According to reports, a team of Nocturnus researchers at Cyber reason recently discovered an Astaroth Trojan campaign with the ability to abuse GAS Tecnologia and the Avast security software. The hackers use this weak point to plant malicious modules and steal user information.
The main aim of the campaign is to access user information and it does that by taking advantage of legitimate operating system processes. Once it breaches the machine’s security, the campaign is able to steal confidential credentials and clipboard usage as well as important keystate information.
The Cofense security firm was the first to identify the Trojan back in 2018. At that time, Astaroth was mainly attacking users in Brazil and Europe. The malware mainly focused on LOLbins. An example would be the command line interface used by Windows users when accessing the operating system’s WMIC. In the background, the hackers would be busy downloading and installing malicious payloads into the machine. They chose LOLbins because they’re discreet and are able to evade even the most efficient antivirus software.
The New Strain
Cybereason has discovered a new type of this malware which now leverages WMIC utilities and BITSAdmin to access control infrastructure and ultimately transfer malicious payload onto the machine.
The BITSAdmin comes in handy for this job because it allows you to create and monitor any download you like. Thus, the attackers used it to create and distribute various spam campaigns, archive hyperlinks and malicious messages contained inside .7zip file downloads.
Inside the .7zip archive is a .lnk file which enables the attacker to trigger an XSL Script Processing attack by starting a wmic.exe process.
Lastly, BITSAdmin acts as the postman for the malware by collecting a payload from another C&C server. Inside this malicious code are various Astaroth modules, which are hidden inside various images or files that don’t contain any extension.
How It Works
The Astaroth module appears to be a well-planned out campaign which follows these steps:
- The attacker sends a phishing email
- The user opens an attachment with a .zip file
- This leads to a Wmic.exe file opening
- A Remote XSL Page opens to BITSAdmin
- BITSAdmin offloads the Astaroth modules
Once introduced, the malware inserts a malicious module into the aswrundll.exe Avast Software Runtime Dynamic Link Library. This is how the malware is able to collect information about the system while simultaneously injecting additional modules.
The attackers chose Avast as their Trojan horse because it’s the most widely used antivirus in the world. Avast was quick to identify that this is not a privilege escalation attack but rather an attempt by the hackers to run a binary.
Moving forward, Avast plans to make changes to their environment to prevent a similar attack from happening again. The antivirus company had security experts analyze a sample of the Astaroth Trojan, and that’s when they found that the same malware can be used to exploit the unins000.exe process which was developed by GAS Tecnologia.
By breaching these security solutions, the malware is able to access keyboard information, log the user’s keystrokes, monitor the keystate and even steal information through a technique known as “hooking.”
To collect credentials like usernames and passwords, the Astaroth Trojan leverages the NetPass free network password recovery tool. The same tool can be used to remotely collect user login details, mail account passwords through a Microsoft Outlook exchange server, as well as Windows and MSN messenger passwords.
This sophisticated attack is difficult to identify because of its use of discreet LOLbins. Even security system developers like Avast find it difficult to track an attack of this nature regardless of placing several teams on the job. Plus, as LOLbins become more prevalent, so will attacks of this nature become more common, and experts predict that attackers will develop even more destructive payloads in the future.