- Jul 22, 2014
- 2,525
Astaroth disguises itself as image and GIF files to infect PCs.
A new strain of the Astaroth Trojan has been given the capability to exploit vulnerable processes in antivirus software and services.
Cybereason's Nocturnus Research team said in a blog post published on Wednesday that the variant is able to utilize modules in cybersecurity software in order to steal online credentials and personal data.
In its latest form, Astaroth is being used in spam campaigns across Brazil and Europe, with thousands of infections recorded at the end of 2018. The malware spreads through .7zip file attachments and malicious links.
The cybersecurity researchers said the Trojan masquerades as a JPEG, .GIF, or an extensionless file to avoid detection when executed on a machine.
If a spam email or phishing messages prove successful and the file is downloaded and opened, the legitimate Microsoft Windows BITSAdmin tool is used to download the full payload from a command-and-control (C2) server.
After initializing, the malware launches an XSL script which establishes a channel with the C2 server. The script, which is obfuscated, contains functions to hide itself from antivirus software and is responsible for the process which leverages BITSAdmin to download payloads, including Astaroth, from a separate C2 server.
Past variants of the Trojan would then launch a scan to find antivirus programs, and should Avast, in particular, be present on an infected system, the malware would simply quit. However, Astaroth will now abuse the antivirus program to "inject a malicious module into one of its processes," according to the researchers.
If Avast is detected, the Avast Software Runtime Dynamic Link Library which runs modules for Avast, aswrundll.exe, is abused. The executable -- which is similar to Microsoft's rundll32.exe -- can execute DLLs by calling their exported functions.
....
...
A new strain of the Astaroth Trojan has been given the capability to exploit vulnerable processes in antivirus software and services.
Cybereason's Nocturnus Research team said in a blog post published on Wednesday that the variant is able to utilize modules in cybersecurity software in order to steal online credentials and personal data.
In its latest form, Astaroth is being used in spam campaigns across Brazil and Europe, with thousands of infections recorded at the end of 2018. The malware spreads through .7zip file attachments and malicious links.
The cybersecurity researchers said the Trojan masquerades as a JPEG, .GIF, or an extensionless file to avoid detection when executed on a machine.
If a spam email or phishing messages prove successful and the file is downloaded and opened, the legitimate Microsoft Windows BITSAdmin tool is used to download the full payload from a command-and-control (C2) server.
After initializing, the malware launches an XSL script which establishes a channel with the C2 server. The script, which is obfuscated, contains functions to hide itself from antivirus software and is responsible for the process which leverages BITSAdmin to download payloads, including Astaroth, from a separate C2 server.
Past variants of the Trojan would then launch a scan to find antivirus programs, and should Avast, in particular, be present on an infected system, the malware would simply quit. However, Astaroth will now abuse the antivirus program to "inject a malicious module into one of its processes," according to the researchers.
If Avast is detected, the Avast Software Runtime Dynamic Link Library which runs modules for Avast, aswrundll.exe, is abused. The executable -- which is similar to Microsoft's rundll32.exe -- can execute DLLs by calling their exported functions.
....
...