The Astaroth campaign begins with a spam email containing a link to a website hosting a malicious .LNK file.
Astaroth campaigns were seen in the US, Europe and Asia during 2019. According to Microsoft, the vast majority of the February 2020 attacks are aimed at Windows users in Brazil, so the initial spam email is written in Portuguese; translated, it reads: "Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes". The link points to an archive file named Arquivo_PDF_.zip.
If the recipient opens the .LNK file inside the .zip, it runs an obfuscated BAT command line that drops a JavaScript file into the Pictures folder and then launches it with ExtExport.exe, a legitimate tool that ships with Internet Explorer (not explorer.exe, which is the Windows shell). The script reads and decrypts several plugins stored as alternate data streams (ADS) of a desktop.ini file; these plugins let Astaroth steal email and browser passwords and find and disable installed security software.
The attack evades detection because, once the .LNK file has been launched, Astaroth performs every remaining step with legitimate Windows tools (a living-off-the-land technique), so there is no unfamiliar executable for antivirus to flag. It is therefore very important that you can see the extension at the end of file names on your system. One caveat: by default Windows never displays the .lnk extension, even when extensions are turned on, so also look for the small shortcut arrow on the icon and treat a "document" that is really a shortcut as suspicious. Please contact me if you can't enable this function.
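Because the chain leaves two file-system artifacts that normal Windows use does not (a script in a user's Pictures folder and extra data streams on desktop.ini), they can be hunted for directly. The PowerShell script below is an added example written for this page, not code from the original post or from Microsoft's report; it assumes Windows PowerShell 5.1 or later and an account that can read the profiles under C:\Users, and the names $expected and $findings are its own.

```powershell
# Added hunting script (not from the original post). Assumes PowerShell 5.1+ on Windows
# and an account that can read every profile under C:\Users (run elevated for all users).
# It looks for the two artifacts described above: alternate data streams attached to
# desktop.ini files, and script files dropped into a user's Pictures folder.

$profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue

# Streams a desktop.ini may legitimately carry: the unnamed main stream ($DATA) and the
# Mark-of-the-Web marker added to downloaded files. Anything else is reported.
$expected = @(':$DATA', 'Zone.Identifier')

$findings = foreach ($p in $profiles) {
    # desktop.ini is a hidden system file, so -Force is required to enumerate it.
    Get-ChildItem -Path $p.FullName -Filter 'desktop.ini' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ini = $_
            # -Stream * lists every NTFS data stream on the file, including alternate ones.
            Get-Item -Path $ini.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $expected -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        Artifact = 'ADS on desktop.ini'
                        Path     = $ini.FullName
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                    }
                }
        }

    # The JavaScript loader is dropped into the Pictures folder; report any script there.
    $pictures = Join-Path -Path $p.FullName -ChildPath 'Pictures'
    if (Test-Path -Path $pictures) {
        Get-ChildItem -Path $pictures -Include '*.js', '*.jse', '*.vbs' -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Artifact = 'Script in Pictures'
                    Path     = $_.FullName
                    Stream   = ''
                    Bytes    = $_.Length
                }
            }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Astaroth-style artifacts found.'
}
```

A hit on either artifact is worth a closer look rather than proof of infection: dump the flagged stream with Get-Content -Stream to see what it holds, and check the process-creation history (Security event 4688 with command-line auditing, or Sysmon) for ExtExport.exe and userinit.exe started with unusual arguments, since those are the legitimate binaries the chain abuses.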
We come to you
7 Days a Week