Astaroth latest variant using Alternative Data Stream (ADS), Living Off The Land technique and YouTube for hosting content
SonicWall RTDMI ™ engine has recently detected a LNK file inside an archive which delivers Astaroth Trojan to the victim’s machine. Archive file contains malicious LNK file has shown below:
LNK file contains an obfuscated command which uses EXPLORER.EXE to execute malicious JavaScript embedded in remote Uniform Resource Locator (URL):
Unavailability of the archive file in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs indicates its uniqueness and limited distribution:
JavaScript Analysis:
JavaScript contains 10 different URLs to download malicious files. It generates a random number to select a URL from the list. If the selected URL is not active, it will again generate a random number to select a URL in next iteration:
JavaScript creates a directory C:\Users\Public\Libraries\trust and downloads below files from the selected URL using Bitsadmin tool:
- landoqeahjkya.jpg
- landoqeahjkyb.jpg
- landoqeahjkyc.jpg
- landoqeahjkydwwn.gif
- landoqeahjkydx.gif
- landoqeahjkyg.gif
- landoqeahjkygx.gif
- landoqeahjkyi.gif
- landoqeahjkyxa.~
- landoqeahjkyxb.~
- landoqeahjky64a.dll
- landoqeahjky64b.dll
JavaScript immediately moves downloaded file into the Alternative Data Steam of desktop.ini, except landoqeahjky64a.dll and landoqeahjky64b.dll.
“Alternative Data Stream (ADS) is a feature of New Technology File System (NTFS) in Windows to store metadata for a specific file”
Alternative Data Streams of desktop.ini have been shown below using Streams tool:
JavaScript combines content from landoqeahjky64a.dll and landoqeahjky64b.dll to construct a valid Dynamic Link Library (DLL) and copies it to below files:
- landoqeahjky64.dll
- mozcrt19.dll
- mozsqlite3.dll
- sqlite3.dll
JavaScript writes “145_MULT1T3SL4S_” to r1.log file. It uses ExtExport.exe which is part of Windows Internet Explorer, to load one of the above DLL file. The loaded DLL belongs to Astaroth malware family:
Astaroth Analysis:
Astaroth is an information stealer which is primarily affecting Brazilian citizens since 2018. This malware prominently known for using Living Off The Land tactics to become invisible from security software.
Once landoqeahjky64.dll is loaded by ExtExport.exe, it combines content from landoqeahjkyxa.~ and landoqeahjkyxb.~ to construct a valid Dynamic Link Library (DLL). The malware uses process hollowing to load the constructed DLL in memory.
The malware looks for the default language of the system. If the default language is not Portuguese, the malware terminates immediately:
The malware reads and decrypts ADS content from desktop.ini:landoqeahjkygx.gif:
The malware uses above decryption logic for all the encrypted files. The same decryption logic was also used in previous version of Astaroth. We can decrypt Astaroth component files using the below code:
The malware searches below files in sequence to the victim’s system:
- C:\Program Files\Diebold\Warsaw\unins000.exe
- C:\Windows\SysWOW64\userinit.exe
- C:\Windows\System32\userinit.exe
The malware finds C:\Windows\System32\userinit.exe and creates a new process to inject ADS content from desktop.ini:landoqeahjkygx.gif:
The malware reads and decrypts DLL file from ADS desktop.ini:landoqeahjkyg.gif, then uses process hollowing to load the decrypted DLL in memory:
The malware checks for below installed antivirus software on victim’s machine:
- AVAST Software
- AVG
- Symantec
- McAfee
- COMODO
- Bitdefender
- ESET
The malware collects system information and saves it into the ADS desktop.ini:auid.log as shown below:
Network:
The malware uses YouTube to host the encrypted content as shown below:
Other Component:
The malware contains below well known files:
WebBrowserPassView by NirSoft: It is a password recovery tool that reveals the passwords stored by browsers.
Mail Password Recovery by Nirsoft: It is a password-recovery tool that reveals the passwords and other account details for email clients.
Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:
