FYI: The Astaroth Trojan


February 22, 2019

You might of heard recently that the Astaroth Trojan is making a comeback. We break down what it is, why it’s making a comeback and more…

Despite having a name that makes it sound like a lost Michael Crichton novel of Swedish Death Metal, the Astaroth Trojan is a nasty piece of code. The trojan was first detected in 2017 after it was used in multiple South American cyber attacks.

Historically solicited by email and corrupt attachments, the Trojan uses Windows Management Instrumentation Console and its command line interface to download and instal its payload. Typically its used a non-interactive mode to hide what it’s doing from the enduser.

To avoid detection Astaroth hid in plain site, using a seemingly safe domain with an additional URL snippet added on that points to its payload. Past versions, upon being installed would scan for antivirus software. If antivirus was found on the endpoint the malware would shut itself down.

This new version behaves differently. The Trojan’s payload typically disguises itself as a JPEG, GIF or an extension-less attachment. Once downloaded and opened, the new Astaroth Trojan actually leverages antivirus software, specifically Avast Free Antivirus, to inject a malicious module into one of its processes. Upon installation the malware begins to log keystrokes, intercept operating system calls and gather other PII info to steal credentials and passwords.

Because Avast is one of the most used antivirus solutions on the planet, this could be a particularly nasty piece of Malware.

The new variant was discovered by the fine folk that make up Cybereason’s Nocturnus Research team (also not a Death Metal band…I’m starting to see a trend here…hmmm…).

You can read more about Astaroth here ( on Cybereason’s blog. We’ll keep you up to date if we hear anything else regarding Astaroth. Until then, if you’re using Avast we recommend you try something different. We personally recommend Cybereason’s EDR platform or CylancePROTECT.

Have anything you’d like to share regarding this topic? Lets us know by leaving a comment.

Interested in learning more about Integris? Download our free Intelligence in Depth guide today!

Carl Keyser is the Content Manager at Integris.

Keep reading

Bridging the Gap between Automation and Innovation

Bridging the Gap between Automation and Innovation

Automation and Innovation. Some people might say those two words cancel each other out. Yet, I believe these two concepts can create capacity for each other—if your business leverages the free time automation creates to foster innovation. Automation can be...

Why Is My Laptop Draining So Fast?

Why Is My Laptop Draining So Fast?

Before You Replace Your Laptop Battery, Try These Fixes First Stuck with a laptop that’s running out way before it’s standard 8-10 hours of run time? Don't throw it out just yet.  Try these quick fixes to extend its life: Reduce your screen brightness If possible,...