16 September 2019

Astaroth info stealing trojan uses Facebook, YouTube profiles to avoid detection

A cybercriminal group behind the Astaroth trojan has launched a new phishing campaign aimed at Brazilian users that leverages legitimate services to bypass email, endpoint and network defenses. The notable part of this operation is that it uses trusted sources such as Facebook and YouTube profiles to cover the malicious activity.

“The complex chain of events that leads to the successful installation of the Astaroth Trojan all starts with an .htm file attached to an email. There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information,” explained the Cofense Intelligence team in a report detailing the new campaign.

The Astaroth trojan also leverages legitimate Microsoft Windows services to help propagate and deliver the payloads, as well as Cloudflare Workers (a JavaScript execution environment) to download modules and payloads, thus bypassing the network security measures in place.

In this recent campaign the attackers used three different kinds of emails written in Portuguese: one with an invoice theme, another with a show ticket theme, and a third with a civil lawsuit theme.

After the victim has clicked on the attachment, the .HTM file downloads a .ZIP archive that contains a malicious .LNK file, which, in turn, downloads a JavaScript from a Cloudflare workers domain. The JavaScript then downloads multiple files that are used to help obfuscate and execute a sample of the Astaroth information stealer. Among the files downloaded are two .DLL files that are joined together and side-loaded into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe’.

“Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security measures such as antivirus (AV), application white-listing, and URL filtering,” the researchers wrote.

After ExtExport.exe is running with the malicious code side-loaded, the script uses a technique known as process hollowing to infect a legitimate program with yet more malicious code. This technique is used by the attackers to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript.

The researchers also noted that the Astaroth trojan used in this campaign uses YouTube and Facebook profiles to host and maintain the C2 configuration data. The C2 data is base64-encoded and additionally encrypted with a custom scheme, and is inserted within posts on Facebook or within the profile information of user accounts on YouTube, allowing the attackers to bypass network security measures such as content filtering.

Once the C2 information is gathered, Astaroth proceeds to collect sensitive data, including financial information, passwords stored in the browser, email client credentials, SSH credentials, and more. The information gathered by the malware is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list (the majority of the sites are hosted on Appspot).
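Two of the observables described above (the joined DLLs side-loaded into ExtExport.exe, and that process reaching out to Cloudflare Workers, Facebook, YouTube or Appspot for configuration and exfiltration) can be turned into simple endpoint detection logic. The following is an added example written for this article, not code from Cofense or from the Astaroth samples; the event records are constructed Sysmon-style dictionaries, and the DLL path and hostname suffixes are illustrative assumptions rather than indicators from the report.

```python
"""Detection logic for two steps of the Astaroth chain: DLL side-loading into
ExtExport.exe and ExtExport.exe connecting to public hosting services.
Events are constructed Sysmon-style records (EventID 7 = image load, 3 = network connect)."""
import ntpath  # Windows path handling regardless of the host OS running the script

EXTEXPORT = r"c:\program files\internet explorer\extexport.exe"
# A genuine ExtExport.exe loads DLLs from its own folder or from Windows system folders.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Services named in the report; the exact suffixes are assumptions for illustration.
HOSTING_SUFFIXES = ("workers.dev", "facebook.com", "youtube.com", "appspot.com")


def is_sideload(event):
    """ExtExport.exe loading a DLL from anywhere other than its own or a system directory."""
    if event.get("EventID") != 7 or event.get("Image", "").lower() != EXTEXPORT:
        return False
    loaded_dir = ntpath.dirname(event.get("ImageLoaded", "").lower())
    if loaded_dir == ntpath.dirname(EXTEXPORT):
        return False
    return not any(loaded_dir.startswith(s) for s in SYSTEM_DIRS)


def is_hosting_connect(event):
    """ExtExport.exe (which has no business doing so) connecting to a public hosting service."""
    if event.get("EventID") != 3 or event.get("Image", "").lower() != EXTEXPORT:
        return False
    return event.get("DestinationHostname", "").lower().endswith(HOSTING_SUFFIXES)


def scan(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    alerts = []
    for ev in events:
        if is_sideload(ev):
            alerts.append(("dll_sideload_extexport", ev))
        elif is_hosting_connect(ev):
            alerts.append(("extexport_hosting_connect", ev))
    return alerts


# Constructed sample telemetry: one benign load, one side-load, one C2 fetch, one benign browser.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\joined.dll"},  # hypothetical path
    {"EventID": 3, "Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "DestinationHostname": "example-config.workers.dev"},  # hypothetical host
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.youtube.com"},
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(rule, ev)
```

Only the second and third records should alert; a browser visiting YouTube and ExtExport.exe loading a system DLL are both normal and must not.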

“Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures,” the researchers added.
