16 September 2019

Astaroth info stealing trojan uses Facebook, YouTube profiles to avoid detection


A cybercriminal group behind the Astaroth trojan has launched a new phishing campaign aimed at Brazilian users that leverages legitimate services to bypass email, endpoint and network defenses. The notable part of this operation is that it uses trusted sources such as Facebook and YouTube profiles to cover the malicious activity.

“The complex chain of events that leads to the successful installation of the Astaroth Trojan all starts with an .htm file attached to an email. There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information,” explained Cofense Intelligence team in a report detailing the new campaign.

The Astaroth trojan also leverages legitimate Microsoft Windows services to help propagate and deliver the payloads, as well as Cloudflare workers (JavaScript execution environment) to download modules and payloads - thus bypassing implemented network security measures.

In this recent campaign the attackers used three different kinds of emails written in Portuguese: one with an invoice theme, another with a show ticket theme, and a third with a civil lawsuit theme.

After the victim has clicked on the attachment, the .HTM file downloads a .ZIP archive that contains a malicious .LNK file, which, in turn, downloads a JavaScript from a Cloudflare workers domain. The JavaScript then downloads multiple files that are used to help obfuscate and execute a sample of the Astaroth information stealer. Among the files downloaded are two .DLL files that are joined together and side-loaded into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe’.

“Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security measures such as antivirus (AV), application white-listing, and URL filtering,” the researchers wrote.

After ExtExport.exe is running with the malicious code side-loaded, the script uses a technique known as process hollowing to infect a legitimate program with yet more malicious code. This technique is used by the attackers to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript.
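The side-loading step described above leaves a clear trace for defenders: a signed, legitimate binary (ExtExport.exe) loading a DLL from a directory where it has no business resolving libraries. The following is an added example, not code from the Cofense report, that runs a simple check over constructed Sysmon-style "Image loaded" (Event ID 7) records; the DLL names, user paths and the list of trusted directories are assumptions for illustration.

```python
import ntpath
from typing import Dict, Iterable, List

# Constructed sample of Sysmon-style Event ID 7 (Image loaded) records.
# Field names mirror Sysmon's "Image" and "ImageLoaded"; the user paths and
# DLL names are invented for this example, not indicators from the campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Program Files\Internet Explorer\ieproxy.dll"},
    {"Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\stage\placeholder.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\stage\placeholder.dll"},
]

# Directories from which ExtExport.exe is normally expected to resolve DLLs.
# Assumed baseline; tune it to what is observed as normal in your environment.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
)


def is_side_load_suspect(event: Dict[str, str]) -> bool:
    """True when ExtExport.exe loads a DLL from outside its trusted directories."""
    image = event.get("Image", "").lower()
    # ntpath handles Windows separators even when this runs on a non-Windows host.
    if ntpath.basename(image) != "extexport.exe":
        return False
    loaded = event.get("ImageLoaded", "").lower()
    return not any(loaded.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def find_side_loads(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the records that match the side-loading pattern."""
    return [e for e in events if is_side_load_suspect(e)]


if __name__ == "__main__":
    for hit in find_side_loads(SAMPLE_EVENTS):
        print("suspicious side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

The same check generalises to any other signed host binary known to be abused for side-loading by swapping the executable name and its expected library directories.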

The researchers also noted that the Astaroth trojan used in this campaign uses YouTube and Facebook profiles to host and maintain the C2 configuration data. The C2 data is base64-encoded and additionally encrypted with a custom scheme, and is inserted within posts on Facebook or within the profile information of user accounts on YouTube, allowing the attackers to bypass network security measures like content filtering.

Once the C2 information is gathered, Astaroth then proceeds to collect sensitive data, including financial information, passwords stored in the browser, email client credentials, SSH credentials, and more. The information gathered by the malware is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list (the majority of the sites are hosted on Appspot).

“Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures,” the researchers added.
