Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data

Discussion in 'malware problems & news' started by guest, Feb 13, 2019.

  1. guest

    guest Guest

    Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data
    February 13, 2019
    https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I see Cybereason back up to speed taking swipes at the AV vendors. This time it's Avast:
    Since I believe Avast now has HIPS capabilities, no big deal in restricting startup of this .exe to the Avast kernel process which I assume is the only one that uses it.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I don't get it, how can they use a process from Avast for malicious purposes? With that I mean, how the heck is this malware able to inject code into this Avast process, shouldn't these processes be secured against code injection?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The issue is not code injection of aswrundll.exe, but rather using it in identical fashion as rundll32.exe can be used maliciously. I am assuming that the Avast .exe runs with System privileges.

    I also wonder if this method is only used on the free version with the paid version using the Avast kernel process as is done in other top tier AV products.
     
    Last edited: Feb 16, 2019
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Came across this "tidbit" where aswrundll.exe can be used to uninstall Avast!
    https://www.mspgeek.com/topic/1393-uninstall-avast/?do=findComment&comment=23004

    Also as noted, it appears aswrundll.exe is used in all Avast versions.
     
  6. guest

    guest Guest

    nearly identical campaign:
    Microsoft warns about Astaroth malware campaign
    New hard-to-detect Astaroth campaigns spotted using fileless execution and living-off-the-land techniques
    July 8, 2019

    https://www.zdnet.com/article/microsoft-warns-about-astaroth-malware-campaign/
    Microsoft: Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK I see. But it's still very weird that malware can use this process. I wonder what Avast has to say about this.

    There is nothing magical about this stuff. You should simply always monitor system processes like WMIC and Bitsadmin.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The problem is the average user doesn't even know those processes exist, let alone how to monitor them.

    The issue is there are dozens of LOL processes that can be abused; some deprecated for some time and so obscure, it appears Microsoft forgot about them. What Microsoft needs to do is create some type of internal group policy mode that is applied by default on end-user non-corp. devices. This policy would ensure these LOL processes are only run under Windows system process control to perform necessary system maintenance and the like. And user account logon is not the solution since most end users don't use it.
     
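Rasheed187's point about monitoring WMIC and Bitsadmin, and itman's point that aswrundll.exe is used the way rundll32.exe is, can be turned into a small process-creation check. The following is an added example written for this thread, not code from any poster, from Avast, or from the linked articles. The log lines are constructed, Sysmon-style pipe-delimited records; the LOLBin list, the parent-application list and the assumed Avast install directory are placeholders an analyst would tune to their own environment.

```python
"""Flag living-off-the-land binaries (LOLBins) in process-creation logs.

Added example for this thread; not code from any post, from Avast, or from
the linked articles. Field names, binary lists and paths are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Windows-native binaries that are routinely abused as proxy executors.
LOLBINS = {"wmic.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Signed third-party helpers that behave like rundll32 (the thread's aswrundll.exe),
# mapped to the directory their legitimate parent should live in (assumed path).
PROXY_LOADERS = {"aswrundll.exe": r"c:\program files\avast software\avast"}

# Parents that have little business launching a LOLBin directly.
USER_APP_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe"}

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)

# Constructed sample log: one Sysmon-style ProcessCreate record per line.
SAMPLE_LOG = r"""ProcessCreate|Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=C:\Windows\System32\svchost.exe -k netsvcs
ProcessCreate|Image=C:\Windows\System32\wbem\WMIC.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=wmic.exe http://example.invalid/stage
ProcessCreate|Image=C:\Windows\System32\bitsadmin.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=bitsadmin.exe http://example.invalid/stage
ProcessCreate|Image=C:\Program Files\Avast Software\Avast\aswrundll.exe|ParentImage=C:\Program Files\Avast Software\Avast\AvastSvc.exe|CommandLine=aswrundll.exe maintenance
ProcessCreate|Image=C:\Program Files\Avast Software\Avast\aswrundll.exe|ParentImage=C:\Users\alice\AppData\Local\Temp\update.exe|CommandLine=aswrundll.exe C:\Users\alice\AppData\Local\Temp\stage.dll
ProcessCreate|Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
"""


@dataclass
class Event:
    image: str
    parent: str
    cmdline: str

    @property
    def image_name(self) -> str:
        return PureWindowsPath(self.image).name.lower()

    @property
    def parent_name(self) -> str:
        return PureWindowsPath(self.parent).name.lower()


def parse_event(line: str) -> Event:
    """Parse 'ProcessCreate|Key=Value|...' into an Event (values may contain '=')."""
    fields = dict(part.split("=", 1) for part in line.split("|")[1:])
    return Event(fields.get("Image", ""), fields.get("ParentImage", ""),
                 fields.get("CommandLine", ""))


def classify(ev: Event) -> list[str]:
    """Return the list of reasons this process creation looks suspicious."""
    reasons = []
    name, parent = ev.image_name, ev.parent_name
    if name in LOLBINS and parent in USER_APP_PARENTS:
        reasons.append("lolbin spawned by user application")
    if (name in LOLBINS or name in PROXY_LOADERS) and URL_RE.search(ev.cmdline):
        reasons.append("lolbin given a URL on its command line")
    if name in PROXY_LOADERS and not ev.parent.lower().startswith(PROXY_LOADERS[name]):
        reasons.append("vendor proxy loader started outside its product directory")
    return reasons


def scan(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, image name, reason) for every suspicious record."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.startswith("ProcessCreate|"):
            continue
        ev = parse_event(line)
        for reason in classify(ev):
            findings.append((n, ev.image_name, reason))
    return findings


if __name__ == "__main__":
    for line_no, image, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: {image}: {reason}")
```

Run against the constructed log, the benign svchost, explorer-launched rundll32 and Avast-launched aswrundll records produce nothing, while the Word-launched WMIC, the bitsadmin call with a URL and the aswrundll.exe started by a Temp-directory parent are each flagged. The third rule is the one that addresses the thread's question: it does not need to understand what aswrundll.exe does, only that its legitimate parent lives under the product directory.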
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Correct, but I wasn't talking about average users. I was talking more about EDR tools, by now they should be able to block these attacks in the first stage. I do believe that Win Def ATP is pretty good based on what I've read.
     
  10. guest

    guest Guest

    Microsoft's Windows 10 warning: Astaroth malware is back. This time it's even stealthier
    Malware group has changed its living-off-the-land tactics after Microsoft exposed its work
    March 24, 2020
    https://www.zdnet.com/article/micro...alware-is-back-this-time-its-even-stealthier/
    Microsoft: Latest Astaroth living-off-the-land attacks are even more invisible but not less observable
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Astaroth’s New Evasion Tactics Make It ‘Painful to Analyze’
    https://threatpost.com/astaroths-evasion-tactics-painful-analyze/
     