Astrum is a relatively old exploit kit (EK) that is also known as Stegano EK. We noted in January 2017 how Stegano/Astrum had reappeared in recent months and talked about how Traps protects against it.
Since then, researchers have seen Astrum updated with new specific countermeasures that target security products and seek to evade detection, making it one of the most evolved threats out there today.
How Does It Work?
Astrum is currently being used as part of the AdGholas malvertising campaign. The AdGholas campaign uses malicious scripts in banner ads on legitimate websites. The malicious scripts direct users to an Astrum exploit kit server behind the scenes which then attacks the user’s system.
Astrum uses malicious Adobe Flash files that attempt to exploit vulnerabilities in Adobe Flash Player (CVE-2015-8651, CVE-2016-1019 and CVE-2016-4117) and Microsoft Internet Explorer (CVE‑2016‑0189). While these vulnerabilities have been patched, users with older versions of Flash and missing Microsoft patches are still at risk of successful attacks against them.
If the malicious Flash file is successful, it will download the payload onto the victim’s machine. Astrum has been known to deliver banking Trojans, including Ursnif. However, recent payloads include ransomware and other malware. Most recently, researchers have seen Astrum spreading the Mole ransomware.
Why Is It Unique?
Since March 2017, researchers have seen Astrum updated with tactics that specifically target detection and analysis.
Astrum exploits an information disclosure vulnerability (CVE-2017-0022) to identify and evade antivirus products. Astrum also utilizes Diffie-Hellman key exchange to incorporate an anti-replay feature to prevent security researchers from reviewing and diverting malicious network activity. Further adding to the challenge of detecting and analyzing Astrum is its use of HTTPS to encrypt its traffic.
And finally, Astrum encrypts the malicious Flash file so that the bulk of the malicious content is encrypted and only a small decryption stub is unencrypted. Astrum takes additional steps to defeat decryption in a sandbox environment by making the ability to decrypt the malicious Flash file machine-specific: the file cannot be decrypted anywhere but on the targeted system.
How Do You Stop It?
Taken all together, these recent updates to Astrum result in it thwarting most security protections. Its use of HTTPS challenges firewall-based protections. Its use of encryption for the malicious payload bypasses most traditional signature-based antivirus solutions. And the machine-specific decryption countermeasure thwarts the sandboxing found on many more advanced security products.
With the advanced evasion techniques Astrum utilizes, endpoint security needs real-time protections to stop Astrum on the target system after the malicious Flash file is decrypted but before it successfully executes.
Palo Alto Networks Traps advanced endpoint protection offers DLL security to prevent access to crucial DLL metadata from untrusted code locations. Traps also offers JIT mitigation to prevent JIT code from calling out-of-the-norm operating system functions. Traps offers unique protections against advanced exploitation capabilities, successfully preventing Astrum and exploit kits of its like.
Attackers will try to evade sandboxes and traditional signature-based antivirus in many unique ways, one of which is described above. However, the attacker cannot disguise the actual malicious activity he is trying to deploy. Traps is anti-evasive and not based on signatures and stops the malicious activity itself, which cannot be hidden or replaced.
[Palo Alto Networks Research Center]