
Astaroth Trojan Resurfaces, Targets Brazil through Fileless Campaign

During routine detection monitoring from our Advanced Threat Control technology, Bitdefender researchers found an interesting spike in malware activity that involved using Microsoft binaries in the infection process, as well as GitHub and Google Drive for delivering payloads. After analyzing the detection details, we identified this activity as a resurgence of the Astaroth spyware, a Trojan and information stealer known since late 2017.

What sets this Astaroth campaign apart is the use of native Microsoft tools – commonly known as “living off the land” – to avoid detection by traditional security solutions, as well as the fact that it specifically targets Brazil by checking for a Brazilian location and a Portuguese-language keyboard before activating. Bitdefender telemetry shows that 92.61 percent of users targeted by this May 2019 Astaroth campaign are in Brazil.

Astaroth logs keystrokes only when a victim uses Internet Explorer (IE) and browses to specific Brazilian banks or businesses, and will even terminate Chrome or Firefox executables to make sure the victim uses IE. Our investigation also revealed that threat actors seem to use multiple versions of the same malware and host them on multiple websites.
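The two behaviours just described (a native Microsoft binary pulling payloads from GitHub or Google Drive, and Chrome or Firefox being killed to force IE usage) can be correlated in endpoint telemetry. The following is an added detection example, not code from Bitdefender or from the report; the list of native binaries, the event schema and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed indicator sets for this example (not from the Bitdefender report):
# native Microsoft binaries that rarely need to pull files from code-hosting
# sites, the hosting services named in the post, and the browsers Astaroth kills.
NATIVE_MS_BINARIES = {"regsvr32.exe", "bitsadmin.exe", "certutil.exe", "mshta.exe", "wmic.exe"}
PAYLOAD_HOSTS = {"github.com", "raw.githubusercontent.com", "drive.google.com"}
BROWSERS = {"chrome.exe", "firefox.exe"}
WINDOW_SECONDS = 600  # both stages must occur on one host within ten minutes

@dataclass
class Event:
    host: str      # endpoint name (constructed schema)
    ts: int        # epoch seconds
    kind: str      # "net" (outbound connection) or "kill" (process terminated)
    process: str   # image name of the acting process
    target: str    # destination hostname for "net", terminated image for "kill"

def stage_of(e: Event) -> str:
    """Map one telemetry event to an Astaroth-like stage, or '' if benign."""
    proc, tgt = e.process.lower(), e.target.lower()
    if e.kind == "net" and proc in NATIVE_MS_BINARIES and tgt in PAYLOAD_HOSTS:
        return "lolbin_payload_fetch"
    if e.kind == "kill" and tgt in BROWSERS and proc not in BROWSERS:
        return "browser_kill"  # a non-browser process forcing the victim onto IE
    return ""

def correlate(events: List[Event]) -> Dict[str, List[str]]:
    """Return {host: [stages]} for hosts where both stages occur within WINDOW_SECONDS."""
    by_host: Dict[str, List[Tuple[int, str]]] = {}
    for e in sorted(events, key=lambda x: x.ts):
        stage = stage_of(e)
        if stage:
            by_host.setdefault(e.host, []).append((e.ts, stage))
    alerts: Dict[str, List[str]] = {}
    for host, hits in by_host.items():
        for i, (t1, s1) in enumerate(hits):
            for t2, s2 in hits[i + 1:]:
                if s1 != s2 and t2 - t1 <= WINDOW_SECONDS:
                    alerts[host] = sorted({s1, s2})
    return alerts

# Constructed sample telemetry: one host showing both stages, two benign hosts.
SAMPLE = [
    Event("PC-01", 1000, "net", "bitsadmin.exe", "raw.githubusercontent.com"),
    Event("PC-01", 1300, "kill", "wscript.exe", "chrome.exe"),
    Event("PC-02", 1000, "kill", "chrome.exe", "chrome.exe"),  # browser exiting itself
    Event("PC-03", 1000, "net", "chrome.exe", "github.com"),   # normal browsing
]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # {'PC-01': ['browser_kill', 'lolbin_payload_fetch']}
```

Either stage on its own is noisy in real environments; the correlation window is what turns them into a credible alert.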

Key Findings:

  • Astaroth distribution via legitimate online services (GitHub, Google Drive)
  • Campaign specifically targets Brazilian users (92.61 percent) by checking for a Brazilian locale and a Portuguese-language keyboard before activating
  • Uses fileless techniques and native Microsoft tools to hide from traditional security solutions
  • Threat actors use multiple versions of the same malware, each hosted on a large number of websites
  • Logs keystrokes only when the victim uses Internet Explorer to browse specific Brazilian banks or businesses

For a more detailed technical analysis, please check out the technical paper below:


*** This is a Security Bloggers Network syndicated blog from Bitdefender Labs authored by Liviu Arsene. Read the original post at: https://labs.bitdefender.com/2019/07/astaroth-trojan-resurfaces-targets-brazil-through-fileless-campaign/