Microsoft is warning users about an old threat that has returned with new methods to be stealthier. The Astaroth malware campaign was detected and mitigated by Microsoft in July last year, but it has now surfaced again, abusing Windows Alternate Data Streams (ADS) to hide from security scanners and drop its data-stealing payload.

Modus Operandi

Astaroth's techniques after infection have changed, but the initial infection has not. The campaign starts with a phishing email that lures potential victims into clicking a link, which redirects them to a website hosting a .LNK file. Opening it retrieves the attacker's payload and plants it on the host stealthily by abusing Alternate Data Streams (ADS), a file attribute that lets an attacker attach data to an existing file.

Astaroth malware operation flow

As explained by Hardik Suri, a member of Microsoft's Defender ATP research team, after the victim clicks the .LNK file on the redirected website, it runs an obfuscated BAT command line that drops a JavaScript file into the Pictures folder and instructs explorer.exe to run the retrieved payload.

This succeeds because the payload is hidden in Alternate Data Streams (ADS), which keeps it out of sight. It then abuses ExtExport.exe to load the payload. Because these are legitimate Windows components, antivirus software won't flag their use as suspicious activity.

This foothold lets the malware decrypt two plug-ins, the NirSoft MailPassView and NirSoft WebBrowserPassView tools. The former obtains email client passwords and the latter retrieves passwords from browsers. BITSAdmin is abused as well, to download the encrypted dump from the attacker's C&C server. Ordinarily, BITSAdmin is a tool system administrators use to create download or upload jobs and monitor their progress.
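Both of the living-off-the-land pieces above, the payload hidden in an alternate data stream and the download through BITS, leave artifacts an administrator can enumerate with built-in cmdlets. The following PowerShell is an added example for defenders, not code from Microsoft's write-up or from the Astaroth campaign. It assumes an NTFS volume, that the Pictures folder named in the article is the starting point, that `Zone.Identifier` is the one alternate stream browsers legitimately add, and that the BitsTransfer module is available (listing other users' jobs requires an elevated session).

```powershell
# Added defender-side example (assumptions: NTFS volume, BitsTransfer module present).
# Part 1: list files that carry an alternate data stream other than the default
# unnamed ':$DATA' stream and the browser's Zone.Identifier marker.
function Find-SuspiciousAds {
    param(
        # Starting folder; the article says the dropped payload lands in Pictures.
        [string]$Path = "$env:USERPROFILE\Pictures",
        # Streams treated as benign; Zone.Identifier is the usual legitimate one (assumption).
        [string[]]$KnownBenign = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates every NTFS stream on the file, including the default one.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $KnownBenign -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                        # Hidden executables and scripts have a size; an empty stream is rarely interesting.
                        Note   = if ($_.Length -gt 0) { 'review stream content' } else { 'empty stream' }
                    }
                }
        }
}

# Part 2: list BITS jobs on the machine so unexpected downloads stand out.
# Get-BitsTransfer -AllUsers needs administrative rights; without them only the
# current user's jobs are returned.
function Get-BitsJobSummary {
    Import-Module BitsTransfer -ErrorAction Stop
    $jobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue
    foreach ($job in $jobs) {
        foreach ($entry in $job.FileList) {
            [pscustomobject]@{
                JobName      = $job.DisplayName
                Owner        = $job.OwnerAccount
                State        = $job.JobState
                TransferType = $job.TransferType
                RemoteName   = $entry.RemoteName   # the URL being pulled from
                LocalName    = $entry.LocalName    # where it lands on disk
            }
        }
    }
}

# Usage: run both checks and print the results as tables.
Find-SuspiciousAds | Format-Table -AutoSize
Get-BitsJobSummary | Format-Table -AutoSize
```

The stream content itself can be read with `Get-Content -LiteralPath <file> -Stream <name>` for inspection or hashing, and a stream can be removed with `Remove-Item -LiteralPath <file> -Stream <name>` once it has been confirmed as unwanted. Widen `$Path` to the whole user profile for a fuller sweep; the Pictures default only mirrors the folder named in the article.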

Astaroth malware attacking heatmap

The initial email that asks the recipient to click the link reads something like this: "Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes". The link leads to the .LNK file that then drops the payload. Microsoft warned the community about this and said Brazil is being targeted heavily.

Source: Microsoft
