Delaware, USA – February 14, 2019 – The infamous Astaroth trojan started to exploit antivirus solutions to hide its activities and download additional modules. Cybereason researchers analyzed a new campaign targeting the countries of South America and Europe and discovered that adversaries found a way to abuse solutions popular in these regions (Avast and security tools developed by GAS Tecnologia). Previously, Astaroth scanned the system for the presence of these security solutions and, if detected, removed itself from the system. Now malware authors begin to misuse legitimate .exe file of a solution to download additional modules.
Adversaries spread malware through spam emails with an attached 7ZIP archive. The archive contains the .lnk file, which runs the XLS script abusing BITSAdmin to drop disguised Astaroth Trojan. Malware collects and exfiltrates credentials and all data from the clipboard. Researchers believe that the attackers’ main goal is to collect bank information and use it to steal funds from victims ’accounts. Since malware also collects passwords to other systems in the network, adversaries can use stolen credentials to infiltrate the organization’s network installing ransomware or steal sensitive information.
Although Avast has released an update that does not allow its components to be used for malicious purposes, threat actors actively abuse legitimate Windows tools to compromise systems. Moreover, experts expect that other cybercriminals will pick up the new trend. BITSAdmin has long been used to download malicious components, so it will be good practice to use the rules to detect suspicious activity related to this tool. Free Sigma rules in Threat Detection Marketplace: