Astaroth infostealer just got better! It upgraded its obfuscation and anti-analysis tactics. These tactics ensure that the infostealer evades detection. According to researchers, this malware is “painful to analyze”.
What is happening
Astaroth was discovered to be the main component of a spear-phishing campaign, targeting Brazilians, over the last nine months. The infostealer has been found to be modified and updated at an alarming rate. The malware evades detection by implementing a complicated labyrinth of anti-sandbox and anti-analysis checks.
The wider view
Astaroth is spreading to Brazilian users via thousands of phishing emails, all written in Portuguese. The lures include emails pretending to be from the Ministry of Health for Brazil for the COVID-19 pandemic or the status of the victims’ Cadastro de Pessoas Fisicas.
During the download, the malware performs several checks to identify if the execution is in an analysis or virtual environment.
YouTube channels have been established by the attackers and the channel descriptions are being used to communicate a list of C&C servers.
What the experts are saying
Researchers have stated that the malware is evasive by nature and its creators have gone the whole nine yards to ensure its success.
According to a report by Cybereason, the malware disguises itself as GIF, JPEG, and other extension-less files to evade detection.
The attack chain is made stealthier through abusing Alternate Data Streams and a legitimate process - ExtExport.exe.
The Astaroth Trojan spam campaign is used to steal passwords and personal credentials from Brazilian users. Currently, it only actively exists in Brazil, and unleashing it on a global scale would wreak irreparable damage. Astaroth always stays ahead of its competitors by changing infrastructure at periodic intervals.