by Harshil Patel and Prabudh Chakravorty
EDITOR'S NOTE: Special thanks to the GitHub team for working with us on this research. All malicious GitHub repositories mentioned in the following analysis have been reported to GitHub and taken down.
Digital banking has made our lives simpler, but it has also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we are breaking down a particularly nasty variant called Astaroth, and it is doing something clever: abusing GitHub to stay resilient.
McAfee's Threat Research team recently uncovered a new Astaroth campaign that has taken infrastructure abuse to a new level. Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations. When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running. Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood. Even if you change your locks, they have another way in.
Key Findings
- McAfee recently discovered a new Astaroth campaign abusing GitHub to host malware configurations.
- Infection begins with a phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file. When executed, it installs the Astaroth malware on the system.
- Astaroth detects when users access a banking or cryptocurrency website and steals the credentials using keylogging.
- It sends the stolen information to the attacker through the Ngrok reverse proxy.
- Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible, by hosting images on GitHub that use steganography to hide this information in plain sight.
- The GitHub repositories were reported to GitHub and have been taken down.
Key Takeaways
- Don't open attachments and links in emails from unknown sources.
- Use two-factor authentication (2FA) on banking websites where possible.
- Keep your antivirus up to date.
Geographical Prevalence
Astaroth is capable of targeting many South American countries such as Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. It can also target Portugal and Italy.
However, in the current campaign it appears to be largely focused on Brazil.
Figure 1: Geographical Prevalence
Conclusion
Astaroth is a password-stealing malware family that targets South America. The malware leverages GitHub to host configuration data, treating the platform as resilient backup infrastructure when primary C2 servers become inaccessible. McAfee reported the findings to GitHub and worked with their security research team to remove the malicious repositories, temporarily disrupting operations.
Technical Analysis
Figure 2: Infection chain
Phishing Email
The attack begins with an email to the victim that contains a link to a website that downloads a zip file. Emails with themes such as DocuSign and resumes are used to lure victims into downloading the zip file.
Figure 3: Phishing Email
Figure 4: Phishing Email
Figure 5: Phishing Email
JavaScript Downloader
The downloaded zip file contains a LNK file, which carries an obfuscated JavaScript command that is run using mshta.exe.
This command simply fetches more JavaScript code from the following URL:
To impede analysis, all the links are geo-restricted, so that they can only be accessed from the targeted geography.
The downloaded JavaScript then downloads a set of files into ProgramData from a randomly chosen server:
Figure 6: Downloaded Files
Here:
- "Corsair.Yoga.06342.8476.366.log" is the compiled AutoIt script,
- "Corsair.Yoga.06342.8476.366.exe" is the AutoIt interpreter,
- "stack.tmp" is the encrypted payload (Astaroth),
- and "dump.log" is the encrypted malware configuration.
The AutoIt script is executed by the JavaScript; it builds and loads shellcode in the memory of the AutoIt process.
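The process chain above (LNK → mshta.exe with inline JavaScript → AutoIt interpreter in ProgramData running a script disguised as a .log file → a RegSvc.exe child) is what an endpoint detection rule can key on. The following is an added example, not code from the original post: it runs three rules over constructed Sysmon-style process-creation events. The event field names follow Sysmon Event ID 1, the RegSvc.exe path and the benign AutoIt3 event are assumptions, and the check on OriginalFileName assumes the interpreter keeps its "AutoIt3.exe" version-info name even when renamed.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (Event ID 1 fields) modelled on
# the chain described above. Paths, parents and the RegSvc.exe location are
# assumed for the example; this is not telemetry from the campaign.
EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'mshta.exe javascript:eval("<obfuscated downloader>")', "OriginalFileName": "MSHTA.EXE"},
    {"Image": r"C:\ProgramData\Corsair.Yoga.06342.8476.366.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\ProgramData\Corsair.Yoga.06342.8476.366.exe" C:\ProgramData\Corsair.Yoga.06342.8476.366.log',
     "OriginalFileName": "AutoIt3.exe"},   # assumed: renamed interpreter keeps its version-info name
    {"Image": r"C:\Windows\System32\RegSvc.exe", "ParentImage": r"C:\ProgramData\Corsair.Yoga.06342.8476.366.exe",
     "CommandLine": "RegSvc.exe", "OriginalFileName": "RegSvc.exe"},
    {"Image": r"C:\Program Files\AutoIt3\AutoIt3.exe", "ParentImage": r"C:\Windows\explorer.exe",  # benign use
     "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Users\dev\build.au3', "OriginalFileName": "AutoIt3.exe"},
]

def _name(path):
    return PureWindowsPath(path).name.lower()

def _in_programdata(path):
    return path.lower().startswith("c:\\programdata\\")

def _args(cmdline):
    # Split a Windows command line on whitespace, honouring double quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify(ev):
    """Return the names of the rules an event matches (empty list if benign)."""
    hits = []
    img = _name(ev["Image"])
    if img == "mshta.exe" and "javascript:" in ev["CommandLine"].lower():
        hits.append("mshta-inline-javascript")
    if ev.get("OriginalFileName", "").lower() == "autoit3.exe":
        if _in_programdata(ev["Image"]):
            hits.append("autoit-in-programdata")
        # Script argument with a disguised extension (.log/.tmp rather than .au3/.a3x)
        if any(a.lower().endswith((".log", ".tmp")) for a in _args(ev["CommandLine"])[1:]):
            hits.append("autoit-disguised-script")
    if img == "regsvc.exe" and _in_programdata(ev["ParentImage"]):
        hits.append("regsvc-spawned-from-programdata")
    return hits

def scan(events):
    """(index, matched rules) for every event that matched at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Each rule alone is noisy on a developer workstation; the value is in the three firing on one host within a short window.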
Shellcode Analysis
Figure 7: AutoIt script building shellcode
The shellcode has 3 entry points, and $LOADOFFSET is the one it uses to load a DLL in memory.
To run the shellcode, the script hooks the Kernel32 API LocalCompact and makes it jump to the entry point.
Figure 8: Hooking LocalCompact API
The shellcode's $LOADOFFSET begins by resolving a set of APIs that are used for loading a DLL in memory. The API addresses are stored in a jump table at the very start of the shellcode memory.
Figure 9: APIs resolved by shellcode
Here the shellcode is made to load a DLL file (Delphi), and this DLL decrypts and injects the final payload into a newly created RegSvc.exe process.
Payload Analysis
The payload, the Astaroth malware, is written in Delphi and uses various anti-analysis techniques; it shuts down the system if it detects that it is being analyzed.
It checks for the following tools on the system:
Figure 10: List of analysis tools
It also makes sure that the system locale is not related to the United States or English.
Every second it checks for program windows such as browsers; if such a window is in the foreground and has a banking-related website open, it hooks keyboard events to capture keystrokes.
Figure 11: Hooking keyboard events
Programs are targeted if they have a window class name containing chrome, ieframe, mozilla, xoff, xdesk, xtrava or sunawtframe.
Many banking-related sites are targeted, some of which are listed below:
- caixa.gov.br
- safra.com.br
- Itau.com.br
- bancooriginal.com.br
- santandernet.com.br
- btgpactual.com
We also observed some cryptocurrency-related sites being targeted:
- etherscan.io
- binance.com
- bitcointrade.com.br
- metamask.io
- foxbit.com.br
- localbitcoins.com
C2 Communication & Infrastructure
The stolen banking credentials and other information are sent to the C2 server using a custom binary protocol.
Figure 12: C2 communication
Astaroth's C2 infrastructure and malware configuration are depicted below.
Figure 13: C2 infrastructure
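Because the C2 endpoints in this campaign are Ngrok TCP tunnels (the `<n>.tcp[.<region>].ngrok.io:<port>` entries in the IOC table), outbound connections to that host pattern are a practical network-side signal even though the protocol itself is custom and binary. The following is an added example, not code from the original post: it parses constructed Sysmon-style network-connection records (Event ID 3 field names; the hostnames, IPs, timestamps and process paths are invented) and raises the severity when the connecting binary lives under ProgramData, which is where the downloader stages its files.

```python
import re

# Constructed Sysmon-style network-connection (Event ID 3) records. Hosts, IPs and
# timestamps are invented for the example and are not telemetry from the campaign.
LOGS = """\
UtcTime=2025-10-01 12:00:03 Image=C:\\ProgramData\\Corsair.Yoga.06342.8476.366.exe DestinationHostname=1.tcp.sa.ngrok.io DestinationIp=203.0.113.10 DestinationPort=20262
UtcTime=2025-10-01 12:00:09 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationHostname=www.caixa.gov.br DestinationIp=203.0.113.20 DestinationPort=443
UtcTime=2025-10-01 12:05:41 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe DestinationHostname=demo-1234.ngrok-free.app DestinationIp=203.0.113.30 DestinationPort=443
UtcTime=2025-10-01 12:07:12 Image=C:\\ProgramData\\Corsair.Yoga.06342.8476.366.exe DestinationHostname=9.tcp.ngrok.io DestinationIp=203.0.113.40 DestinationPort=23955
"""

KEY_VALUE = re.compile(r"(\w+)=(.*)", re.S)
# Ngrok TCP tunnel endpoints look like <n>.tcp[.<region>].ngrok.io, matching the
# 1.tcp.sa.ngrok.io / 9.tcp.ngrok.io style addresses listed in the IOC table.
# HTTP tunnel hosts (e.g. *.ngrok-free.app) are deliberately not matched.
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z0-9-]+)*\.ngrok\.io$", re.I)

def parse(line):
    """Turn one 'Key=Value Key=Value' line into a dict (values may contain spaces)."""
    fields = {}
    for token in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        m = KEY_VALUE.fullmatch(token)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def assess(rec):
    """Return (severity, reason) when the record looks like ngrok-tunnelled C2, else None."""
    if not NGROK_TCP.match(rec.get("DestinationHostname", "")):
        return None
    severity, reasons = "medium", ["connection to ngrok TCP tunnel endpoint"]
    if rec.get("Image", "").lower().startswith("c:\\programdata\\"):
        severity, reasons = "high", reasons + ["initiated by a binary under ProgramData"]
    return severity, "; ".join(reasons)

def triage(text):
    """Alerts for every record in the log text, in order."""
    alerts = []
    for line in text.splitlines():
        rec = parse(line)
        verdict = assess(rec)
        if verdict:
            alerts.append({"time": rec.get("UtcTime"), "image": rec.get("Image"),
                           "dest": f"{rec.get('DestinationHostname')}:{rec.get('DestinationPort')}",
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts
```

Ngrok has legitimate uses, so the medium-severity hit is a triage lead rather than a verdict; the ProgramData qualifier is what ties it to this infection chain.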
The malware config is stored encrypted in dump.log; the following information is kept in it:
Figure 14: Malware configuration
Every 2 hours the configuration is updated by fetching an image file from the config update URLs and extracting the hidden configuration from the image.
hxxps://bit[.]ly/4gf4E7H -> hxxps://raw.githubusercontent[.]com//dridex2024//razeronline//refs/heads/main/razerlimpa[.]png
The image file keeps the configuration hidden by storing it in the following format:
We found more such GitHub repositories hosting image files with the above pattern and reported them to GitHub, which has taken them down.
Persistence Mechanism
For persistence, Astaroth drops a LNK file in the startup folder that runs the AutoIt script to launch the malware when the system starts.
McAfee Coverage
McAfee has extensive coverage for Astaroth:
- Trojan:Shortcut/SuspiciousLNK.OSRT
- Trojan:Shortcut/Astaroth.OJS
- Trojan:Script/Astaroth.DL
- Trojan:Script/Astaroth.AI
- Trojan:Script/AutoITLoader.LC!2
- Trojan:Shortcut/Astaroth.STUP
Indicators of Compromise (IOCs)
| IOC | Hash / URL |
|---|---|
| Email | 7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70, 7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be, 11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945 |
| ZIP URL | https://91.220.167.72.host.secureserver[.]net/peHg4yDUYgzNeAvm5.zip |
| LNK | 34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df |
| JS Downloader | 28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c |
| Download server | clafenval.medicarium[.]help, sprudiz.medicinatramp[.]click, frecil.medicinatramp[.]beauty, stroal.medicoassocidos[.]beauty, strosonvaz.medicoassocidos[.]help, gluminal188.trovaodoceara[.]sbs, scrivinlinfer.medicinatramp[.]icu, trisinsil.medicesterium[.]help, brusar.trovaodoceara[.]autos, gramgunvel.medicoassocidos[.]beauty, blojannindor0.trovaodoceara[.]bikes |
| AutoIt compiled script | a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b |
| Injector DLL | db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34 |
| Payload | 251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195 |
| Startup LNK | 049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43 |
| C2 server | 1.tcp.sa.ngrok[.]io:20262, 1.tcp.us-cal-1.ngrok[.]io:24521, 5.tcp.ngrok[.]io:22934, 7.tcp.ngrok[.]io:22426, 9.tcp.ngrok[.]io:23955, 9.tcp.ngrok[.]io:24080 |
| Config update URL | https://bit[.]ly/49mKne9, https://bit[.]ly/4gf4E7H, https://raw.githubusercontent[.]com/dridex2024/razeronline/refs/heads/main/razerlimpa.png |
| GitHub repositories hosting config images | https://github[.]com/dridex2024/razeronline, https://github[.]com/Config2023/01atk-83567z, https://github[.]com/S20x/m25, https://github[.]com/Tami1010/base, https://github[.]com/balancinho1/balaco, https://github[.]com/fernandolopes201/675878fvfsv2231im2, https://github[.]com/polarbearfish/fishbom, https://github[.]com/polarbearultra/amendointorrado, https://github[.]com/projetonovo52/master, https://github[.]com/vaicurintha/gol |