Microsoft is warning users about an old threat, which reincarnated with new methods to be stealthier. Astaroth malware gang was detected and mitigated by Microsoft in July last year, but now it surfaced again by exploiting Alternate Data Streams (ADS) of Windows, to hide from flaggers and dump malware payload for data stealing.
Astaroth’s methods of exploiting are different, but not the initial infection. This malware group starts with a phishing email, where it lures the potential victims to click on a link that redirects them to a website hosting a file as.LNK. This would attach the attacker’s payload and retrieved into the host system stealthily by exploiting Alternate Data Streams (ADS)! This file attribute allows an attacker to attach data to an existing file.
This was successful by exploiting the Alternate Data Streams (ADS) for remaining in stealth. Further, it exploits ExtExport.exe for loading the Payload. Abusing these options is legitimate, thus antivirus software won’t flag as suspicious activity.
This privilege lets them decrypt two plug-ins as NirSoft MailPassView and NirSoft WebBrowserPassView tool. The former one is for obtaining email client passwords and the latter ones for retrieving passwords from browsers. Another abusing is done to BITSAdmin, which is used for downloading the encrypted dump from the attacker’s C&C server. If not, this was actually used by system admins for downloading or uploading jobs and monitor their progress.
The initial email file statement that asks for clicking on the link would look like this, “Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”, that would take you to.LNK file for further dumping payload. Microsoft warned the community about this and said Brazil is being targeted vastly.