silversurfer
- Aug 17, 2014
Full report by Cisco Talos:

Over the past year, the Astaroth infostealer trojan has evolved into one of today's stealthiest malware strains, containing a slew of anti-analysis and anti-sandbox checks to prevent security researchers from detecting and analyzing its operations.
Luckily, all these innovations are only used to target and infect users in one country alone -- namely Brazil. The malware has historically targeted Brazilian users ever since it was first spotted in the wild in September 2018. [....]
In a new report published yesterday, Cisco Talos says that Astaroth has continued to evolve. The trojan still relies on email campaigns for distribution, fileless execution, and living off the land (LOLbins), but it has also gained two new major updates.
The first of these is a new and quite large collection of anti-analysis and anti-sandbox checks. The malware runs these checks before it executes to make sure it runs on a real computer, and not inside a sandbox environment, where it could be analyzed by security researchers. [....]
Following its most recent update, Astaroth now uses YouTube channel descriptions to hide the URL for its command and control (C2) servers. According to Talos, after Astaroth infects a victim, the trojan connects to a YouTube channel, from where it retrieves the channel description field.
The field contains encrypted and base64-encoded text with the URLs of its command and control server. After decoding the text, Astaroth connects to these URLs to receive new instructions and to send stolen information for future storage. [....]
Threat Spotlight: Astaroth — Maze of obfuscation and evasion reveals dark stealer
By Nick Biasini, Edmund Brumaghin and Nick Lister. * Cisco Talos is detailing an information stealer, Astaroth, that has been targeting Brazil with a variety of lures, including COVID-19 for the past nine to 12 months. * Complex maze of obfuscation and anti-analysis/evasion techniques...
blog.talosintelligence.com
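The quoted article describes the C2 lookup only at a high level: the trojan fetches a YouTube channel description and pulls base64-encoded (and, in the real samples, additionally encrypted) C2 URLs out of it. The following triage script is an added example, not code from the article, from Cisco Talos or from the malware. It assumes a channel-description string has already been fetched and shows the defender's side of the technique: locate base64-looking blobs in free-form text, decode them, and report any URLs they yield. Because the article does not specify the encryption layer, the example treats the decoded layer as plaintext; blobs that decode cleanly but contain no URL are reported separately as opaque, which is the shape an encrypted inner layer would take. The sample descriptions and the `.invalid` hostnames are constructed.

```python
import base64
import binascii
import re

# Constructed sample in the shape the article describes: ordinary channel
# text with a base64 blob that decodes to pipe-separated C2 URLs.
# (Real samples add an unspecified encryption layer on top of base64.)
SAMPLE_DESCRIPTION = (
    "Welcome to my channel! Subscribe for weekly videos.\n"
    "ref: "
    + base64.b64encode(
        b"http://c2-example.invalid/gate|https://backup-example.invalid/ping"
    ).decode("ascii")
    + "\nThanks for watching!"
)

# Constructed sample whose blob decodes to bytes that are not a URL,
# standing in for the encrypted inner layer the article mentions.
OPAQUE_DESCRIPTION = (
    "gaming clips every friday "
    + base64.b64encode(bytes(range(32))).decode("ascii")
    + " see you there"
)

# A run of 20+ base64-alphabet characters with optional padding. Short words
# in normal prose never reach this length, long blobs always do.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
URL_RE = re.compile(rb"https?://[^\s|,;\"']+")


def decode_candidates(text):
    """Return (token, decoded_bytes) for every base64-looking token that
    decodes cleanly; tokens with bad padding or stray characters are skipped."""
    found = []
    for tok in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        found.append((tok, raw))
    return found


def triage_description(text):
    """Classify decodable blobs in a description field.

    'urls'        - URLs recovered from blobs that decode to plain text
    'opaque_blobs' - blobs that decode but carry no URL (possible ciphertext)
    """
    result = {"urls": [], "opaque_blobs": []}
    for tok, raw in decode_candidates(text):
        urls = URL_RE.findall(raw)
        if urls:
            result["urls"].extend(u.decode("ascii", "replace") for u in urls)
        else:
            result["opaque_blobs"].append(tok)
    return result


if __name__ == "__main__":
    for label, desc in (("plain", SAMPLE_DESCRIPTION), ("opaque", OPAQUE_DESCRIPTION)):
        print(label, triage_description(desc))
```

Run over a set of fetched description fields, a non-empty `urls` list is an immediate lead, while a non-empty `opaque_blobs` list on an otherwise mundane channel is the weaker signal worth a second look, since a legitimate description rarely needs a long base64 blob at all.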