The Astaroth campaign begins with a spam email containing a link to a website hosting a malicious .LNK file.
There were Astaroth campaigns in the US, Europe, and Asia in 2019. According to Microsoft, the vast majority of the attacks seen in February 2020 were aimed at Windows users in Brazil. Hence the initial spam email is written in Portuguese; it translates to: "Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes". The link points to an archive file named Arquivo_PDF_.zip.
If the recipient opens the .LNK file inside that .zip, it runs an obfuscated BAT command line. That command drops a JavaScript file into the Pictures folder and instructs explorer.exe (the Windows shell itself, not an Internet Explorer component) to run it. The script then reads and decrypts several plugins stored in alternate data streams (ADS) of a desktop.ini file; those plugins let Astaroth steal email and browser passwords and find and disable installed security software.
The attack goes largely undetected because, once the .LNK file has been launched, Astaroth uses only legitimate Windows tools to do its work. It is therefore very important that your system shows the extension at the end of every file name, so that a .LNK or .js file cannot pass itself off as a document. Please contact me if you can't enable this function.
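As an added example that is not part of the original post (and not code from Microsoft's report), here is a PowerShell script that covers the two practical points above: making file extensions visible, and looking for the artifacts the described attack chain leaves behind (a script file in the Pictures folder, and a desktop.ini carrying alternate data streams). The folders it searches and its choice to report every non-default stream are my assumptions; the post gives no stream names or exact paths, so the script reports anything unusual for a human to look at rather than matching a specific sample.

```powershell
# Added example, not from the original post or from Microsoft's report.
# Run as the logged-in user. It only reads, apart from the HideFileExt change in step 1.

# 1. Make file extensions visible so "Arquivo.pdf.lnk" is not shown as "Arquivo.pdf".
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    Write-Host "Extensions are hidden (HideFileExt=$hide); enabling them."
    Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads this value when it starts; sign out and in, or restart explorer.exe.
} else {
    Write-Host 'File extensions are already visible.'
}

# 2. List script and shortcut files in Pictures, where the text says the BAT stage
#    drops its JavaScript. A .js or .lnk here is unusual and worth a look.
$pictures = [Environment]::GetFolderPath('MyPictures')
Get-ChildItem -LiteralPath $pictures -Recurse -Force -Include *.js,*.jse,*.vbs,*.bat,*.lnk -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# 3. Find desktop.ini files that carry alternate data streams. A normal desktop.ini has only
#    the default ':$DATA' stream; extra named streams are where the text says the plugins live.
#    Stream names are an assumption: the post does not give them, so every non-default
#    stream is reported instead of matching specific names.
$roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP)   # assumed search locations
foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter desktop.ini -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}
```

If step 3 reports a stream, the contents can be dumped with `Get-Content -LiteralPath <file> -Stream <name> -Raw` before deciding what it is. One caveat: a `Zone.Identifier` stream is the normal "downloaded from the internet" mark on any file that came from a browser, so on its own it is not evidence of anything; a desktop.ini with several large named streams is the pattern the text describes.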
Really responsive, very knowledgeable about the subject matter and incredibly helpful.
I have, for about 10 years, used Lesley's services to keep my personal computer system up to date and functioning to my full satisfaction. He has advised me on the appropriate hardware and software to meet my needs; he has always responded quickly to any issues that occurred; I am totally comfortable giving Lesley remote access to my system when the need arises; it is a pleasure to deal with him.