Astaroth Trojan: uses antivirus processes

A new par of Trojan Astaroth has the ability to exploit vulnerable processes in anti-virus software and services. Researchers from Cybereason's Nocturnus team reported today in a publication on the their blog that variation is able to software modules για να κλέβει διαπιστευτήρια και προσωπικά on the Internet.Astaroth

In its latest form, Astaroth is used in spam campaigns throughout Brazil and Europe, managing thousands of infections by the end of 2018. Malicious software spreads through .zip files and malicious links.

Astaroth Trojan: How It Works

Researchers report that the Trojan disguises itself as a JPEG, .GIF, or some file with no extension to avoid detection by security applications. when running on a machine. To complete the The malware uses the Microsoft Windows BITSAdmin tool from a Command and Control (C2) server. After downloading, the malware runs an XSL script that creates a channel with the C2 server. The script reportedly contains features to help the malicious app hide from security software, but also to leverage the BITSAdmin tool to download malicious payloads from a separate C2 server. Previous variants of the Trojan would then try to find antivirus programs, and if Avast was present on an infected system, the malware would stop working. However, the new Astaroth can fool your antivirus program and add "a malicious module to one of its processes," according to the researchers. If it detects Avast, it breaks the Avast Software Runtime Dynamic Link Library, which runs modules for Avast with the aswrundll.exe process. The executable file – which looks like Microsoft's rundll32.exe – can run DLLs by calling its exported functions. The Trojan first appeared in attacks against users in South America during 2017. The malware is able to steal information from target systems, such as passwords , data from the keyboard and any content that was on the clipboard. In addition, Astaroth is also able to track if installed in a suitable and terminate various processes. The new malware also uses a fromCharCode() deobfuscation method to hide code execution. Last month, a new study published by the Malwarebytes reported that Trojan and backdoor attacks have more than doubled since the previous year. Also, spyware attacks have increased in frequency, recording an increase of 142% over the same period.

iGuRu.gr The Best Technology Site in Greecefgns

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).