Researchers have detected a new, stealthy Astaroth trojan campaign emanating from and centered in Brazil, but spreading to parts of Europe. Named after ‘the Great Duke of Hell’ because of its use of satanic variable names, Astaroth has been around since late 2017.
The latest campaign, discovered by the Cybereason Nocturnus Research team, uses an evolved variant of the malware that goes to great lengths to remain stealthy in what is described as a ‘massive spam campaign’. In a blog report published today, Cybereason has noted four major differences from earlier variants.
Firstly, this variant exclusively uses BITSAdmin (as used in the latest-reported APT10 attacks) to download the payload. Earlier versions used Windows’ certificate management tool, certutil.
Secondly, in a major and effective move, the latest version uses rather than evades the Avast anti-malware product. Earlier versions simply stopped if Avast was present. The latest version uses an Avast process as a LOLBin. “This version used Avast to inject a malicious module into one of its processes,” reports Cybereason.
‘LOLBin’ is the accepted term for legitimate binaries that can be used by cybercriminals for hidden nefarious activity. It’s a combination of ‘living off the land’ and ‘binary’. The best known commonly used LOLBins are PowerShell and Windows Management Instrumentation (WMI); but an extensive list (known as LOLBAS — living off the land binaries and scripts) is maintained online. At the time of writing, the Avast binary in question, aswrundll.exe, is not included in this list.
The irony is clear. The earlier version of Astaroth wouldn’t run if Avast was present; the newer version requires Avast to be present. Cybereason made it very clear that this is not a weakness in Avast. “It’s not an exploit and not a weakness,” Cybereason Nocturnus Research team told SecurityWeek. “It’s a process of Avast that can be used maliciously. It’s a legitimate process. It’s like any LOLBin (PowerShell, for example), or regsvr. It’s abused for nefarious means, and yes, that’s ironic, but it’s important to note that it isn’t an exploit or weakness. There’s no error in the code or anything.”
If anything, it is testament to the popularity of Avast in Brazil — it is more effective to use it than avoid it. Luis Corrons, security evangelist at Avast, points out that nothing is actually ‘injected’ into Avast. “This is not an injection,” he told SecurityWeek. “Installed Avast binaries have self-protection mechanisms in place to avoid injections. Here they are using an Avast file to run a binary (in a similar way you can run a DLL using Windows’ rundll32.exe).” He added that it can be prevented with Avast Behavior Shield, “which is able to follow the execution of binaries — so we can know if this technique is being used with that Avast file and act on it.”
The third new feature in this Astaroth campaign is the new use of unins000.exe to gather personal information undetected. This is another legitimate process — belonging to a Brazilian information security company GAS Tecnologia — and also not currently included in the LOLBAS list.
The fourth is that this version now uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and help hide the code it is initiating.
The overall result, the Nocturnus team told SecurityWeek, is that this malware campaign “is incredibly evasive and effective.”
The attack starts with an email. A 7zip file is downloaded through an email attachment or mistakenly-clicked hyperlink. This file contains a lnk file that, on activation, initializes the malware. A process spawns and uses wmic.exe to initialize an XSL script processing attack. This communicates with a remote C2 server and sends location information to that server.
The same XSL script containing obfuscated code executes additional malicious activity. Ultimately, it is responsible for the malicious use of BITSAdmin (which is included in the LOLBAS listing) to download the Astaroth payload.
“Once the payload is received, it identifies if Avast exists on the infected machine,” write the researchers. “If so, it uses Avast to load a malicious module responsible for loading other modules and gathering information about the machine. A second module is loaded to collect and exfiltrate information like clipboard data, password information, and more.”
A successfully installed Astaroth can log user keystrokes, intercept operating system calls, and collect data from the clipboard. It uses NetPass, a password recovery tool, to collect user login passwords undetected, including mail account passwords, Messenger accounts, Internet Explorer accounts and more. Passwords not stored on the computer — perhaps bank accounts — can be gathered by the key logger.
Cybereason believes that the extensive use of LOLBins to hide the presence of Astaroth indicates the way malware will evolve in the future.
“As we enter 2019,” write the researchers, “we anticipate that the using of WMIC and other living off the land binaries (LOLBins) will increase. Because of the great potential for malicious exploitation inherent in the use of LOLBins, it is very likely that many other information stealers will adopt this method to deliver their payload into targeted machines.”
Related: Watch Out for Fileless Ransomware