Be On The Lookout As Astaroth Malware Makes A Comeback

April 6, 2020

Written by wukovits

Are you familiar with Astaroth?

If you’re a data security professional, you’ve probably at least heard the name.

The malware and the group operating it gained notoriety in 2019, when it came to light that they were spreading it as "fileless malware", using legitimate Windows tools rather than a dropped executable to infect machines around the world.

The Windows Defender ATP team uncovered evidence of a massive campaign and described the technique, in which the attack chain runs almost entirely through tools already present on the machine, as "living off the land." Once Microsoft called attention to the group's activities and the methods they were using to spread their malware, the campaign slowed to a trickle and the group went quiet for the rest of the year.

Now they're back, and they've reworked the later stages of their approach. The latest campaign still begins conventionally, with a spam email carrying an LNK file. From there, the group veers off into new territory.

These days they're using NTFS Alternate Data Streams (ADS) to hide malicious payloads: the payload is attached to an existing file as an extra named stream, so the file's visible content and size don't change and neither Explorer nor a plain directory listing shows anything unusual. To load the payload, the group abuses ExtExport.exe, a legitimate Internet Explorer tool, which the Windows Defender ATP team describes as a "highly uncommon attack vector" that makes Astaroth payloads hard to detect.

If there's a silver lining, it is that a victim has to take several deliberate actions before the payload is installed. The spam email carries a ZIP file; the victim has to open it and then click the LNK file inside, which runs an obfuscated BAT command line.

This, in turn, drops a JavaScript file into the Pictures folder on the machine and issues a command to Explorer.exe to run the file.
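The chain above leaves two artifacts on disk that an administrator can hunt for: files carrying extra NTFS alternate data streams, and JavaScript files sitting in a user's Pictures folder. The following PowerShell script is an added example written for this page; it is not code from the original article, from the malware, or from Microsoft. The function names, the demo directory under $env:TEMP, the stream ignore list, and the "MZ" triage heuristic are this example's own choices, and the sample file it scans is constructed inline so the script runs on any NTFS volume without touching a real infection.

```powershell
# Added example, not code from the original article or from Microsoft.
# Hunts for the two on-disk artifacts the article describes: files with
# extra NTFS alternate data streams (where the payloads are hidden) and
# .js files dropped into a user's Pictures folder. Function names, the demo
# directory and the ignore list are this example's own assumptions.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ':$DATA' is the file's own primary stream; Zone.Identifier is the
        # mark-of-the-web that browsers and mail clients write on downloads.
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * enumerates every NTFS stream attached to the file,
            # including the ones Explorer and a plain 'dir' never show.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $IgnoreStreams -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

function Test-StreamLooksLikePE {
    # Cheap triage heuristic (this example's own): a stream whose first two
    # bytes are 'MZ' is a Windows EXE/DLL, which a data file has no reason to carry.
    param(
        [Parameter(Mandatory)] [string] $FileName,
        [Parameter(Mandatory)] [string] $Stream
    )
    $firstLine = Get-Content -LiteralPath $FileName -Stream $Stream -TotalCount 1 -ErrorAction SilentlyContinue
    return ($null -ne $firstLine) -and $firstLine.StartsWith('MZ')
}

function Find-ScriptsInPictures {
    # The chain drops a .js file into the Pictures folder and has explorer.exe
    # run it; script files there deserve a look on any workstation.
    param([string] $ProfileRoot = 'C:\Users')
    Get-ChildItem -Path (Join-Path $ProfileRoot '*\Pictures') -Filter '*.js' `
        -File -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed demonstration input: a harmless text file with a second stream
# named 'payload' attached, so the scan has something to flag. The file's
# visible size stays that of its one line; the extra stream is not shown.
$demoDir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'readme.txt'
Set-Content -LiteralPath $demoFile -Value 'harmless visible content'
Set-Content -LiteralPath $demoFile -Stream 'payload' -Value 'MZ fake header for the demo'

$hits = Find-AlternateDataStreams -Path $demoDir
$hits | Format-Table -AutoSize
foreach ($h in $hits) {
    $isPe = Test-StreamLooksLikePE -FileName $h.FileName -Stream $h.Stream
    '{0}:{1} looks like a PE file: {2}' -f $h.FileName, $h.Stream, $isPe
}

Find-ScriptsInPictures | Format-Table -AutoSize

# Clean up the demo. Remove-Item -Stream deletes only the named stream,
# which is also how you strip a malicious stream from an otherwise needed file.
Remove-Item -LiteralPath $demoFile -Stream 'payload'
Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Run it in an elevated PowerShell session on an NTFS volume (stream cmdlets do nothing on FAT or network shares); `dir /r` in cmd.exe lists the same streams if you prefer to spot-check by hand. The scan only sees what is on disk, so pair it with process-creation logging (Security event 4688 with command-line auditing enabled, or Sysmon event 1) and alert on any execution of ExtExport.exe outside normal Internet Explorer administration and on explorer.exe launching a script from a Pictures folder.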

Given this, the first line of defense is employee education: every step of the chain needs a user to open the ZIP and click the LNK file inside it. If your employees are still in the habit of opening attachments and clicking on files and links from unknown and untrusted sources, the technical tricks that follow will rarely be caught in time. Make sure your people understand the risks, and back that up with the controls the chain itself suggests: block or quarantine ZIP attachments that contain LNK files, and audit for unexpected alternate data streams and for ExtExport.exe running on workstations.

Used with permission from Article Aggregator


