October 2, 2018 By Douglas Bonderud 2 min read

A new wave of Astaroth Trojan malware has resurfaced in South America, with more than 8,000 machines attacked in just one week.

According to the Cofense Phishing Defense Center, the Trojan used fake invoice emails with .lnk attachments that appeared to come from legitimate services under cam.br domains. It specifically targeted South American businesses — any attacks that detected an IP address outside of this geographic area were aborted.

If South American targets clicked on the provided link, Astaroth — the “Great Duke of Hell” in ancient lore — leveraged the Windows Management Instrumentation Console (WMIC) and its connected command-line interface to download nonlocal payloads with .xsl extensions.

Because the WMIC was run in noninteractive mode, users were typically unaware of the compromise. The malware then prevented users from opening any web browser except Internet Explorer, and when users navigated to Brazilian banks or businesses, it began recording keystrokes for data collection and account compromise.

How Does Astaroth Avoid Detection?

Astaroth first emerged in 2017, but Cofense noted that the revived campaign “has been well planned and supported, exclusively targeting South Americans.”

Despite its limited radius, however, the Trojan malware presents real concerns for organizations. To evade detection, the malware uses a randomly selected domain from a list of 154 in-code options. All the domains were hosted on Cloudflare, making it difficult to immediately identify them as malicious. This also made it hard for companies to effectively block Astaroth payloads due to the sheer number of legitimate domains associated with Cloudflare.

Furthermore, given the utility of the WMIC in managing Windows hosts, it remains a popular tool for corporate administrators — making it the ideal vehicle for Astaroth. It also makes it difficult for companies to avoid infection, since the WMIC is often a key part of day-to-day operations.

How to Protect Your Organization From Trojan Malware

To avoid Astaroth, IBM X-Force Exchange recommends implementing a separate verification process for email attachments. This could take the form of texts, phone calls or other secure communications. If users can easily verify that unexpected emails were not sent by legitimate vendors or clients, they can delete them instead of potentially exposing systems to risk.

Security professionals also suggest using continuous backup solutions coupled with regular account monitoring to limit the impact of data-stealing Trojan malware and prevent keyloggers from stealing password and login data.

Source: Cofense Phishing Defense Center

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today