
Be On The Lookout As Astaroth Malware Makes A Comeback

April 6, 2020 | May 9th, 2022 | Cybersecurity

Are you familiar with Astaroth?

If you’re a data security professional, you’ve probably at least heard the name.

The group gained some notoriety last year when it came to light that they had developed a means of spreading “fileless malware” using legitimate Windows tools to infect machines around the world.

The Windows Defender ATP team discovered evidence of a massive campaign and described the group’s innovative technique as ‘Living off the Land.’ Once Microsoft called attention to the group’s activities and the methods they were using to spread their malware, the campaign slowed to a trickle and the group went quiet for the rest of the year.

Now, they’re back and they’ve completely changed their approach. Their latest campaign begins conventionally, with a spam email that contains an LNK file. From there, the group veers off into new territory.

These days, they’re using Alternate Data Streams (ADS) to hide malicious payloads by attaching data to an existing file. To load the payload, the group is abusing a legitimate process called ExtExport.exe, which the Windows Defender ATP team describes as a “highly uncommon attack vector” that makes Astaroth payloads incredibly hard to detect.

If there’s a silver lining, it is the fact that a potential victim has to jump through at least a few hoops to trigger the conditions that will install the payload. The spam email they get will inevitably contain a zip file. A victim has to open the zip file, then click the LNK file, which runs an obfuscated BAT command line.

This, in turn, drops a JavaScript file into the Pictures folder on the machine and issues a command to Explorer.exe to run the file.
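The steps described above leave traces in process-creation logs: Explorer.exe launching a JavaScript file from Pictures, command lines that reference an alternate data stream, and any run of ExtExport.exe. The Python below is an added example, not code from this article or from Microsoft's report; the event field names (`image`, `command_line`), rule names and sample events are constructed assumptions.

```python
import re

# Hypothetical record layout: each event is a dict with "image" (process path)
# and "command_line", as a process-creation log export might provide.

# A Windows path component of the form "name.ext:stream" names an NTFS
# alternate data stream. Requiring a leading backslash skips URLs (host:port).
ADS_REF = re.compile(r'\\[^\\/:*?"<>|\s]+\.[A-Za-z0-9]{1,8}:[^\\/:*?"<>|\s]+')
# A .js file located under a Pictures folder.
JS_IN_PICTURES = re.compile(r'\\Pictures\\[^"]*\.js\b', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules a single process-creation event trips."""
    image = basename(event["image"])
    cmd = event["command_line"]
    hits = []
    if image == "extexport.exe":
        # Described as a highly uncommon vector, so any run deserves review.
        hits.append("extexport_execution")
    if image == "explorer.exe" and JS_IN_PICTURES.search(cmd):
        hits.append("explorer_runs_js_from_pictures")
    if ADS_REF.search(cmd):
        hits.append("ads_reference_in_command_line")
    return hits


def scan(events):
    """Return (index, rule names) for every event that trips a rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "command_line": r'explorer.exe "C:\Users\alice\Pictures\sample.js"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c type C:\Temp\a.bin > C:\Temp\report.txt:hidden.bin"},
    {"image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "command_line": r"ExtExport.exe C:\Temp\dir a b"},
    {"image": r"C:\Windows\explorer.exe",
     "command_line": r"explorer.exe C:\Users\alice\Pictures"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(index, rules)
```

The last sample event, Explorer.exe opening the Pictures folder itself, trips no rule, which is the benign case the checks need to leave alone.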

Given this, the best line of defense here is employee education. If your employees are still in the habit of opening emails and clicking on files and links from unknown and untrusted sources, there’s really no stopping this threat. Make sure your people understand the risks!

Chris Forte
