A cybercriminal group behind the Astaroth trojan has launched a new phishing campaign aimed at Brazilian users that leverages legitimate services to bypass email, endpoint and network defenses. The notable part of this operation is that it uses trusted sources such as Facebook and YouTube profiles to hide the malicious activity.
“The complex chain of events that leads to the successful installation of the Astaroth Trojan all starts with an .htm file attached to an email. There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information,” explained the Cofense Intelligence team in a report detailing the new campaign.
In this recent campaign the attackers used three different kinds of emails written in Portuguese: one with an invoice theme, another with a show ticket theme, and a third with a civil lawsuit theme.
“Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security measures such as antivirus (AV), application white-listing, and URL filtering,” the researchers wrote.
The researchers also noted that the Astaroth trojan used in this campaign relies on YouTube and Facebook profiles to host and maintain its C2 configuration data. The C2 data is base64-encoded and additionally encrypted with a custom scheme, then inserted into Facebook posts or into the profile information of YouTube user accounts, which allows the attackers to bypass network security measures such as content filtering.
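The dead-drop technique described above, where C2 configuration sits inside otherwise ordinary profile or post text, gives defenders one heuristic: legitimate profile fields rarely contain long, high-entropy base64 runs. The following is an added example, not Cofense's code or anything from the report, that scans constructed profile strings for such blobs. The profile texts, the blob payload and the entropy threshold are all constructed or assumed here; the custom encryption layer the report mentions is unknown, so the scan stops at flagging candidates rather than decoding the configuration.

```python
import base64
import binascii
import math
import re

# Constructed sample "about" fields. The blob in dropper_user is a made-up byte
# sequence, not real Astaroth configuration data.
SAMPLE_PROFILES = {
    "benign_user": "Fan de futebol e musica. Contato: email@example.com",
    "hash_user": "commit abcdef0123456789abcdef0123456789abcdef01 ok",
    "dropper_user": "Ola! " + base64.b64encode(bytes(range(7, 200, 3))).decode() + " ate logo",
}

# Candidate base64 run: 40+ alphabet characters, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the decoded blob; random/encrypted data scores high."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_suspicious_blobs(text: str, min_entropy: float = 4.0):
    """Return base64 tokens in `text` that decode cleanly to high-entropy bytes."""
    hits = []
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        # Commit hashes and hex digests also match the alphabet; skip pure hex
        # to avoid an obvious false positive class.
        if HEX_ONLY.fullmatch(token):
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        ent = shannon_entropy(raw)
        if ent >= min_entropy:
            hits.append({"token": token, "decoded_len": len(raw), "entropy": round(ent, 2)})
    return hits


def scan_profiles(profiles: dict) -> dict:
    """Map profile name -> list of flagged blobs, for profiles with at least one hit."""
    result = {}
    for name, text in profiles.items():
        blobs = find_suspicious_blobs(text)
        if blobs:
            result[name] = blobs
    return result


if __name__ == "__main__":
    for name, blobs in scan_profiles(SAMPLE_PROFILES).items():
        for b in blobs:
            print(f"{name}: {b['decoded_len']} bytes, entropy {b['entropy']}")
```

The entropy threshold is deliberately loose; in practice this is a hunting signal to review against accounts a monitored host has contacted, not a blocking rule, since compressed images and tokens in legitimate profiles can also score high.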
Once the C2 information is gathered, Astaroth proceeds to collect sensitive data, including financial information, passwords stored in the browser, email client credentials, SSH credentials, and more. The information gathered by the malware is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list (the majority of the sites are hosted on Appspot).
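Because the exfiltration path above is an HTTPS POST to Appspot-hosted sites, the observable on most networks is the proxy or egress log rather than the payload itself (the two encryption layers defeat content inspection even with TLS interception). The following is an added example, not Cofense's code, that parses constructed proxy log lines and aggregates large POSTs to `.appspot.com` hosts per source address. The log format, hostnames, addresses, timestamps and the 4096-byte threshold are all constructed or assumed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log in a simplified "time src method host path status bytes_out" layout.
# Every host, address and size below is made up for this example.
SAMPLE_PROXY_LOG = """\
2019-09-10T14:02:11Z 10.0.0.21 GET www.example.com / 200 512
2019-09-10T14:02:15Z 10.0.0.21 POST example-app-1.appspot.com /gate 200 48211
2019-09-10T14:03:02Z 10.0.0.33 GET docs.example.org /guide/ 200 1024
2019-09-10T14:03:30Z 10.0.0.33 POST example-app-2.appspot.com /api 200 350
2019-09-10T14:05:40Z 10.0.0.21 POST example-app-1.appspot.com /gate 200 51990
2019-09-10T14:06:02Z 10.0.0.21 POST example-app-3.appspot.com /gate 500 47004
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)


def parse_proxy_log(text: str) -> list:
    """Parse the constructed log layout into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def find_appspot_uploads(records: list, min_bytes: int = 4096, suffix: str = ".appspot.com") -> dict:
    """Aggregate POSTs with a large outbound body to Appspot hosts, keyed by source address.

    Small POSTs are ignored: plenty of legitimate apps live on Appspot, so the
    signal here is bulk data leaving the host, not the destination alone.
    """
    by_src = defaultdict(lambda: {"posts": 0, "bytes_out": 0, "hosts": set()})
    for r in records:
        if r["method"] != "POST":
            continue
        if not r["host"].lower().endswith(suffix):
            continue
        if r["bytes_out"] < min_bytes:
            continue
        entry = by_src[r["src"]]
        entry["posts"] += 1
        entry["bytes_out"] += r["bytes_out"]
        entry["hosts"].add(r["host"])
    return dict(by_src)


if __name__ == "__main__":
    for src, info in find_appspot_uploads(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{src}: {info['posts']} large POSTs, {info['bytes_out']} bytes to {sorted(info['hosts'])}")
```

A host that repeatedly posts tens of kilobytes to several distinct Appspot applications, as `10.0.0.21` does in the sample, is worth pulling process and browser telemetry for; `10.0.0.33`, with a single 350-byte POST, is what ordinary Appspot-hosted app usage looks like and is not flagged.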
“Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures,” the researchers added.