Astaroth malware hides command servers in YouTube channel descriptions

silversurfer (Thread author)
Over the past year, the Astaroth infostealer trojan has evolved into one of today's stealthiest malware strains, containing a slew of anti-analysis and anti-sandbox checks to prevent security researchers from detecting and analyzing its operations.

Luckily, all these innovations are only used to target and infect users in one country alone -- namely Brazil. The malware has historically targeted Brazilian users ever since it was first spotted in the wild in September 2018. [....]

In a new report published yesterday, Cisco Talos says that Astaroth has continued to evolve. The trojan still relies on email campaigns for distribution, fileless execution, and living off the land (LOLbins), but it has also gained two new major updates.

The first of these is a new and quite large collection of anti-analysis and anti-sandbox checks. The malware runs these checks before it executes to make sure it runs on a real computer, and not inside a sandbox environment, where it could be analyzed by security researchers. [....]

Following its most recent update, Astaroth now uses YouTube channel descriptions to hide the URL for its command and control (C2) servers. According to Talos, after Astaroth infects a victim, the trojan connects to a YouTube channel, from where it retrieves the channel description field.
The field contains encrypted and base64-encoded text with the URLs of its command and control server. After decoding the text, Astaroth connects to these URLs to receive new instructions and to send stolen information for future storage. [....]
Full report by Cisco Talos:
 
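The dead-drop resolver the post describes, as an added example (this is not Astaroth's decoder and not code from the Cisco Talos report): take a channel description, pull out the base64 runs, strip the encryption layer, and recover the C2 URLs. The page says only that the description holds "encrypted and base64-encoded text", without naming the cipher, so a single-byte XOR with a hypothetical key `XOR_KEY` stands in for it. The helper names, the sample description and the URLs inside it (RFC-reserved documentation hosts) are all constructed here.

```python
"""Recover C2 URLs hidden in a YouTube channel description (dead-drop resolver).

Added example, not Astaroth's own decoder and not Cisco Talos code.  The page
only says the description holds "encrypted and base64-encoded text" with the
C2 URLs; the cipher is not disclosed, so a single-byte XOR with a hypothetical
key stands in for it.  The sample description and its URLs are constructed.
"""
import base64
import re
from typing import List

XOR_KEY = 0x5A  # hypothetical stand-in for the undisclosed encryption layer

# A base64 run long enough to carry at least one URL, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# http(s) URL with optional port and path; stops at whitespace and quotes.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Symmetric single-byte XOR (encrypt and decrypt are the same call)."""
    return bytes(b ^ key for b in data)


def hide_urls(urls: List[str], key: int = XOR_KEY) -> str:
    """Build the hidden blob the way a dead-drop operator would: newline-join
    the URLs, XOR them, base64-encode.  Used here only to construct the sample."""
    plain = "\n".join(urls).encode("utf-8")
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


def extract_c2_urls(description: str, key: int = XOR_KEY) -> List[str]:
    """Return every http(s) URL recovered from base64 runs in the description.

    Runs that are not valid base64 (wrong length, bad padding) are skipped, and
    decoded bytes that contain no URL are ignored, so a long ordinary word such
    as 'internationalization' does not produce a false hit.
    """
    found: List[str] = []
    for run in B64_RUN.findall(description):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = xor_bytes(raw, key).decode("utf-8", errors="ignore")
        for url in URL_RE.findall(text):
            if url not in found:
                found.append(url)
    return found


# Constructed sample: a Portuguese-language cooking channel description with
# the blob dropped between two harmless lines.  Hosts use RFC 2606 / RFC 5737
# reserved names and addresses so nothing here points at a real server.
SAMPLE_URLS = [
    "https://c2-example.invalid/gate.php",
    "http://203.0.113.7:8080/cfg",
]
SAMPLE_DESCRIPTION = (
    "Canal de receitas e dicas de cozinha!\n"
    "Inscreva-se e ative o sininho.\n"
    + hide_urls(SAMPLE_URLS)
    + "\nContato: canal@example.com\n"
)


if __name__ == "__main__":
    for url in extract_c2_urls(SAMPLE_DESCRIPTION):
        print("C2 candidate:", url)
```

The decoder is for triaging a suspect description offline once you have it; on the host side the signal worth alerting on is the one the post implies, a non-browser process (here the LOLbin-driven fileless chain) fetching a YouTube channel page, which no legitimate document-handling process should do.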
