Astaroth Banking Trojan resurfaces with new trick
The Astaroth banking trojan now uses a public code hosting platform as a fallback for its command infrastructure. When takedown teams remove its servers, the malware pulls fresh configuration from the platform and stays active after the disruption. Researchers reported the tactic in a recent analysis.
The delivery side is still classic phishing: attackers send a document-themed email carrying a link to a malicious archive, and the infection chain begins when the victim opens the shortcut file inside it. The fallback channel means the campaign no longer depends on a single set of command servers.
Attack chain and delivery method
The attack starts with an email lure themed around a document service. The email contains a zipped shortcut file; when the user opens it, an obfuscated script runs and fetches the next stage.
That script downloads an automation script, which executes shellcode. The shellcode then loads a DLL loader that injects the trojan into a running system process, so the malware activates quietly inside a legitimate process and goes on to establish persistence.
How Astaroth hides configuration on platforms
When its primary command servers go offline, the trojan pulls new configuration from a public code hosting platform. The attackers hide the configuration data inside image files stored on that platform, using steganography so the images look like ordinary repository content.
Defenders therefore need to look for hidden data in traffic to a platform they would normally trust, and because the hosting itself is legitimate, takedowns are harder. The result is a campaign that is both more resilient and more stealthy.
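An added illustration, not code from the article or from the researchers' analysis: a heuristic scanner for PNG files that flags data appended after the IEND chunk, chunk types outside a common allow-list, and CRC mismatches. The article does not describe how Astaroth's steganography works, so this is a generic defender check for image files fetched from hosting platforms, not a decoder for the malware's scheme; the allow-list, the sample PNG and the hidden bytes are constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types common encoders emit (assumption: a short allow-list, extend as needed).
EXPECTED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"iTXt", b"zTXt", b"tIME",
                   b"pHYs", b"gAMA", b"sRGB", b"iCCP", b"bKGD", b"tRNS", b"cHRM", b"sBIT"}


def scan_png(data: bytes) -> dict:
    """Walk the chunk list; report bytes after IEND, unlisted chunk types and CRC mismatches."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, trailing, unexpected, crc_errors = len(PNG_SIG), 0, [], []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            break  # truncated chunk: stop rather than misparse the remainder
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            crc_errors.append(ctype.decode("latin-1"))  # body or type was modified after encoding
        if ctype not in EXPECTED_CHUNKS:
            unexpected.append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            trailing = len(data) - pos  # an image decoder ignores this, a loader can read it
            break
    return {"trailing_bytes": trailing, "unexpected_chunks": unexpected, "crc_errors": crc_errors}


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def build_png_sample(trailer: bytes = b"", extra: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG, optionally with an extra chunk before IEND and bytes after it."""
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one RGB pixel
    return PNG_SIG + ihdr + idat + extra + png_chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    sample = build_png_sample(trailer=b"constructed hidden config", extra=png_chunk(b"cfGx", b"constructed"))
    print(scan_png(sample))  # {'trailing_bytes': 25, 'unexpected_chunks': ['cfGx'], 'crc_errors': []}
```

A clean encoder output yields zero trailing bytes and no unlisted chunks, so any hit is worth a closer look rather than proof of infection; real steganography that alters pixel data would need a statistical check this heuristic does not attempt.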
Capabilities and targets
Astaroth monitors active browser windows to spot banking pages. When it detects a financial or cryptocurrency page, it logs keystrokes to capture credentials, and it exfiltrates the stolen data through a reverse proxy service.
The malware also resists analysis: it stops running if it finds debugging tools or emulators. For persistence, it drops a startup shortcut that relaunches it on reboot, so the infection survives restarts and defeats simple cleanup.
Geographic focus and prior campaigns
Researchers observed most activity in one Latin American country, with analysts also noting infections in nearby countries. Earlier campaigns used phishing clusters to deliver the same trojan, so the attackers are returning to a distribution method that has already worked for them.
How to prevent and respond
To reduce this risk, implement strong email filtering and automated detection for malicious archives, and deploy endpoint monitoring that flags unusual script downloads and modifications to startup locations. Managed continuous threat monitoring and automated incident response add a further layer: these services can detect hidden data in hosted files and block unauthorized configuration pulls. Finally, train staff to treat unexpected document links with caution.