The Astaroth Trojan steals credentials and other user data through antivirus software, Avast, and services. It sends scam campaigns with zipfile attachments containing .jpeg, .gif and extensionless files. It has affected internet users across Europe and Brazil.
The trojan first emerged during 2017 and has the ability to steal key state data, keylog user device information and passwords. This is through various ways including connecting with NetPass and using LOLbins.
How Astaroth Trojan Works
Upon a user clicking on the malicious file the Windows BITSAdmin tool downloads the malware and deploys from the command-and-control server. Thereafter it launches an XSL script and as obfuscated, together they hide it from the antivirus software. The trojan then injects one of the processes within Avast.
Avast is a free antivirus. It recently received “Product of the year” awards in 2018, beating paid security products tested by AV-Comparatives. Through independent lab testings, it is highly rated with its security against real-world threats. This is evident as with past Trojans, it was detected immediately and upon detection, it left the system undeployed.
The Astaroth trojan, on the other hand, abuses Avast’s execution, aswrundll.exe, which runs from Avast Software Runtime Dynamic Link Library. The new version of the trojan is able to further exploit the unins000.exe which it uses to steal data from the victim. This is because this type of execution is primary in GAS Tecnologia for information gathering purposes.
Cyberason’s Nocturnus discovered the latest trojan and noticed when looking at the frequency of the attack, the use of the trojan rose significantly at the end of last year. It predicted from this that the trojans tactics will continue to become more rampant in cyber attacks this year. This is because of its abilities to roam devices undetected and use already built-in tools within a device. This is evident with its use of legitimate products such as antivirus software and its ability to expand from these.