Full Report
Cybersecurity researchers are calling attention to a new campaign that delivers the Astaroth banking trojan and uses GitHub as a backbone for its operations, letting it stay resilient in the face of infrastructure takedowns. "Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware
Analysis Summary
# Tool/Technique: Astaroth Banking Trojan
## Overview
Astaroth is a Delphi-based banking trojan primarily targeting users in Brazil and other Latin American countries. Its notable feature in recent campaigns is the abuse of GitHub repositories to host configuration files, making the malware resilient to infrastructure takedowns by allowing it to pull updated settings if primary Command and Control (C2) infrastructure fails.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Windows
- Capabilities: Credential theft (keylogging), resilience via GitHub hosting, anti-analysis measures, process injection.
- First Seen: Not explicitly listed, but previous activity was noted in July and October 2024.
## MITRE ATT&CK Mapping
*Note: Mappings are based on described behavior.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (initial delivery via embedded link/shortcut)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (use of obfuscated JavaScript)
  - T1055 - Process Injection
    - T1055.001 - Process Injection: Dynamic-link Library Injection (injecting a DLL into RegSvc.exe)
  - T1622 - Indicator Removal on Host (implied by anti-analysis features)
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder (dropping an LNK file in the Startup folder)
- **TA0006 - Credential Access**
  - T1056 - Input Capture
    - T1056.001 - Input Capture: Keylogging (hooking keyboard events when banking/crypto sites are open)
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (pulling configuration/scripts from external servers)
## Functionality
### Core Capabilities
- **Credential Theft:** Monitors for visits to banking or cryptocurrency websites (e.g., caixa.gov[.]br, itau.com[.]br, binance[.]com, metamask[.]io) and uses keylogging to steal credentials via keyboard event hooking.
- **Execution Chain:** Initial access uses a DocuSign-themed phishing email leading to a Windows Shortcut (.lnk) file. This file executes obfuscated JavaScript, which fetches more JavaScript. This secondary script downloads and executes an AutoIt script, which loads shellcode, ultimately loading and injecting a Delphi-based DLL into a newly created `RegSvc.exe` process.
- **Persistence:** Establishes persistence by placing an LNK file in the Windows Startup folder so that the associated AutoIt script is launched again after reboot.
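The Startup-folder persistence described above can be audited from the defender's side. The following is an added example, not code from the report or from the researchers it cites: it parses `.lnk` files just far enough (header, LinkInfo local base path, StringData) to see what each shortcut launches, and flags shortcuts that start an AutoIt interpreter or a script host from a user-writable location. The field layout follows the MS-SHLLINK specification; the process names, extensions and path hints used as heuristics, and the two sample shortcuts, are assumptions constructed for illustration.

```python
"""Added example (not part of the report): flag Startup-folder shortcuts that launch an
AutoIt interpreter or script host from a user-writable path. Header layout and flag bits
follow MS-SHLLINK; heuristics and sample shortcuts are assumptions, not report content."""
import os
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK section 2.1.1).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
# Heuristics (assumptions): launchers and payload extensions not expected in Startup
# shortcuts, and path fragments that indicate a user-writable drop location.
SUSPECT_LAUNCHERS = {"autoit3.exe", "wscript.exe", "cscript.exe"}
PAYLOAD_EXT = re.compile(r"\.(a3x|au3|js|jse)\b", re.IGNORECASE)
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def parse_lnk(data: bytes) -> dict:
    """Extract the local target path (from LinkInfo) and the StringData fields."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, fields = HEADER_SIZE, {}
    if flags & HAS_ID_LIST:                      # skip the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + lbp_off)
            fields["local_base_path"] = data[pos + lbp_off:end].decode("cp1252", "replace")
        pos += li_size
    for bit, name in STRING_FIELDS:              # StringData: CountCharacters then chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields


def assess(fields: dict) -> list:
    """Return the reasons a parsed shortcut matches the described persistence, or []."""
    target = (fields.get("local_base_path") or fields.get("relative_path") or "").lower()
    args = fields.get("arguments", "")
    reasons = []
    exe = target.rsplit("\\", 1)[-1]
    if exe in SUSPECT_LAUNCHERS:
        reasons.append("launches " + exe)
    if PAYLOAD_EXT.search(args) or PAYLOAD_EXT.search(target):
        reasons.append("references script payload")
    if any(hint in target for hint in USER_WRITABLE_HINTS):
        reasons.append("target in user-writable path")
    return reasons


def audit(shortcuts) -> list:
    """shortcuts: iterable of (name, raw bytes). Returns [(name, reasons)] for suspicious ones."""
    findings = []
    for name, blob in shortcuts:
        try:
            reasons = assess(parse_lnk(blob))
        except (ValueError, struct.error) as exc:
            reasons = ["unparseable shortcut: %s" % exc]
        if reasons:
            findings.append((name, reasons))
    return findings


def build_lnk(local_base_path: str, arguments: str) -> bytes:
    """Build a minimal spec-shaped .lnk as a test fixture (constructed, not a real artifact)."""
    path = local_base_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    li_hdr = 0x1C
    li_size = li_hdr + len(volume_id) + len(path) + 1                  # +1: empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", li_size, li_hdr, 0x01, li_hdr, li_hdr + len(volume_id), 0,
                            li_size - 1) + volume_id + path + b"\x00"
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID,
                         HAS_LINK_INFO | HAS_ARGS | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + link_info + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed samples: one shortcut matching the described persistence and one benign one.
SAMPLE_SHORTCUTS = [
    ("DocuSign.lnk", build_lnk(r"C:\Users\alice\AppData\Local\Temp\autoit3.exe",
                               r'"C:\Users\alice\AppData\Local\Temp\update.a3x"')),
    ("VendorTray.lnk", build_lnk(r"C:\Program Files\Vendor\Tray.exe", "/minimized")),
]


def startup_folders() -> list:
    """The per-user and all-users Startup folders Windows runs at logon (empty off Windows)."""
    roots = [os.environ.get("APPDATA", ""), os.environ.get("ProgramData", "")]
    paths = [os.path.join(r, "Microsoft", "Windows", "Start Menu", "Programs", "Startup") for r in roots if r]
    return [p for p in paths if os.path.isdir(p)]


if __name__ == "__main__":
    live = [(os.path.join(d, f), open(os.path.join(d, f), "rb").read())
            for d in startup_folders() for f in os.listdir(d) if f.lower().endswith(".lnk")]
    for name, reasons in audit(live or SAMPLE_SHORTCUTS):
        print(name, "->", "; ".join(reasons))
```

Run on a Windows host it walks both Startup folders; elsewhere it falls back to the constructed samples. A finding with all three reasons (launcher, script payload, user-writable target) is the shape the report's persistence would take; a shortcut that fails to parse is reported too, since a malformed `.lnk` in Startup deserves a look.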
### Advanced Features
- **GitHub-based Resilience:** Leverages GitHub repositories, housing configuration files as hidden images using steganography, to ensure operational continuity if primary C2 servers are seized.
- **Anti-Analysis/Anti-Debugging:** Actively checks for and terminates operations if it detects analysis tools such as QEMU Guest Agent, HookExplorer, IDA Pro, ImmunityDebugger, PE Tools, WinDbg, and Wireshark.
- **Geolocation/Locale Checks:** Aborts if the machine's system locale is English or U.S.; access to the initial URL is also geofenced.
- **Data Exfiltration:** Transmits stolen information to attackers using the Ngrok reverse proxy.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: `RegSvc.exe` (target process for injection), `.lnk` files (initial dropper)
- Registry Keys: [Not provided in context, but persistence utilizes Startup folder]
- Network Indicators: Ngrok reverse proxy utilized for exfiltration; configuration hosted on GitHub repositories (removed post-detection).
- Behavioral Indicators: Checking active browser windows every second for banking/crypto URLs; hooking keyboard events; attempting to detect virtualization/debugging environments.
## Associated Threat Actors
- Unknown/Unspecified, although previous campaigns involving Astaroth were associated with clusters dubbed PINEAPPLE and Water Makara in 2024.
## Detection Methods
- Signature-based detection: Known Astaroth file hashes, or YARA rules targeting the Delphi code structure.
- Behavioral detection: Monitoring the execution chain, specifically the `.lnk` file launching obfuscated JavaScript, the subsequent AutoIt execution, shellcode loading, and injection into legitimately named processes such as `RegSvc.exe`; monitoring for outbound connections through Ngrok from unexpected processes.
- YARA rules: [Not provided in context]
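The behavioral detections above, as an added example that is not part of the report or its source: a Python routine that applies the execution-chain rules and the Ngrok-egress rule to Sysmon-style process-creation (event_id 1) and network-connection (event_id 3) events, correlating them by parent/child ancestry. `RegSvc.exe` is the injection target named in the report; the script-host and AutoIt image names, the event field layout and the sample telemetry are assumptions constructed for illustration.

```python
"""Added example (not part of the report): correlate Sysmon-style events to flag the
.lnk -> JavaScript -> AutoIt -> RegSvc.exe -> ngrok chain described above."""
import re

# RegSvc.exe comes from the report; the script host and AutoIt interpreter names are
# assumptions about how the chain would appear in process telemetry.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT_IMAGES = {"autoit3.exe"}
INJECTION_TARGET = "regsvc.exe"
STAGERS = SCRIPT_HOSTS | AUTOIT_IMAGES
# Hostname suffixes used by ngrok tunnels; egress to them from unexpected processes is flagged.
NGROK_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")

# Constructed sample telemetry (not real data): one chain matching the described pattern
# and one benign process that also talks to GitHub.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"event_id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\DocuSign_Document.js"'},
    {"event_id": 1, "pid": 201, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\autoit3.exe",
     "cmd": r'autoit3.exe "C:\Users\alice\AppData\Local\Temp\update.a3x"'},
    {"event_id": 1, "pid": 202, "ppid": 201, "image": r"C:\Users\alice\AppData\Local\Temp\RegSvc.exe",
     "cmd": "RegSvc.exe"},
    {"event_id": 3, "pid": 202, "dest_host": "1a2b3c4d.ngrok-free.app", "dest_port": 443},
    {"event_id": 1, "pid": 300, "ppid": 100, "image": r"C:\Program Files\Git\cmd\git.exe", "cmd": "git fetch"},
    {"event_id": 3, "pid": 300, "dest_host": "github.com", "dest_port": 443},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int) -> list:
    """Image basenames from pid up to the root, guarding against pid reuse cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return alerts as dicts with rule, severity, pid and the process chain."""
    procs = {e["pid"]: e for e in events if e["event_id"] == 1}
    alerts = []

    def add(rule: str, severity: str, pid: int) -> None:
        alerts.append({"rule": rule, "severity": severity, "pid": pid, "chain": ancestry(procs, pid)})

    for e in events:
        if e["event_id"] == 1:
            img = basename(e["image"])
            parent = procs.get(e["ppid"])
            parent_img = basename(parent["image"]) if parent else ""
            lineage = ancestry(procs, e["ppid"])
            # Rule 1: a script host running a .js file (the .lnk's first stage).
            if img in SCRIPT_HOSTS and re.search(r"\.js\b", e["cmd"], re.IGNORECASE):
                add("script_host_runs_js", "low", e["pid"])
            # Rule 2: AutoIt interpreter spawned directly by the script host.
            if img in AUTOIT_IMAGES and parent_img in SCRIPT_HOSTS:
                add("autoit_spawned_by_script_host", "medium", e["pid"])
            # Rule 3: RegSvc.exe created anywhere beneath a script host or AutoIt process.
            if img == INJECTION_TARGET and any(a in STAGERS for a in lineage):
                add("regsvc_from_script_chain", "high", e["pid"])
        elif e["event_id"] == 3:
            # Rule 4: egress to an ngrok tunnel; high if the process descends from the chain.
            host = e.get("dest_host", "").lower()
            if host.endswith(NGROK_SUFFIXES):
                tainted = any(a in STAGERS for a in ancestry(procs, e["pid"]))
                add("ngrok_egress", "high" if tainted else "medium", e["pid"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], "pid", alert["pid"], " <- ".join(alert["chain"]))
```

Each rule alone is noisy (script hosts run `.js` files legitimately, and ngrok has lawful uses), which is why the routine keeps the process lineage: the `RegSvc.exe` and ngrok alerts are only raised at high severity when a script host or AutoIt process is an ancestor, matching the chain the report describes rather than any single indicator.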
## Mitigation Strategies
- **Email Security:** Enhanced filtering for phishing emails, especially those impersonating DocuSign, designed to drop LNK files.
- **Endpoint Protection:** Deploying advanced endpoint detection and response (EDR) capable of detecting process injection (e.g., into `RegSvc.exe`) and anti-analysis checks.
- **Network Monitoring:** Blocking or flagging traffic to known Ngrok endpoints used for exfiltration if the source is unexpected.
- **System Configuration:** Restricting execution permissions for JavaScript files originating from atypical sources. Note that the malware aborts on English/U.S. system locales, so this check offers no protection to systems in the targeted South American regions that run local locales.
- **GitHub Monitoring:** Alerting on suspicious file hosting activities within GitHub repositories that might indicate use as resilient C2 infrastructure.
## Related Tools/Techniques
- Previous Astaroth campaigns (July/October 2024).
- Other malware utilizing legitimate cloud services (like GitHub or Pastebin) for resilience.