually executed by the user (unassociated script extensions), and another option blocks all attempts to run such scripts (by the user or any process - including malware).</p></blockquote><p></p>
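<p>Two checks that follow from the post above, written as an added example (this is not code from the post, from Hard_Configurator or from SysHardener): enumerate alternate data streams on <em>desktop.ini</em> files, which is where the post says Astaroth hides its payloads, and read the registry value that the "Turn Off Windows Script Host" style of setting writes. The folders in <code>$Roots</code> and the list of streams treated as expected are assumptions for the example; the registry path is the standard WSH policy location.</p>

```powershell
# Added example, not from the original post or project.
# 1) Find desktop.ini files carrying a non-default alternate data stream (ADS).
# 2) Report whether Windows Script Host (WSH) is disabled by policy.

$Roots = @("$env:USERPROFILE", "$env:PUBLIC")   # assumption: folders to audit

# Every NTFS file has the unnamed ':$DATA' stream, and Zone.Identifier is the
# usual mark-of-the-web. Any other stream on a desktop.ini deserves a look,
# because ADS content does not change the size shown for the file itself.
$ExpectedStreams = @(':$DATA', 'Zone.Identifier')

function Get-SuspiciousDesktopIniStreams {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        # -Force is needed: desktop.ini is normally hidden+system.
        Get-ChildItem -Path $root -Filter 'desktop.ini' -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $ExpectedStreams -notcontains $_.Stream } |
                    Select-Object FileName, Stream, Length
            }
    }
}

function Test-WshDisabled {
    # Enabled = 0 under HKLM applies to all users; under HKCU only to the current one.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
        if ($v -and [int]$v.Enabled -eq 0) { return $true }
    }
    return $false
}

Get-SuspiciousDesktopIniStreams -Paths $Roots | Format-Table -AutoSize
"Windows Script Host disabled by policy: $(Test-WshDisabled)"
```

<p>Run it from an elevated PowerShell if you want to cover folders outside your own profile. A hit from the first function is only a lead, not a verdict: the stream still has to be read (for example with <code>Get-Content -Stream &lt;name&gt;</code>) to see what it holds. The second function only reports the WSH policy value; it does not tell you whether SRP or an H_C profile is additionally blocking <em>wscript.exe</em> and <em>cscript.exe</em>, which is the layer the post relies on.</p>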