Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data
February 13, 2019
https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil
I see Cybereason back up to speed taking swipes at the AV vendors. This time it's Avast. Since I believe Avast now has HIPS capabilities, no big deal restricting startup of this .exe to the Avast kernel process, which I assume is the only one that uses it.
I don't get it, how can they use a process from Avast for malicious purposes? By that I mean, how the heck is this malware able to inject code into this Avast process? Shouldn't these processes be secured against code injection?
The issue is not code injection into aswrundll.exe, but rather using it in identical fashion to how rundll32.exe can be used maliciously. I am assuming that the Avast .exe runs with System privileges. I also wonder if this method is only used on the free version, with the paid version using the Avast kernel process as is done in other top-tier AV products.
Came across this "tidbit" where aswrundll.exe can be used to uninstall Avast!
https://www.mspgeek.com/topic/1393-uninstall-avast/?do=findComment&comment=23004
Also as noted, it appears aswrundll.exe is used in all Avast versions.
Nearly identical campaign:
Microsoft warns about Astaroth malware campaign
New hard-to-detect Astaroth campaigns spotted using fileless execution and living-off-the-land techniques
July 8, 2019
https://www.zdnet.com/article/microsoft-warns-about-astaroth-malware-campaign/
Microsoft: Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack
OK I see. But it's still very weird that malware can use this process. I wonder what Avast has to say about this.

There is nothing magical about this stuff. You should simply always monitor system processes like WMIC and Bitsadmin.
The problem is the average user doesn't even know those processes exist, let alone how to monitor them. The issue is there are dozens of LOL processes that can be abused; some have been deprecated for some time and are so obscure it appears Microsoft forgot about them. What Microsoft needs to do is create some type of internal group policy mode that is applied by default on end-user non-corp. devices. This policy would ensure these LOL processes are only run under Windows system process control to perform necessary system maintenance and the like. And user account logon is not the solution since most end users don't use it.
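The monitoring suggested in the two posts above (watch WMIC, Bitsadmin and similar LOL binaries, and notice when they run outside normal system-maintenance context) can be illustrated with a small detection pass over process-creation records. This is an added example, not code from the thread, Cybereason, Microsoft or Avast. The record format, the sample events, the Avast install path and the baseline list of "user-content" parent processes are constructed assumptions for illustration; only the binary names (wmic, bitsadmin, rundll32, aswrundll) come from the posts.

```python
"""Flag living-off-the-land (LOL) binary use in process-creation records.

Added example for this thread. The 'Key=Value|Key=Value' record format,
the sample events, the Avast install path and the baseline of expected
parent processes are constructed assumptions; the binary names come from
the discussion (wmic, bitsadmin, rundll32, aswrundll).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Binaries named in the thread that proxy-execute code or fetch files.
LOLBINS = {"wmic.exe", "bitsadmin.exe", "rundll32.exe", "aswrundll.exe"}

# Script hosts and Office apps. Assumed baseline: routine system
# maintenance never launches a LOL binary from one of these.
USER_CONTENT_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                        "winword.exe", "excel.exe", "outlook.exe"}

# Directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|public|programdata)\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)


@dataclass
class ProcEvent:
    image: str
    parent: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' record (values contain no '|')."""
    fields: Dict[str, str] = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])


def assess(ev: ProcEvent) -> List[str]:
    """Return the reasons this event merits review; an empty list means nothing found."""
    name = basename(ev.image)
    if name not in LOLBINS:
        return []
    reasons: List[str] = []
    parent = basename(ev.parent)
    if parent in USER_CONTENT_PARENTS:
        reasons.append(f"{name} launched by {parent}, which handles user content")
    if USER_WRITABLE.search(ev.cmdline):
        reasons.append(f"{name} given a path under a user-writable directory")
    if REMOTE_URL.search(ev.cmdline):
        reasons.append(f"{name} given a remote URL")
    return reasons


def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run assess() over every non-empty record and keep only those with findings."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings.append((basename(ev.image), reasons))
    return findings


# Constructed sample records. The last two are benign and must not fire:
# rundll32 hosting a Control Panel applet and notepad opening a user file.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\wbem\WMIC.exe|ParentImage=C:\Windows\System32\wscript.exe|CommandLine=wmic os get caption
Image=C:\Windows\System32\bitsadmin.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=bitsadmin /transfer job https://example.invalid/f.bin C:\Users\alice\AppData\Local\Temp\f.bin
Image=C:\Program Files\Avast Software\Avast\aswrundll.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=aswrundll.exe C:\Users\Public\x.dll
Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe C:\Users\alice\AppData\notes.txt
"""

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG):
        print(image)
        for r in reasons:
            print("  -", r)
```

The point of the benign rundll32 record is that matching on the binary name alone is not a usable alert; the signal is the combination of a system DLL host or downloader with a user-writable path, a remote URL, or a parent that exists to open user content. Real Sysmon or EDR telemetry carries the same three fields, so the heuristics transfer even though the record format here is made up.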
Correct, but I wasn't talking about average users. I was talking more about EDR tools; by now they should be able to block these attacks in the first stage. I do believe that Win Def ATP is pretty good based on what I've read.
Microsoft's Windows 10 warning: Astaroth malware is back. This time it's even stealthier
Malware group has changed its living-off-the-land tactics after Microsoft exposed its work
March 24, 2020
https://www.zdnet.com/article/micro...alware-is-back-this-time-its-even-stealthier/
Microsoft: Latest Astaroth living-off-the-land attacks are even more invisible but not less observable
Astaroth’s New Evasion Tactics Make It ‘Painful to Analyze’
https://threatpost.com/astaroths-evasion-tactics-painful-analyze/