Threat Spotlight: Astaroth - Maze of Obfuscation and Evasion Reveals Dark Stealer

By Nick Biasini, Edmund Brumaghin and Nick Lister.

Cisco Talos is detailing an information stealer, Astaroth, that has been targeting Brazil with a variety of lures, including COVID-19, for the past nine to 12 months.
The complex maze of obfuscation and anti-analysis/evasion techniques implemented by Astaroth inhibits both detection and analysis of the malware family.
Astaroth makes creative use of YouTube channel descriptions for encoded and encrypted command and control (C2) communications.

What's new?


Astaroth implements a robust series of anti-analysis/evasion techniques, among the most thorough we've seen recently.
Astaroth is effective at evading detection and ensuring, with reasonable certainty, that it is only installed on systems in Brazil and not on sandboxes or researchers' systems.
The novel use of YouTube channels for C2 helps evade detection by leveraging a commonly used service on commonly used ports.

How did it work?


The user receives an email message with an effective lure; in this campaign, all emails were in Portuguese and targeted Brazilian users.
The user clicks a link in the email, which directs them to an actor-owned server.
The initial payload (a ZIP file containing an LNK file) is downloaded from Google infrastructure.
Multiple tiers of obfuscation are applied before LoLBins (ExtExport/Bitsadmin) are used to further the infection.
Extensive anti-analysis/evasion checks are performed before the Astaroth payload is delivered.
Encoded and encrypted C2 domains pulled from YouTube channel descriptions.

So what?


Astaroth is another example of the level of sophistication crimeware is consistently achieving.
This level of anti-analysis/evasion should be noted, as the likelihood of this spreading ..
