Latest Astaroth variant uses Alternate Data Streams, Living Off The Land techniques and YouTube for hosting content
The SonicWall RTDMI™ engine has recently detected a LNK file inside an archive that delivers the Astaroth Trojan to the victim's machine. The archive containing the malicious LNK file is shown below:
The archive file is absent from popular threat-intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates its uniqueness and limited distribution:
“Alternate Data Streams (ADS) are a feature of the New Technology File System (NTFS) in Windows that allows additional named streams of data, such as metadata, to be attached to a file. ADS content is not shown in normal directory listings or in the file's reported size, which is why malware uses it to hide payloads.”
The Alternate Data Streams of desktop.ini are shown below using the Sysinternals Streams tool:
Astaroth is an information stealer that has primarily targeted Brazilian users since 2018. The malware is well known for using Living Off The Land tactics (abusing legitimate, signed Windows binaries) to remain invisible to security software.
ExtExport.exe is a legitimate Internet Explorer utility that loads DLLs from a directory supplied on its command line, which makes it a convenient DLL side-loading LOLBin. Once landoqeahjky64.dll is loaded by ExtExport.exe, it combines the contents of landoqeahjkyxa.~ and landoqeahjkyxb.~ to construct a valid Dynamic Link Library (DLL). The malware then uses process hollowing to load the constructed DLL in memory.
The malware checks the system's default language. If the default language is not Portuguese, the malware terminates immediately:
The malware reads and decrypts the ADS content from desktop.ini:landoqeahjkygx.gif:
The malware uses the above decryption logic for all of its encrypted files; the same logic was used in the previous version of Astaroth. Astaroth component files can be decrypted using the code below:
The malware searches the victim's system for the files below, in sequence:
- C:\Program Files\Diebold\Warsaw\unins000.exe
The malware locates C:\Windows\System32\userinit.exe and creates a new process from it, into which it injects the ADS content from desktop.ini:landoqeahjkygx.gif:
The malware reads and decrypts a DLL from the ADS desktop.ini:landoqeahjkyg.gif, then uses process hollowing to load the decrypted DLL in memory:
The malware checks for the following antivirus software installed on the victim's machine:
- AVAST Software
The malware collects system information and saves it into the ADS desktop.ini:auid.log, as shown below:
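The chain above leaves three behaviours that are cheap to hunt for in endpoint telemetry: ExtExport.exe being launched at all, userinit.exe being spawned by something other than winlogon.exe, and alternate data streams being written to desktop.ini. The following script is an added example written for this page, not SonicWall's code or anything shipped by the RTDMI engine. It runs a few such rules over constructed, Sysmon-shaped records (Event ID 1 for process creation, Event ID 15 for ADS creation); the paths, the directory name landoqeahjky and the parent/child relationships in the sample records are assumptions made for illustration, not observed values from the sample.

```python
"""Hunt for the Astaroth tradecraft described above in constructed
process-creation and ADS-creation events. Added example, not the
original page's or SonicWall's code."""
import ntpath

# Mark-of-the-Web stream written by browsers on every download; never interesting on its own.
BENIGN_STREAMS = {"zone.identifier"}

# Constructed sample telemetry (assumption: Sysmon-style fields). Event 1 = process
# create, Event 15 = FileCreateStreamHash, i.e. an ADS was written to a file.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\winlogon.exe", "cmdline": "explorer.exe"},
    {"id": 1, "image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\ExtExport.exe" C:\Users\Public\landoqeahjky'},
    {"id": 15, "target": r"C:\Users\Public\landoqeahjky\desktop.ini:landoqeahjkygx.gif"},
    {"id": 15, "target": r"C:\Users\Public\landoqeahjky\desktop.ini:auid.log"},
    {"id": 15, "target": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier"},
    {"id": 1, "image": r"C:\Windows\System32\userinit.exe",
     "parent": r"C:\Windows\System32\winlogon.exe", "cmdline": "userinit.exe"},
    {"id": 1, "image": r"C:\Windows\System32\userinit.exe",
     "parent": r"C:\Program Files\Internet Explorer\ExtExport.exe", "cmdline": "userinit.exe"},
]


def split_ads(path):
    """Return (file_path, stream_name) for an NTFS path carrying an alternate
    data stream, or (path, None) when there is no stream component."""
    head, sep, stream = path.rpartition(":")
    # 'C:\dir\file' also contains a colon, but a stream name never holds a backslash
    # and the drive-letter colon leaves a one-character head.
    if sep and stream and "\\" not in stream and len(head) > 2:
        return head, stream
    return path, None


def check_process(ev):
    """Rules for process-creation events; returns (rule_name, detail) or None."""
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent"]).lower()
    if image == "extexport.exe":
        # Legitimate IE tool, but almost never run by users; any execution is worth a look.
        return "lolbin_extexport", ev["cmdline"]
    if image == "userinit.exe" and parent != "winlogon.exe":
        # userinit.exe is normally started by winlogon.exe during logon only.
        return "userinit_unusual_parent", f"{ev['parent']} -> {ev['image']}"
    return None


def check_stream(ev):
    """Rules for ADS-creation events; returns (rule_name, detail) or None."""
    file_path, stream = split_ads(ev["target"])
    if stream is None or stream.lower() in BENIGN_STREAMS:
        return None
    if ntpath.basename(file_path).lower() == "desktop.ini":
        # desktop.ini is a hidden system file; a named stream on it is rarely legitimate.
        return "ads_on_desktop_ini", ev["target"]
    return "ads_created", ev["target"]


def hunt(events):
    """Run all rules over a list of events and return the hits in order."""
    hits = []
    for ev in events:
        if ev["id"] == 1:
            hit = check_process(ev)
        elif ev["id"] == 15:
            hit = check_stream(ev)
        else:
            hit = None
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

On the constructed records the script flags the ExtExport.exe launch, both streams written to desktop.ini and the userinit.exe instance whose parent is not winlogon.exe, while the Zone.Identifier stream on a downloaded PDF is ignored. The `ads_created` rule is broader than the page's case on purpose: any non-Mark-of-the-Web stream is unusual enough on most endpoints to be worth surfacing, and the desktop.ini variant is just the one Astaroth happens to use.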
The malware uses YouTube to host its encrypted content, as shown below:
The malware bundles the following well-known tools:
WebBrowserPassView by NirSoft: a password-recovery tool that reveals the passwords stored by web browsers.
Mail Password Recovery by NirSoft: a password-recovery tool that reveals the passwords and other account details for email clients.
Evidence of the detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file: