[MART] - Daily Diary #626 - Meet Astaroth, a Banking Remote Access Trojan

ctas-mat at appgate.com ctas-mat at appgate.com
Fri Nov 18 21:43:48 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

11/18/2022 - Diary entry #626:

Astaroth (also known as Guildma and Lucifer) is a Brazilian Banking Remote Access Trojan first documented in 2017, but it was created many years before that. Astaroth is one of the most active banking malware families in Latin America, targeting victims in Brazil, Chile, Uruguay, Peru, Ecuador, and Colombia, and expanding to other locations such as China, Europe, and North America.

Early this week, our team analyzed a recent set of samples that were collected from an attack against one of our clients. As soon as the victim infects itself with Astaroth’s downloader (usually by executing a .bat script, a .lnk shortcut file, or an MSI file), it drops the next-stage malware in a folder along with several files. The malicious payload is executed using AutoIt.exe, a legit freeware scripting language designed for automating Windows GUI and general scripting. This compiled AutoIt script is responsible for unpacking the final payload code and executing it using the Process Hollowing technique – which injects the code into the svchost.exe process.

Once executed, the final stage payload (a Delphi-compiled executable) checks for installed Anti Virus programs and steals Browser data (from Firefox, Chrome, and Edge folders), sending them to the attacker’s C2. The executable has several anti-debugging, anti-sandbox, and anti-analysis techniques such as encrypting all of its strings using a custom algorithm, checking if its process is being hooked, or if any analysis tools are being executed. Once any analysis behavior is detected, it runs a command line to force the system to shut down.

When the victim opens the browser and visits any page that matches Astaroth’s target list, it starts a remote connection to the attacker's C2, allowing the malware operator to control the victim’s machine. To perform fraud, they use social engineering while controlling the machine, inserting overlay images that ask for the victim’s password/token. The list of targeted financial organizations is huge, including but not limited to many Brazilian banks and Cryptocurrency exchanges such as Binance and Coinbase.

The sophistication of the attacks allows Astaroth’s operators to quickly launch new campaigns causing new victims to lose money or to have their browser data stolen and leveraged on further attacks.

Kind Regards,

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



MART

Malware Analysis and Research Team
Appgate

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20221118/b25f2fe9/attachment.htm>


More information about the MART mailing list