Ostap
The Ostap downloader is a JavaScript-based threat that was recently used in combination with the TrickBot Trojan. Its job is to profile the compromised system and to evade anti-malware software quietly. If both tasks complete without issue, Ostap connects to a remote command-and-control server, fetches the payload, and deploys it on the compromised host. So far, Ostap has been used exclusively to deliver TrickBot, but it is very likely to be reused to power other malicious campaigns in the future.
Ostap's Authors Turn to JavaScript
Cybercriminals often rely on basic downloaders built from PowerShell commands and obfuscated VBA (Visual Basic for Applications) scripts. Ostap is different because it is written entirely in JavaScript. The obfuscation applied by its authors is also impressive, to say the least: some detected samples contain over 36,000 lines of junk code meant to confuse automated script analysis tools. Manual examination is difficult as well, since only a dozen or so of those lines actually matter, while the rest are either dead code or exist solely to obscure the important parts of the script.
TrickBot is Ostap's #1 Payload Currently
The campaign pairing Ostap with TrickBot relies on phishing emails disguised as purchase notices that carry a '.DOCM' attachment containing a malicious macro. When the document is opened and the macro runs, it attempts to launch the JavaScript file holding the Ostap downloader. The downloader does not get to work immediately; it first runs basic system checks to make sure it is not executing in a sandbox environment. Thanks to the obfuscation tricks used by Ostap's authors, the downloader appears to evade basic antivirus software with ease.
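The delivery chain described above lends itself to a host-side behavioural detection that does not depend on the payload ever running: a Word process spawning a script host to execute a .js file, followed by that script host making an outbound connection. The Python below is an added example written for this page, not code from the Ostap authors or from any vendor. It assumes the macro hands the dropped JavaScript to Windows Script Host (wscript.exe or cscript.exe), which is the default handler for .js files on Windows; the Sysmon-style event fields and every log entry are constructed for illustration rather than taken from a real capture.

```python
import re
from collections import defaultdict

# Office processes that should not normally be spawning a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Windows Script Host binaries that execute .js files (assumption: the macro
# hands the dropped JavaScript to WSH, the default .js handler on Windows).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script extensions worth flagging when they appear on the command line.
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs)\b", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_chains(events):
    """Flag Office -> script host -> outbound connection chains.

    `events` is a list of dicts in a Sysmon-like shape (assumed, not a real
    capture): EventID 1 = process create, EventID 3 = network connect.
    Returns one alert dict per suspicious script-host process, including any
    outbound connections that process made, so the analyst sees the
    download-stage contact even if the payload itself never ran.
    """
    net_by_pid = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 3:
            net_by_pid[ev["ProcessId"]].append(
                (ev["DestinationIp"], ev["DestinationPort"]))

    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = basename(ev["Image"])
        parent = basename(ev["ParentImage"])
        cmdline = ev.get("CommandLine", "")
        if (image in SCRIPT_HOSTS and parent in OFFICE_PARENTS
                and SCRIPT_EXT.search(cmdline)):
            alerts.append({
                "pid": ev["ProcessId"],
                "parent": parent,
                "command_line": cmdline,
                "connections": net_by_pid.get(ev["ProcessId"], []),
            })
    return alerts


# Constructed sample telemetry, modelled on the chain described above.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4012,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\purchase_notice.docm"'},
    # The macro in the .docm hands the dropped JavaScript to wscript.exe.
    {"EventID": 1, "ProcessId": 5120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"wscript.exe //B //E:JScript C:\Users\alice\AppData\Local\Temp\notice.js"},
    # The downloader, having passed its sandbox checks, contacts its server.
    {"EventID": 3, "ProcessId": 5120,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: an admin running a script by hand from Explorer, not from Office.
    {"EventID": 1, "ProcessId": 6200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\tools\backup.js"},
]


if __name__ == "__main__":
    for alert in find_script_chains(SAMPLE_EVENTS):
        print(alert)
```

Because Ostap's sandbox checks may keep the payload from ever executing in a detonation environment, correlating the process tree on a real endpoint is more dependable than waiting for a second-stage signature to fire. The parent-process condition is what separates the malicious launch from an administrator's hand-run or scheduled script, which is why the fourth constructed event produces no alert.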
The type of lure document used to deliver Ostap leads researchers to believe that the attackers' primary targets are retailers and businesses. Keeping your computers protected with a reliable, regularly updated antivirus tool is recommended.