The information stealer Astaroth was first widely detected in 2018, when the Cofense™ Phishing Defense Center (PDC) reported dozens of hits across its customer base; in just one week, about 8,000 machines were potentially compromised.
In 2019, Microsoft published a report describing Astaroth as fileless malware that completely “lived off the land”: the malware runs its payload directly in memory or leverages legitimate system tools to run malicious code without dropping executable files on disk, which presents challenges to traditional file-based security solutions.
Since then, the malware has consistently targeted Brazil with a series of lures, including COVID-19 and Cadastro de Pessoas Físicas status.
While cybersecurity teams devise means to spot and block Astaroth, its authors have continuously kept the infostealer ahead of multiple checkpoints, adding evasions for automated analysis environments as well as for malware analysts who may be debugging it.
“The dropper used sophisticated techniques and many layers of obfuscation and evasion before even delivering the final malicious payload. There’s another series of checks once the payload is delivered to ensure, with reasonable certainty, that the payload was only executed on systems located in Brazil and not that of a researcher or some other piece of security technology, most notably sandboxes,” Talos said in its report.
The malware is typically distributed through malicious emails, using campaigns that lure users into clicking a link. Noted distribution tactics include posing as an overdue invoice from a car rental website, masquerading as Brazil's Ministry of Health providing citizens with updates on combating the COVID-19 outbreak, and other lures.
How Astaroth uses YouTube
Talos's analysis further shows that Astaroth maintains a redundant command and control (C2) mechanism with both primary and secondary C2 infrastructure.
As reported, the malware primarily locates its C2 servers by retrieving C2 domains from YouTube channel descriptions. The actors have created many YouTube channels for this purpose, each providing a list of C2 domains that the bots should contact to obtain additional instructions and updates.
Below is an example of an Astaroth C2 YouTube channel, whose description contains a list of encrypted and base64-encoded C2 domains:
The malware leverages a platform (YouTube) that is commonly allowed in corporate environments, and the analysts also noticed that the channel description data changes periodically.
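From the defender's side, the observable described above (encrypted, base64-encoded blobs sitting in a channel description field) can be hunted for with a simple heuristic. The following is an added example, not code from Talos or from this article: it scans description text for base64 tokens whose decoded bytes are non-printable and high-entropy. The channel descriptions are constructed samples, not real Astaroth data, and the token length and entropy thresholds are assumptions.

```python
import base64
import binascii
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample channel descriptions (not real Astaroth data).
SAMPLE_DESCRIPTIONS = {
    "cooking-channel": "Weekly recipes and kitchen tips. New videos every Friday!",
    # Base64 of ordinary text: decodes to printable ASCII, so it is not flagged.
    "benign-b64": "Contact: " + base64.b64encode(b"just an ordinary text message, nothing hidden").decode(),
    # Stand-in for an encrypted blob: deterministic, non-printable, high-entropy bytes.
    "suspect-channel": "|||" + base64.b64encode(bytes(range(37, 200, 3))).decode() + "|||",
}

# Runs of base64 characters long enough to hold a domain, with optional padding (assumed threshold).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted data approaches 8, English text sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or common whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def suspicious_blobs(description: str, min_entropy: float = 4.0) -> List[str]:
    """Return base64 tokens whose decoded bytes look encrypted rather than textual."""
    hits = []
    for match in B64_TOKEN.finditer(description):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not well-formed base64 (bad length or padding)
        if not looks_like_text(raw) and shannon_entropy(raw) >= min_entropy:
            hits.append(token)
    return hits


def scan_channels(descriptions: Dict[str, str]) -> Dict[str, List[str]]:
    """Map channel name -> flagged tokens, keeping only channels with hits."""
    return {name: blobs for name, text in descriptions.items()
            if (blobs := suspicious_blobs(text))}


if __name__ == "__main__":
    for name, blobs in scan_channels(SAMPLE_DESCRIPTIONS).items():
        print(f"{name}: {len(blobs)} suspicious blob(s)")
```

Because the page notes the description data changes periodically, such a check is only useful when run repeatedly against channels of interest and compared against earlier snapshots.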
For resilience, Astaroth also features a fallback C2 mechanism for situations where YouTube communication fails, configured to use an alternative URL.