The Astaroth infostealer was first noticed by researchers in 2018, when analysts from IBM and Cofense, among others, described the malware. Then, as now, Astaroth targeted mainly users in Brazil (less often in Europe) and abused various legitimate tools; for example, it used the WMIC command-line interface to covertly download and install its malicious payloads.
Since then, Astaroth has become one of the most complex and stealthy malware families: the infostealer uses many anti-analysis and anti-sandbox mechanisms, which makes it very difficult to detect the malware and study how it operates.
In a new report published this week, Cisco Talos experts say that Astaroth continues to evolve. The trojan still relies on email spam and fileless techniques (living-off-the-land binaries, or LOLBins) to spread, but it has also received two important updates.
The first is the aforementioned extensive set of anti-analysis and anti-sandbox mechanisms. Before executing its payload, the malware performs various checks to make sure it is running on a real computer rather than in a sandbox where security researchers could study it. This helps Astaroth hide its payloads and go unnoticed.
"Astaroth is secretive in nature; the developers did everything possible to ensure its successful operation," say Cisco Talos experts. "They introduced (in Astaroth) a confused labyrinth consisting of anti-analytic and anti-sandbox checks designed to prevent detection or analysis of the malware. It all starts with effective and efficient baits, continues with numerous layers of obfuscation, and this even before (Astaroth) demonstrates any malicious intent. Then comes a series of thorough checks in search of various tools and techniques that can be used by both researchers and secure environments like sandboxes. This malware is very difficult to analyze because of its nature."
However, the trojan's developers did not stop at the obstacles described above. After the latest update, Astaroth began using YouTube channel descriptions to hide the URLs of its control servers from prying eyes.
Researchers explain that after the trojan has infected a victim's machine, it connects to a specific YouTube channel and reads that channel's description field. The field contains encrypted, base64-encoded text holding the URLs of the command-and-control servers. After decoding and decrypting the data, Astaroth connects to these URLs to receive new commands from its operators and to hand over the stolen information.
Similar tactics were previously used by the authors of the Janicab malware (in 2015) and by the operators of the Stantinko botnet (in 2019). With Astaroth, however, this way of hiding URLs is only one of three methods the malware uses to locate and connect to its C&C servers. According to Cisco Talos analysts, this once again demonstrates the high complexity of Astaroth compared with other malicious campaigns.
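The dead-drop technique described above leaves a detectable artifact: a public text field that, once base64-decoded, contains server URLs. The following Python example is added here for illustration and is not code from the article or from Cisco Talos. It assumes only the base64 layer, because the report summarized here does not disclose the encryption Astaroth applies underneath; a real decoder would need that cipher and key. The sample "channel description" and its URLs are constructed for the example and are not real Astaroth indicators.

```python
import base64
import binascii
import re

# Constructed sample "channel description" text (not a real Astaroth artifact):
# benign prose with an embedded base64 blob that decodes to a '|'-separated URL list.
SAMPLE_DESCRIPTION = (
    "Welcome to my channel! Subscribe for weekly videos.\n"
    + base64.b64encode(
        b"https://c2-placeholder.example/gate|http://backup.example:8080/cmd"
    ).decode("ascii")
    + "\nThanks for watching."
)

# A run of 16+ base64-alphabet characters, optionally padded; short tokens
# (ordinary words) are ignored to keep false positives down.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# URL pattern applied to the decoded bytes; '|' is excluded so it acts as a separator.
URL_RE = re.compile(rb"https?://[^\s|\"'<>]+")


def decode_candidates(text: str) -> list[bytes]:
    """Return the decoded bytes of every base64-looking run in the text.

    Runs that are not valid base64 (e.g. long ordinary words) are skipped.
    """
    decoded = []
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        # Re-pad so a blob with stripped '=' still decodes; invalid lengths
        # (len % 4 == 1) fail validation and are skipped.
        token += "=" * (-len(token) % 4)
        try:
            decoded.append(base64.b64decode(token, validate=True))
        except (binascii.Error, ValueError):
            continue
    return decoded


def extract_hidden_urls(text: str) -> list[str]:
    """Flag URLs that appear only after base64-decoding parts of the text.

    This is the defender-side check for the dead-drop pattern: a description
    field that yields URLs once decoded is worth a closer look.
    """
    urls = []
    for blob in decode_candidates(text):
        for match in URL_RE.finditer(blob):
            urls.append(match.group(0).decode("ascii", errors="replace"))
    return urls


if __name__ == "__main__":
    for url in extract_hidden_urls(SAMPLE_DESCRIPTION):
        print("hidden URL found:", url)
```

In practice this check would be run over any public text field that endpoint telemetry shows a suspicious process fetching (the channel description here), and a hit should be correlated with the outbound connections that follow it rather than treated as proof on its own.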