Milkyway pic for Astrum EK.jpg

Astrum Exploit Kit, also known as Stegano, was (until recently) exclusively used in the massive AdGholas malvertising campaign, where it distributed several types of malware, including Ursnif and RAMNIT. The AdGholas campaign, discovered in the summer of 2016, was notable for its use of steganography to hide malicious JavaScript code in ads that redirected victims to a cloned version of a legitimate website.

This March, malware researcher Kafeine found a new version of Astrum that exploited CVE-2017-0022. Using CVE-2017-0022, attackers were able to test for the presence of antivirus and malware analysis tools on a victim's computer by exploiting a vulnerability in Microsoft's XML Core Services (MSXML).

It was also updated in April to further evade security researchers by preventing them from replaying malicious network traffic for analysis.

Research suggests that the Astrum EK is not currently being used to target the general public, as the amount of traffic is very low and the payloads are not from well-known malware families.

Enabling any of these new targets to your user policy will add protection against the associated threat to your ThreatSTOP DNS and IP Firewall Services. If you do not have a ThreatSTOP account Sign up for a free trial.

If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our Support team.