16 September 2019

Astaroth info stealing trojan uses Facebook, YouTube profiles to avoid detection

A cybercriminal group behind the Astaroth trojan has launched a new phishing campaign aimed at Brazilian users that leverages legitimate services to bypass email, endpoint and network defenses. The notable part of this operation is that it uses trusted sources such as Facebook and YouTube profiles to cover the malicious activity.

“The complex chain of events that leads to the successful installation of the Astaroth Trojan all starts with an .htm file attached to an email. There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information,” explained the Cofense Intelligence team in a report detailing the new campaign.

The Astaroth trojan also leverages legitimate Microsoft Windows services to help propagate and deliver the payloads, as well as Cloudflare Workers (a JavaScript execution environment) to download modules and payloads, thus bypassing the network security measures in place.

In this recent campaign the attackers used three different kinds of emails written in Portuguese: one with an invoice theme, another with a show ticket theme, and a third with a civil lawsuit theme.

After the victim has clicked on the attachment, the .HTM file downloads a .ZIP archive that contains a malicious .LNK file, which, in turn, downloads a JavaScript file from a Cloudflare Workers domain. The JavaScript then downloads multiple files that are used to help obfuscate and execute a sample of the Astaroth information stealer. Among the files downloaded are two .DLL files that are joined together and side-loaded into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe’.

“Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security measures such as antivirus (AV), application white-listing, and URL filtering,” the researchers wrote.

Once ExtExport.exe is running with the malicious code side-loaded, the malware uses a technique known as process hollowing to inject yet more malicious code, retrieved from the files downloaded by the earlier JavaScript, into another legitimate program.
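As an added illustration of how a defender might spot the side-loading step described above (this is example code, not code from the Cofense report or the article), the following heuristic runs over constructed image-load records shaped like Sysmon Event ID 7 fields and flags ExtExport.exe loading a DLL from outside both its own directory and the Windows system directories. The directory list and the rule itself are assumptions of this example.

```python
import ntpath

# Constructed image-load records in the shape of Sysmon Event ID 7 fields
# (Image = process performing the load, ImageLoaded = DLL path).
# These are made-up sample rows, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Program Files\Internet Explorer\ieproxy.dll"},
    {"Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\xx\combined.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\xx\combined.dll"},
]

# Directories from which a Windows binary normally resolves its DLLs
# (assumed list for this example).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\winsxs")


def is_sideload_candidate(event: dict) -> bool:
    """True when ExtExport.exe loads a DLL that lives neither beside the
    executable nor under a Windows system directory."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    if ntpath.basename(image) != "extexport.exe":
        return False
    loaded_dir = ntpath.dirname(loaded)
    if loaded_dir == ntpath.dirname(image):
        return False  # DLL sits next to the binary: normal resolution
    return not any(loaded_dir == d or loaded_dir.startswith(d + "\\")
                   for d in SYSTEM_DIRS)


def find_sideload_candidates(events) -> list:
    """Return the DLL paths of every flagged load, in event order."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible DLL side-load into ExtExport.exe:", path)
```

A copy of ExtExport.exe placed next to the malicious DLL would pass the same-directory check, so in practice also compare the Image path against the expected install location.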

The researchers also noted that the Astaroth trojan used in this campaign relies on YouTube and Facebook profiles to host and maintain its C2 configuration data. The C2 data is base64-encoded and custom-encrypted, then inserted within posts on Facebook or within the profile information of user accounts on YouTube, allowing the attackers to bypass network security measures such as content filtering.

Once the C2 information is gathered, Astaroth proceeds to collect sensitive data, including financial information, passwords stored in the browser, email client credentials, SSH credentials, and more. The information gathered by the malware is protected with two layers of encryption and sent via HTTPS POST to a site from the C2 list (the majority of the sites are hosted on Appspot).

“Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures,” the researchers added.
