santiago silver - Fotolia
A new variant of the Astaroth Trojan was detected in a massive spam campaign that not only exploits legitimate operating system processes, but also targets antivirus software to expand its capabilities and steal credentials.
Reported by Cybereason's Nocturnus Research team earlier this week, the latest version of the Astaroth Trojan injects a malicious module into one of Avast's processes, aswrundll.exe. Researchers said, because Avast is one of most common antivirus programs in the world, this makes it an effective evasion strategy. Earlier versions of the malware, which was first detected in 2017, would scan targeted systems for Avast and simply quit if the antivirus program was detected.
The spam campaign also made malicious use of unins000.exe, a process that belongs to GAS Tecnologia, a Brazilian information security company. The campaign targeted Brazil and parts of Europe, and it gained momentum toward the end of 2018, according to a blog post detailing the research.
"Astaroth malware is very similar to other variants that we have seen since mid-2018 in terms of how it propagates itself," said Eli Salem, security researcher at Cybereason. "However, the recent variant that we found leverages its payload execution through targeted security-related products and obfuscates itself as much as it can at the remote server domain and changes some of its processes in doing so."
This version maliciously used BITSAdmin to download the payload, while earlier versions of the campaign used certutil, Salem said.
The Astaroth Trojan malware disguises its payload as JPEG, GIF and extensionless files to avoid detection, researchers found. Upon successful infiltration, it logs user keystrokes, intercepts their operating system calls and gathers information to steal credentials, including passwords.
Eli Salemsecurity researcher, Cybereason
Salem said the Astaroth malware variant doesn't need to take advantage of a bug or vulnerability in code.
"It's not something that Avast needs to fix or patch, because this process is just part of their product; it's just like a Microsoft process that has the ability to be used maliciously," Salem said. "Obviously, it is not designed for it. However, just like regsvr32, it can be misused for malicious activity."
It's a legitimate process with legitimate uses that's just being used for malicious purposes -- in this case, to load and execute malicious modules, he explained.
"We learned about this particular Astaroth Trojan variant analyzed in Cybereason's report. Since this is not an exploit, there is no obligation for them to provide formal or advance communication," Avast said in a statement.
"The authors misuse a trusted binary to run the malware, in this case they used an Avast process, probably due to the size of our user base in the target country of Brazil. One important thing to consider is that this is neither an injection nor a privilege escalation. Installed Avast binaries have self-protection mechanisms in place to avoid injections. In this instance, they are using an Avast file to run a binary in a similar way that a DLL using Windows' rundll32.exe can run," according to the statement. "We had previously issued a detection for the malware so all Avast users are protected from this variant. Additionally, we will be implementing changes to our environment to ensure the same process cannot be misused in this way the future."
Cybereason researchers anticipate the use of living-off-the-land binaries to likely increase this year. Because of the great potential for malicious exploitation inherent in the use of native processes, researchers believe it is very likely that many other information stealers will adopt this method to deliver their payload into targeted machines.