September 16, 2019 By David Bisson 2 min read

The Astaroth Trojan used Facebook and YouTube profiles to support its infection chain in a new phishing campaign targeting Brazilian users.

First observed by Cofense, the phishing emails, which were written in Portuguese, masqueraded as one of three items: an invoice, a show ticket or a civil lawsuit notice. In each case, the email messages lured users into opening an .htm file to initiate the infection chain. Users who did so unknowingly downloaded a .ZIP archive that was geofenced to Brazil and contained a malicious .LNK file.

Upon running the .LNK file, the campaign downloaded JavaScript code from a Cloudflare Workers domain. The JavaScript snippet then pulled down multiple elements used to execute a sample of the Astaroth Trojan.

In this campaign, Astaroth used YouTube and Facebook profiles to host and maintain configuration data for its command-and-control (C&C) infrastructure. This information took the form of data contained within posts on a Facebook profile or within profile information for certain YouTube users. Through this technique, the attackers were able to bypass traditional security tools and collect sensitive data, such as financial information and stored passwords.

Astaroth’s Recent Activity

In September 2018, Cofense discovered a resurgence of Astaroth in which the Trojan potentially compromised as many as 8,000 machines in the span of one week. A few months later, Cybereason spotted a new variant of the malware abusing native operating system (OS) processes and exploiting security products to infect users in Brazil.

Then, in July, the Microsoft Defender ATP Research Team spotted a fileless malware campaign dropping Astaroth into memory.

How to Break an Infection Chain Initiated by Phishing

To help defend against infection chains initiated by phishing attacks, security teams should consider adopting a layered approach to email security that incorporates mail scanning, spam monitoring and other security measures. Companies should also practice ahead-of-threat detection to spot potentially malicious domains before they become active in phishing campaigns and other digital attacks.

More from

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Is AI saving jobs… or taking them?

4 min read - Artificial intelligence (AI) is coming to take your cybersecurity job. Or, AI will save your job. Well, which is it? As with all things security-related, AI-related and employment-related, it's complicated. How AI creates jobs A major reason it's complicated is that AI is helping to increase the demand for cybersecurity professionals in two broad ways. First, malicious actors use AI to get past security defenses and raise the overall risk of data breaches. The bad guys can increasingly use AI-based…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today