The attach chain appears to be very complex and starts with phishing messages that come with an .htm file attached. At each step of the infection process, threat actors leverage trusted sources and the interaction of the end-user. At every turn in the infection chain, the malware uses legitimate services to evade detection.
The Astaroth Trojan was first spotted by security firm Cofense in late 2018 when it was involved in a campaign targeting Europe and Brazil. The malware
In the recent campaign, the experts observed three differed kind of emails written in Portuguese used in this phishing campaign, one using an invoice theme, another with show ticket theme and a third one using civil lawsuit theme.
Among the files downloaded in the infection process there are two .DLL files that are joined together into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe.’
The use of a legitimate program to run the malicious code resulting from the union of the two DLLs downloaded from a trusted source allows bypassing security measures.
The experts noticed that the Astaroth Trojan involved in this campaign uses YouTube and Facebook profiles to host and maintain the C2 configuration data.
The C2 data are encoded in base64 format as well as custom encrypted, attackers inserted them within posts on Facebook or the profile information about user accounts on YouTube. This trick allows the attackers to bypass content filtering and other network security measures.
“The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down.” continues the researchers.
The Astaroth storage is able to steal sensitive information, including financial information, stored passwords in the browser, email client credentials, SSH credentials. The information gathered by the malware is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list, experts noticed that most of the sites are hosted on Appspot.
This phishing campaign exclusively targets Brazilians, the experts noticed that the initial .ZIP archive geo-fenced to Brazil.
However, experts warn that attackers could expand their activities to other countries using similar tactics.