The operators of the Astaroth infostealer have implemented several new tactics aimed at evading detection, which researchers say have made the malware “painful to analyze.”
Astaroth first emerged in 2017, but has steadily been used over the years in increasingly sophisticated campaigns aimed at exfiltrating sensitive data. In September, for instance, researchers with Cofense warned that the trojan was being spread via phishing emails, and was using normally trusted sources as a cover for malicious activities to evading usually effective network security layers.
More recent analysis of the infostealer has now emerged, after it was discovered at the heart of a spear-phishing campaign targeting Brazilians over the past nine months. The newest Astaroth samples show that the malware family is being updated and modified “at an alarming rate,” according to Cisco Talos researchers.
“Astaroth is evasive by nature and its authors have taken every step to ensure its success,” researchers Nick Biasini, Edmund Brumaghin and Nick Lister said in a Monday analysis. “They have implemented a complex maze of anti-analysis and anti-sandbox checks to prevent the malware from being detected or analyzed. Starting with effective and impactful lures, to layer after layer of obfuscation, all before any malicious intent was ever exposed.”
The Lures
The most recent campaign is spreading Astaroth to Brazilian users in thousands of emails, written in Portuguese. Over the last six to eight months, these actors have leveraged a variety of different lures touching on several different topics, including the coronavirus pandemic (in messages pretending to be from the Ministry of Health for Brazil), or the status of victims’ Cadastro de Pessoas Físicas, a vital document in Brazil similar to Social Security cards in the United States.
Example of spear phishing email. (Credit: Cisco Talos)
The emails convince victims to click a link, which then downloads a .ZIP file that acts as a dropper for a malicious Microsoft Windows shortcut .LNK file. This file then kicks off a complex infection process. The .LNK file contains batch commands that, when executed, create a heavily obfuscated JScript file. The de-obfuscated Jscript file reveals a robust downloader, which checks for a third-stage malware payload (“sqlite3.dll”). If the downloader successfully finds sqlite3.dll, it eventually downloads Astaroth, used to steal sensitive information from various applications running on infected systems.
Anti-Analysis
Astaroth’s infection process and subsequent payload implements a robust series of anti-analysis techniques. During the infection process, for instance, the JScript uses of various layers of obfuscation to make analysis more difficult, including CharCode replacement being used throughout the script.
“The script is effectively taking the decimal representation of ASCII characters, converting them, and concatenating the result to create a string containing the command-line syntax necessary for the Windows Command Processor to execute them,” explained researchers.
During download, Astaroth also performs various environmental checks in an attempt to identify if the malware is being executed in a virtual or analysis environment, including sniffing out virtual machine (VM) indicators, sandboxes, debugging tools for Windows and more. If any of the checks fail, the malware forcibly reboots the system.
The malware goes above and beyond in ensuring anti-analysis, including leveraging CreateToolhelp32Snapshot (a legitimate Windows function allowing users to take screenshots of their systems) to identify virtual machine guest additions that may be installed on the system (specifically those associated with both VirtualBox and VMware). The malware also looks for the presence of hardware devices that are commonly seen on virtual machines, as well as applications commonly used for malware detections (such as Wireshark, Autoruns, Process Hacker, ImportREC and more).
“The threat actors behind these campaigns were so concerned with evasion they didn’t include just one or two anti-analysis checks, but dozens of checks, including those rarely seen in most commodity malware,” said researchers. “This type of campaign highlights the level of sophistication that some financially motivated actors have achieved in the past few years.”
Finally, similar to previous Astaroth campaigns, the attackers have established a series of YouTube channels and are leveraging the channel descriptions to establish and communicate a list of command-and-control (C2) domains that the nodes in the botnet should communicate with to obtain additional instructions and updates.
“As a final layer of sophistication, the adversaries have gone so far as to leverage a widely available and innocuous service like YouTube to hide its command-and-control infrastructure in both an encrypted and Base64-encoded stream,” said researchers.
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.
