This Trojan exploits antivirus software to steal your data

Astaroth disguises itself as image and GIF files to infect PCs.
Written by Charlie Osborne, Contributing Writer

A new strain of the Astaroth Trojan has been given the capability to exploit vulnerable processes in antivirus software and services.

Cybereason's Nocturnus Research team said in a blog post published on Wednesday that the variant is able to utilize modules in cybersecurity software in order to steal online credentials and personal data.  

In its latest form, Astaroth is being used in spam campaigns across Brazil and Europe, with thousands of infections recorded at the end of 2018. The malware spreads through .7zip file attachments and malicious links.

The cybersecurity researchers said the Trojan masquerades as a JPEG, .GIF, or an extensionless file to avoid detection when executed on a machine.

If a spam email or phishing messages prove successful and the file is downloaded and opened, the legitimate Microsoft Windows BITSAdmin tool is used to download the full payload from a command-and-control (C2) server.

After initializing, the malware launches an XSL script which establishes a channel with the C2 server. The script, which is obfuscated, contains functions to hide itself from antivirus software and is responsible for the process which leverages BITSAdmin to download payloads, including Astaroth, from a separate C2 server.

See also: Google's Adiantum gives your mobile device an encryption boost

Past variants of the Trojan would then launch a scan to find antivirus programs, and should Avast, in particular, be present on an infected system, the malware would simply quit. However, Astaroth will now abuse the antivirus program to "inject a malicious module into one of its processes," according to the researchers.

If Avast is detected, the Avast Software Runtime Dynamic Link Library which runs modules for Avast, aswrundll.exe, is abused. The executable -- which is similar to Microsoft's  rundll32.exe -- can execute DLLs by calling their exported functions.

CNET: Some iPhone apps record your actions without permission, report says

The abuse of these systems is known as taking advantage of living off the land binaries (LOLbins). An anti-fraud security program provided by GAS Tecnologia is also exploited in the same manner.

The Trojan first emerged in attacks against individuals in South America during 2017. The malware is able to steal information relating to target machines, passwords, keystate data and any content on the clipboard. In addition, Astaroth is also able to keylog, intercept calls if installed on a suitable device, and terminate processes.

The malware also makes use of a fromCharCode() deobfuscation method to hide code execution, an upgrade on previous versions of Astaroth.

TechRepublic: Malicious URLs outnumbered attachments in emails 3 to 1 last year

"As we enter 2019, we anticipate that the using of WMIC and other LOLbins will increase," Cybereason says. "Because of the great potential for malicious exploitation inherent in the use of LOLbins, it is very likely that many other information stealers will adopt this method to deliver their payload into targeted machines."

Last month, new research published by Malwarebytes suggested that Trojan and backdoor-related attacks have more than doubled in the past year. Spyware attacks, too, have increased in frequency, rising by 142 percent in the same period. 

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Editorial standards