Astaroth Trojan: uses antivirus processes

A new version of Trojan Astaroth has the ability to exploit vulnerable processes in anti-virus software and services. Researchers of Cyctres' nocturnus team reported today in a publication at their blog that variation is able to security software modules to steal credentials and personal data online.Astaroth In its latest form, Astaroth is used in spam campaigns throughout Brazil and Europe, managing thousands of infections by the end of 2018. Malicious software spreads through .zip files and malicious links.

Astaroth Trojan: How It Works

Researchers report that the Trojan disguises itself as a JPEG, .GIF or some file with no extension to avoid detection by security. when running on a machine. The Microsoft Windows BITSAdmin tool is used from a Command and Control (C2) server to complete the download of the malware. After downloading, the malicious τρέχει ένα XSL script που δημιουργεί ένα κανάλι με τον διακομιστή C2. Το script, φέρεται να περιέχει λειτουργίες που βοηθούν την κακόβουλη εφαρμογή να κρυφτεί από λογισμικό ασφαλείας, αλλά και για να αξιοποιήσει το εργαλείο BITSAdmin για τη λήψη κακόβουλων φορτίων, από έναν ξεχωριστό διακομιστή C2. Οι προηγούμενες παραλλαγές του Trojan προσπαθούσαν στη συνέχεια για να βρουν προγράμματα προστασίας από ιούς και, σε περίπτωση που υπήρχε το Avast σε ένα μολυσμένο , the malware would stop working. However, the new Astaroth can fool your antivirus program and add "a malicious module to one of its processes," according to the researchers. If it detects Avast, it breaks the Avast Software Runtime Dynamic Link Library, which runs modules for Avast with the aswrundll.exe process. The executable file – which looks like Microsoft's rundll32.exe – can run DLLs by calling its exported functions. The Trojan first appeared in attacks against users in South America during 2017. Malware is capable of stealing information from target systems, such as passwords, keyboard data, and any content that was on the clipboard. In addition, Astaroth is also able to monitor calls if it is installed on a suitable device and terminates various processes. The new malware also uses a deCharCode () deobfuscation method to hide code execution. Last month, a new survey published by Malwarebytes reported that Trojan and backdoor attacks have more than doubled since last year. Also, spyware attacks have increased to , marking a 142% increase over the same period.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).