Trojan horse malware sounds outdated — like “computer worm” or “floppy disk.” However, Trojan horses still gallop around the web, wreaking havoc on unassuming victims unprepared for their often-devastating attacks. If you thought Trojan horse malware had become an empty threat, think again: these four Trojans continue to lurk behind the gates of the internet, eager to infect your device and do serious damage.
Astaroth
Astaroth just sounds like a Grecian hero waiting inside the bowels of a wooden horse — or else a villain of the sci-fi future who uses digital attacks to cause mayhem. As it turns out, the latter is closer to the truth: Astaroth is a relatively new Trojan first discovered in 2017 — but it has a sinister new strategy.
In the past, Astaroth targeted internet users in South America with a fairly typical attack method. The only notable feature of the older Astaroth was that it scanned targeted systems for Avast, one of the most common antivirus programs in the world, and shut itself down if it detected signs of the software.
However, the new variant discovered this month makes good use of its knowledge of Avast. Instead of running from the antivirus software, Astaroth exploits a vulnerability in the security tool itself to find its way onto users’ machines. Disguised as a .gif or .jpeg image file, the malware can slide in undetected and unleash its payload, which logs user keystrokes, intercepts operating system calls and gathers credentials, including passwords.
As yet, the only way to stay safe against Astaroth is to install a different antivirus program than Avast, ideally from Trend Micro or another big-name infosec firm. Soon enough, Avast should release a patch that closes the flaw, but until that happens, you will be vulnerable to Astaroth.
RogueRobin
Holy cybercrime, Batman! That’s right, in this Trojan, Robin goes rogue and unleashes a horrible malware attack on unsuspecting citizens.
RogueRobin is a Trojan created by the black hat hacker group DarkHydrus, a group from the Middle East known for registering typosquatting domains and abusing open-source penetration testing tools. In the last weeks of 2018, DarkHydrus found a backdoor into Google Drive, allowing them to spread RogueRobin to Drive users through emails.
The Trojan is advanced — which is typical of DarkHydrus attacks. Not only does it create new registry entries, altering your device’s operation, but it also employs anti-analysis techniques and anti-debug code, making it especially difficult to identify and eradicate. Thus, the best offense is a good defense: know that you should never open attachments from unfamiliar sources or attachments with odd file names or extensions. RogueRobin is currently distributed in Arabic; foreign-language messages should be a big tip-off that you shouldn’t click anything. Cyber hygiene is good to develop early, so you should practice it yourself and teach everyone else in your household good security habits.
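The two warning signs the article raises, a payload "disguised as a .gif or .jpeg" (Astaroth) and attachments "with odd file names or extensions" (RogueRobin), can both be checked mechanically before anyone opens a file. The following is an added example written for this article, not code from the article's author or from any vendor: it compares an attachment's declared extension against the file's leading bytes (the well-known GIF, JPEG, PNG, PDF, ZIP and Windows PE signatures) and flags deceptive double extensions such as `photo.jpg.exe`. The function names and the sample attachments are constructed for the demonstration.

```python
"""Attachment triage: flag files whose declared extension disagrees with
their content, plus names that hide an executable behind an image-like
extension. Added example for this article; samples are constructed."""
from typing import Dict, List, Optional, Tuple

# Leading-byte signatures ("magic numbers") of a few common formats.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".jpg":  (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".pdf":  (b"%PDF-",),
    ".zip":  (b"PK\x03\x04",),
    ".exe":  (b"MZ",),           # Windows PE header (also .dll, .scr)
}

# Extensions that map to the same on-disk format as a key in MAGIC.
ALIASES = {".jpeg": ".jpg", ".dll": ".exe", ".scr": ".exe"}

# Extensions that run code when double-clicked: never expected in a
# legitimate "photo" or "invoice" sent by a stranger.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1",
                   ".bat", ".cmd", ".hta", ".jar", ".lnk"}


def identify(content: bytes) -> Optional[str]:
    """Return the MAGIC key whose signature matches the file's first bytes."""
    for ext, signatures in MAGIC.items():
        if any(content.startswith(sig) for sig in signatures):
            return ext
    return None


def triage(filename: str, content: bytes) -> List[str]:
    """Return a list of human-readable findings; an empty list means
    nothing suspicious was detected by these checks."""
    findings: List[str] = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    # "vacation.jpg.exe": the last extension decides what Windows runs,
    # the one before it is only there to look harmless.
    if len(parts) > 2 and ("." + parts[-2]) in MAGIC and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension: looks like .{parts[-2]} but runs as {ext}")

    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")

    # Content/extension mismatch: a PE file named image.gif, for example.
    actual = identify(content)
    claimed = ALIASES.get(ext, ext)
    if actual is not None and actual != claimed:
        shown = ext or "no extension"
        findings.append(f"content is {actual} but name claims {shown}")
    return findings


def run_samples() -> Dict[str, List[str]]:
    """Constructed attachments: a real GIF, a PE file disguised as a GIF,
    a double-extension lure, a JPEG under its alias, and a bare PDF."""
    samples = {
        "vacation.gif":    b"GIF89a\x01\x00\x01\x00",
        "vacation2.gif":   b"MZ\x90\x00\x03\x00\x00\x00",
        "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
        "photo.jpeg":      b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "report":          b"%PDF-1.4\n",
    }
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:18} {'OK' if not findings else '; '.join(findings)}")
```

A check like this belongs at the mail gateway or in a download handler rather than in the user's head; it does not replace antivirus scanning, since it only catches files that lie about what they are, but it is exactly the kind of lie both Trojans described here rely on.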
Dridex and Gozi
Both Dridex and Gozi are banking Trojans, which means they endeavor to learn users’ online credentials for banks and use them to clean out all checking and savings accounts. As you might expect, banking Trojans are some of the most insidious because they aren’t dealing with mere data but with dollars and cents — plus, there is rarely a way to regain the stolen funds once they are gone.
Dridex works its way onto users’ devices through an email containing a malicious Microsoft Word attachment. As soon as users open the file, Dridex releases its payload and begins searching for the banking credentials it craves. Dridex has been floating around the web since 2015, and in that time it has stolen an estimated $10 million from U.S. victims and nearly $26 million from victims in the U.K.
Gozi has a similar attack strategy, but instead of using macros in Microsoft Word, it performs web injections in the Windows 10 Edge browser — the successor to Windows Internet Explorer. Like RogueRobin, Gozi was created by a hacking group from Iran, this one called Izz ad-Din al-Qassam; unlike RogueRobin, Gozi is much more active and thus much more dangerous to the average user. Worse, some experts believe that this Trojan doesn’t stop at stealing bank credentials but is amassing a huge botnet to launch against banks in the coming months or years.
In all, Trojan horse malware remains a very real, very big threat to the average device user. Still, as long as you are smart about your browsing and have strong antivirus software installed on all your devices — even your mobile ones — you should be able to stay safe.
Awesome article!!! In this, Dridex is one of my best malware scripts. It has been founded by Russian hacking group member Yakubets.