Full Report
Astaroth is an advanced phishing kit using real-time credential and session cookie capture to compromise Gmail, Yahoo and Office 365 accounts
Analysis Summary
# Tool/Technique: Astaroth Phishing Kit
## Overview
Astaroth is a sophisticated new phishing tool kit, first advertised in January 2025, designed to compromise user accounts by capturing credentials, 2FA tokens, and session cookies in real-time to facilitate session hijacking.
## Technical Details
- Type: Phishing Kit / Framework
- Platform: Targets web applications/services (e.g., Gmail, Yahoo, Office 365) by routing the victim's interaction with the legitimate login page through an attacker-controlled reverse proxy.
- Capabilities: Near real-time interception of credentials and 2FA tokens; session cookie theft; operation via a reverse proxy structure similar to evilginx.
- First Seen: January 2025
## MITRE ATT&CK Mapping
*Note: As a phishing tool focused on interception and session takeover, the primary mappings fall under Initial Access and Credential Access tactics.*
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Less likely for this kit, but a general phishing component)
- T1566.002 - Spearphishing Link (Most likely delivery vector)
- **TA0006 - Credential Access**
- T1555 - Credentials from Password Stores (Indirectly, by capturing tokens/cookies which act as credentials)
- **TA0007 - Discovery** (Implied need to locate targets, but kit functionality is focused on credential theft)
## Functionality
### Core Capabilities
- Real-time interception of data entered by the user into the proxied login page (username, password).
- Real-time interception of one-time passcodes (OTPs) generated by 2FA systems.
- Captures session cookies generated after successful authentication steps.
- Mimics legitimate login pages using an evilginx-style reverse proxy setup.
### Advanced Features
- **Session Hijacking:** The primary advanced feature is using the captured session cookies to hijack the legitimate, authenticated user session directly, bypassing subsequent security checks.
- **Dynamic Token Forwarding:** The kit forwards 2FA tokens to the legitimate service in real-time, allowing the attacker to complete the authentication process immediately, before the one-time code expires.
## Indicators of Compromise
The provided article focuses on the *functionality* of the kit rather than providing specific IOCs from discovered incidents.
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: [Not provided in the text]
- Network Indicators: [Not provided in the text, but the mechanism relies on C2 communication for the reverse proxy setup]
- Behavioral Indicators: Establishing a reverse proxy connection between the victim and the legitimate service provider; real-time relay of authentication data.
## Associated Threat Actors
- Threat actors operating on cybercrime platforms who purchase or utilize phishing kits.
- [Specific groups not named in the provided text]
## Detection Methods
Specific signature detection is difficult for phishing kits, but behavioral analysis is key.
- Signature-based detection: [Not explicitly mentioned]
- Behavioral detection: Monitoring for connections attempting to proxy or chain connections to major service providers (e.g., Office 365, Gmail) through unexpected intermediary hosts. Analyzing session creation patterns post-authentication.
- YARA rules: [Not provided in the text]
## Mitigation Strategies
- Prevention measures: Using hardware security keys (FIDO2/WebAuthn), which are resistant to the token interception and session hijacking techniques used by reverse proxies because the credential is bound to the legitimate site's origin, so a response produced on the proxy's domain is rejected by the real service.
- Hardening recommendations: Monitoring for anomalies related to session token usage immediately following login. Utilizing device trust and conditional access policies.
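The behavioral detection and hardening bullets above both point at the same signal: a session cookie issued at login that is presented shortly afterwards from a different source. The following is an added example (not code from the article or from any vendor product) that runs that check over constructed sign-in and request events; the JSON field names, the 15-minute window and the sample IPs are assumptions, not a real tenant's log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from any real tenant). Each line is either
# the login that issued a session id, or a later request carrying that session.
SAMPLE_LOG = """
{"ts":"2025-02-01T09:00:00Z","event":"login","user":"alice","session":"s1","ip":"198.51.100.10","ua":"Firefox/134"}
{"ts":"2025-02-01T09:00:30Z","event":"request","user":"alice","session":"s1","ip":"198.51.100.10","ua":"Firefox/134"}
{"ts":"2025-02-01T09:02:10Z","event":"request","user":"alice","session":"s1","ip":"203.0.113.77","ua":"Chrome/132"}
{"ts":"2025-02-01T10:15:00Z","event":"login","user":"bob","session":"s2","ip":"192.0.2.5","ua":"Safari/18"}
{"ts":"2025-02-01T10:20:00Z","event":"request","user":"bob","session":"s2","ip":"192.0.2.5","ua":"Safari/18"}
"""

WINDOW = timedelta(minutes=15)  # assumed: how long after login a replay is "immediate"

def parse_events(text):
    """Parse one JSON object per line and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def find_replayed_sessions(events, window=WINDOW):
    """Flag a session whose cookie is presented from a different source IP or
    user agent within `window` of the login that issued it. A reverse-proxy kit
    captures the cookie at login time, so the first replay from the operator's
    infrastructure typically lands shortly after the victim authenticates."""
    origin = {}   # session id -> (login time, ip, user agent)
    alerts = []
    for e in events:
        if e["event"] == "login":
            origin[e["session"]] = (e["ts"], e["ip"], e["ua"])
            continue
        if e["session"] not in origin:
            continue  # no login seen for this session in the window of logs
        login_ts, ip, ua = origin[e["session"]]
        if e["ts"] - login_ts <= window and (e["ip"] != ip or e["ua"] != ua):
            alerts.append({
                "user": e["user"], "session": e["session"],
                "login_ip": ip, "replay_ip": e["ip"],
                "seconds_after_login": int((e["ts"] - login_ts).total_seconds()),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_events(SAMPLE_LOG)):
        print(alert)
```

In production the same logic would key on the identity provider's session or refresh-token id rather than the raw cookie value, and would compare ASN or geolocation rather than exact IP to reduce noise from mobile networks.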
## Related Tools/Techniques
- evilginx (The technique is explicitly described as "evilginx-style" reverse proxy)
- Adversary-in-the-Middle (AiTM) phishing frameworks