Light Dark
September 16, 2019 By David Bisson 2 min read

The Astaroth Trojan used Facebook and YouTube profiles to support its infection chain in a new phishing campaign targeting Brazilian users.

First observed by Cofense, the phishing emails, which were written in Portuguese, masqueraded as one of three items: an invoice, a show ticket or a civil lawsuit notice. In each case, the email messages lured users into opening an .htm file to initiate the infection chain. Users who did so unknowingly downloaded a .ZIP archive that was geofenced to Brazil and contained a malicious .LNK file.

Upon running the .LNK file, the campaign downloaded JavaScript code from a Cloudflare Workers domain. The JavaScript snippet then pulled down multiple elements used to execute a sample of the Astaroth Trojan.

In this campaign, Astaroth used YouTube and Facebook profiles to host and maintain configuration data for its command-and-control (C&C) infrastructure. This information took the form of data contained within posts on a Facebook profile or within profile information for certain YouTube users. Through this technique, the attackers were able to bypass traditional security tools and collect sensitive data, such as financial information and stored passwords.

Astaroth’s Recent Activity

In September 2018, Cofense discovered a resurgence of Astaroth in which the Trojan potentially compromised as many as 8,000 machines in the span of one week. A few months later, Cybereason spotted a new variant of the malware abusing native operating system (OS) processes and exploiting security products to infect users in Brazil.

Then, in July, the Microsoft Defender ATP Research Team spotted a fileless malware campaign dropping Astaroth into memory.

How to Break an Infection Chain Initiated by Phishing

To help defend against infection chains initiated by phishing attacks, security teams should consider adopting a layered approach to email security that incorporates mail scanning, spam monitoring and other security measures. Companies should also practice ahead-of-threat detection to spot potentially malicious domains before they become active in phishing campaigns and other digital attacks.

 |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

July 26, 2024

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

July 24, 2024

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature