by Harshil Patel and Prabudh Chakravorty
EDITOR'S NOTE: Special thanks to the GitHub team for working with us on this research. All malicious GitHub repositories mentioned in the following analysis have been reported to GitHub and taken down.
Digital banking has made our lives easier, but it has also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today we are breaking down a particularly nasty variant called Astaroth, and it is doing something clever: abusing GitHub to stay resilient.
McAfee's Threat Research team recently uncovered a new Astaroth campaign that takes infrastructure abuse to a new level. Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, the attackers use GitHub repositories to host malware configurations. When law enforcement or security researchers shut down the C2 infrastructure, Astaroth simply pulls a fresh configuration from GitHub and keeps running. Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood: even if you change your locks, they have another way in.
Key Findings
- McAfee recently discovered a new Astaroth campaign abusing GitHub to host malware configurations.
- Infection begins with a phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file. When executed, the shortcut installs the Astaroth malware on the system.
- Astaroth detects when the user accesses a banking or cryptocurrency website and steals the credentials by keylogging.
- It sends the stolen information to the attacker through Ngrok reverse-proxy tunnels.
- Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible: it hosts images on GitHub in which the configuration is hidden with steganography, in plain sight.
- The GitHub repositories have been reported to GitHub and taken down.
Key Takeaways
- Do not open attachments and links in emails from unknown sources.
- Use two-factor authentication (2FA) on banking websites where possible.
- Keep your antivirus up to date.
Geographical Prevalence
Astaroth is capable of targeting many South American countries, including Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. It can also target Portugal and Italy.
In the recent campaign, however, it appears to be focused mostly on Brazil.

Figure 1: Geographical Prevalence
Conclusion
Astaroth is a password-stealing malware family that targets South America. The malware uses GitHub to host configuration data, treating the platform as resilient backup infrastructure for when the primary C2 servers become inaccessible. McAfee reported the findings to GitHub and worked with their security research team to remove the malicious repositories, temporarily disrupting operations.
Technical Analysis

Figure 2: Infection chain
Phishing Email
The attack begins with an email to the victim containing a link to a website that downloads a zip file. Emails with themes such as DocuSign and resumes are used to lure victims into downloading the zip file.

Figure 3: Phishing Email

Figure 4: Phishing Email

Figure 5: Phishing Email
JavaScript Downloader
The downloaded zip file contains a LNK file carrying an obfuscated JavaScript command that is run using mshta.exe.
This command simply fetches more JavaScript code from the following URL:
To hinder analysis, all of the links are geo-restricted so that they can only be reached from the targeted geography; requests from outside it return nothing useful.
The downloaded JavaScript then downloads a set of files into ProgramData from a randomly chosen server:



Figure 6: Downloaded Files
Here,
"Corsair.Yoga.06342.8476.366.log" is the compiled AutoIt script, "Corsair.Yoga.06342.8476.366.exe" is the AutoIt interpreter,
"stack.tmp" is the encrypted payload (Astaroth),
and "dump.log" is the encrypted malware configuration.
The AutoIt script is executed by the JavaScript; the script builds shellcode and loads it in the memory of the AutoIt process.
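The two stages above leave a recognisable trail in process-creation telemetry. The following is an added example (not McAfee's code) of detection logic run over constructed events shaped like Sysmon Event ID 1 / EDR records. It flags mshta.exe started from Explorer with a remote URL on its command line (the .lnk stage), and an AutoIt interpreter that has been renamed, runs from ProgramData, was spawned by mshta.exe, and executes a compiled script whose extension is not .au3. The field names, the assumption that the renamed interpreter's PE version info still reports OriginalFilename "AutoIt3.exe", the placeholder URL and the sample events are all assumptions for this example.

```python
"""Detection logic for the LNK -> mshta.exe -> AutoIt delivery chain (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str        # full path of the parent process
    image: str               # full path of the new process
    original_file_name: str  # PE version-info OriginalFilename (survives renaming)
    command_line: str


URL_RE = re.compile(r"https?://", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"\\ProgramData\\", re.IGNORECASE)


def _name(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(command_line):
    """Split a Windows command line on spaces, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def detect(ev):
    """Return the list of suspicious traits found in one event (empty if clean)."""
    hits = []
    image, parent = _name(ev.image), _name(ev.parent_image)

    # Stage 1: the shortcut runs mshta.exe with an obfuscated command that
    # fetches more JavaScript from a URL. mshta.exe reaching out to a URL
    # straight from Explorer is rare outside malware delivery.
    if image == "mshta.exe" and URL_RE.search(ev.command_line):
        hits.append("mshta.exe with remote URL on command line")
        if parent == "explorer.exe":
            hits.append("mshta.exe started by Explorer (double-clicked shortcut)")

    # Stage 2: the JavaScript drops a renamed AutoIt interpreter plus a compiled
    # script with a .log extension into ProgramData, then runs the script.
    if ev.original_file_name.lower() == "autoit3.exe":
        args = _args(ev.command_line)
        if image != "autoit3.exe":
            hits.append(f"renamed AutoIt interpreter: {image}")
        if PROGRAMDATA_RE.search(ev.image):
            hits.append("AutoIt interpreter running from ProgramData")
        if len(args) > 1 and not args[1].lower().endswith(".au3"):
            hits.append(f"AutoIt script with non-.au3 extension: {_name(args[1])}")
        if parent == "mshta.exe":
            hits.append("AutoIt interpreter spawned by mshta.exe")
    return hits


def scan(events):
    """Map event index -> findings, for the events that trip any rule."""
    return {i: detect(ev) for i, ev in enumerate(events) if detect(ev)}


# Constructed sample telemetry: two events modelled on the chain above, two benign.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe", "MSHTA.EXE",
                 'mshta.exe "https://example.invalid/stage2"'),   # placeholder URL
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\ProgramData\Corsair.Yoga.06342.8476.366.exe", "AutoIt3.exe",
                 r'"C:\ProgramData\Corsair.Yoga.06342.8476.366.exe" '
                 r'"C:\ProgramData\Corsair.Yoga.06342.8476.366.log"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\AutoIt3\AutoIt3.exe", "AutoIt3.exe",
                 r'"C:\Program Files\AutoIt3\AutoIt3.exe" "C:\Users\dev\build.au3"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe", "MSHTA.EXE",
                 r'mshta.exe "C:\Users\dev\tool.hta"'),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, findings)
```

Only the first two constructed events trip a rule; the legitimate AutoIt run from Program Files and the local HTA do not. Each trait on its own is weak, so in production you would score the combination (renamed interpreter, ProgramData, mshta parent) rather than alert on any single one.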
Shellcode Analysis

Figure 7: AutoIt script building shellcode
The shellcode has three entry points; $LOADOFFSET is the one through which it loads a DLL in memory.
To run the shellcode, the script hooks kernel32!LocalCompact and makes it jump to that entry point.

Figure 8: Hooking the LocalCompact API
The shellcode's $LOADOFFSET entry point starts by resolving the set of APIs needed to load a DLL in memory. The resolved API addresses are stored in a jump table at the very beginning of the shellcode memory.

Figure 9: APIs resolved by the shellcode
Here the shellcode is made to load a DLL (written in Delphi), and this DLL decrypts the final payload and injects it into a newly created RegSvc.exe process.
Payload Analysis
The payload, the Astaroth malware itself, is written in Delphi and uses various anti-analysis techniques; it shuts down the system if it detects that it is being analyzed.
It checks for the following tools on the system:

Figure 10: List of analysis tools
It also checks the system locale and will not proceed if the locale is associated with the USA or English.
Every second it enumerates program windows such as browsers; if such a window is in the foreground and has a banking-related site open, it hooks keyboard events to capture keystrokes.

Figure 11: Hooking keyboard events
Programs are targeted if their window class name contains chrome, ieframe, mozilla, xoff, xdesk, xtrava or sunawtframe (covering Chrome, Internet Explorer, Firefox and Java AWT windows, among others).
Many banking-related sites are targeted, some of which are listed below:
caixa.gov.br
safra.com.br
Itau.com.br
bancooriginal.com.br
santandernet.com.br
btgpactual.com
We also observed some cryptocurrency-related sites being targeted:
etherscan.io
binance.com
bitcointrade.com.br
metamask.io
foxbit.com.br
localbitcoins.com
C2 Communication & Infrastructure
The stolen banking credentials and other information are sent to the C2 server using a custom binary protocol. The C2 endpoints observed are Ngrok TCP tunnels (see the IOC table), so the traffic terminates at ngrok.io hosts rather than at attacker-owned IP addresses.
Figure 12: C2 communication
Astaroth's C2 infrastructure and malware configuration are depicted below.

Figure 13: C2 infrastructure
The malware configuration is stored encrypted in dump.log; it contains the following information:

Figure 14: Malware configuration
Every 2 hours the configuration is refreshed by fetching an image file from the configuration update URLs and extracting the hidden configuration from the image. The update URLs are bit.ly short links that redirect to raw.githubusercontent.com, so the download looks like ordinary traffic to a widely trusted code host.
hxxps://bit[.]ly/4gf4E7H -> hxxps://raw.githubusercontent[.]com//dridex2024//razeronline//refs/heads/main//razerlimpa[.]png
The image file keeps the configuration hidden by storing it in the following format:

We found more GitHub repositories hosting image files with the same pattern and reported them to GitHub, which has taken them down.
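The layout figure is not reproduced on this page, so the following is an added triage example (not McAfee's code and not Astaroth's actual hiding format). It walks a PNG's chunk structure and reports the two places a first look should check when an image is suspected of carrying a payload: bytes appended after the IEND chunk, and chunks with non-standard type codes. Both sample images are constructed by the script itself: a valid 1x1 PNG with a placeholder configuration string either appended after IEND or wrapped in a private chunk. Nothing here is taken from a real sample.

```python
"""Triage a PNG for data stashed outside its pixel data (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS", b"gAMA",
    b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"hIST", b"tIME", b"sPLT",
}


def _chunk(ctype, data):
    """Encode one chunk: 4-byte big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width=1, height=1, extra_chunks=()):
    """Minimal valid 8-bit RGB PNG; extra_chunks are inserted before IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines))
    body += b"".join(_chunk(t, d) for t, d in extra_chunks)
    return PNG_SIG + body + _chunk(b"IEND", b"")


def triage(blob):
    """Walk the chunks; return (findings, bytes after IEND, {non-standard type: data})."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    findings, private = [], {}
    pos, seen_iend = len(PNG_SIG), False
    while pos + 8 <= len(blob) and not seen_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            return findings, b"", private
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            findings.append(f"CRC mismatch on {ctype!r} at offset {pos}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes) at offset {pos}")
            private[ctype] = data
        seen_iend = ctype == b"IEND"
        pos = end
    trailing = blob[pos:]
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND (decoders stop at IEND and ignore them)")
    return findings, trailing, private


# Constructed placeholder; Astaroth's real marker format is not shown on this page.
HIDDEN = b"PLACEHOLDER-CONFIG;c2=example.invalid:1234"
SAMPLE_APPENDED = make_png() + HIDDEN
SAMPLE_CHUNKED = make_png(extra_chunks=[(b"cfGx", HIDDEN)])

if __name__ == "__main__":
    for name, blob in (("appended", SAMPLE_APPENDED), ("chunked", SAMPLE_CHUNKED)):
        findings, trailing, private = triage(blob)
        print(name, findings, trailing, private)
```

Both constructed images render as a normal 1x1 pixel in any viewer, which is the point of hiding in plain sight: the file is a valid PNG, and only a chunk walk reveals the extra bytes. Data hidden inside the pixel values themselves (true LSB steganography) would pass this check, so treat a clean result as "nothing obvious", not as a clean bill of health.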
Persistence Mechanism
For persistence, Astaroth drops a LNK file in the Startup folder that runs the AutoIt script, launching the malware when the system starts. A Startup-folder shortcut whose target is an executable in ProgramData is an easy artifact to check for.
McAfee Coverage
McAfee has extensive coverage for Astaroth:
Trojan:Shortcut/SuspiciousLNK.OSRT
Trojan:Shortcut/Astaroth.OJS
Trojan:Script/Astaroth.DL
Trojan:Script/Astaroth.AI
Trojan:Script/AutoITLoader.LC!2
Trojan:Shortcut/Astaroth.STUP
Indicators of Compromise (IOCs)
| IOC | Hash / URL |
| --- | --- |
| Email | 7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70 |
| Email | 7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be |
| Email | 11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945 |
| ZIP URL | https://91.220.167.72.host.secureserver[.]net/peHg4yDUYgzNeAvm5.zip |
| LNK | 34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df |
| JS Downloader | 28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c |
| Download server | clafenval.medicarium[.]help |
| Download server | sprudiz.medicinatramp[.]click |
| Download server | frecil.medicinatramp[.]beauty |
| Download server | stroal.medicoassocidos[.]beauty |
| Download server | strosonvaz.medicoassocidos[.]help |
| Download server | gluminal188.trovaodoceara[.]sbs |
| Download server | scrivinlinfer.medicinatramp[.]icu |
| Download server | trisinsil.medicesterium[.]help |
| Download server | brusar.trovaodoceara[.]autos |
| Download server | gramgunvel.medicoassocidos[.]beauty |
| Download server | blojannindor0.trovaodoceara[.]bikes |
| AutoIt compiled script | a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b |
| Injector DLL | db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34 |
| Payload | 251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195 |
| Startup LNK | 049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43 |
| C2 server | 1.tcp.sa.ngrok[.]io:20262 |
| C2 server | 1.tcp.us-cal-1.ngrok[.]io:24521 |
| C2 server | 5.tcp.ngrok[.]io:22934 |
| C2 server | 7.tcp.ngrok[.]io:22426 |
| C2 server | 9.tcp.ngrok[.]io:23955 |
| C2 server | 9.tcp.ngrok[.]io:24080 |
| Config update URL | https://bit[.]ly/49mKne9 |
| Config update URL | https://bit[.]ly/4gf4E7H |
| Config update URL | https://raw.githubusercontent[.]com/dridex2024/razeronline/refs/heads/main/razerlimpa.png |
| GitHub repository hosting config images | https://github[.]com/dridex2024/razeronline |
| GitHub repository hosting config images | https://github[.]com/Config2023/01atk-83567z |
| GitHub repository hosting config images | https://github[.]com/S20x/m25 |
| GitHub repository hosting config images | https://github[.]com/Tami1010/base |
| GitHub repository hosting config images | https://github[.]com/balancinho1/balaco |
| GitHub repository hosting config images | https://github[.]com/fernandolopes201/675878fvfsv2231im2 |
| GitHub repository hosting config images | https://github[.]com/polarbearfish/fishbom |
| GitHub repository hosting config images | https://github[.]com/polarbearultra/amendointorrado |
| GitHub repository hosting config images | https://github[.]com/projetonovo52/master |
| GitHub repository hosting config images | https://github[.]com/vaicurintha/gol |
