Cofense experts uncovered a new variant of the Astaroth Trojan that uses Facebook and YouTube in the infection process.
Researchers at Cofense have uncovered a phishing campaign targeting Brazilian citizens with the AstarothTrojan that uses Facebook and YouTube in the infection process.
The attach chain appears to be very complex and starts with phishing messages that come with an .htm file attached. At each step of the infection process, threat actors leverage trusted sources and the interaction of the end-user. At every turn in the infection chain, the malware uses legitimate services to evade detection.
“Cofense Intelligence™ has identified a phishing campaign targeting Brazilian citizens with the Astaroth Trojan in which Facebook and YouTube profiles are used in support of the infection.” reads the analysis published by Cofense.” There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information.”
The Astaroth Trojan was first spotted by security firm Cofense in late 2018 when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Console (WMIC) to download and install malicious payloads in the background. According to the experts, LOLbins are very effecting in evading antivirus software.
In the recent campaign, the experts observed three differed kind of emails written in Portuguese used in this phishing campaign, one using an invoice theme, another with show ticket theme and a third one using civil lawsuit theme.
Among the files downloaded in the infection process there are two .DLL files that are joined together into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe.’
The use of a legitimate program to run the malicious code resulting from the union of the two DLLs downloaded from a trusted source allows bypassing security measures.
The experts noticed that the Astaroth Trojan involved in this campaign uses YouTube and Facebook profiles to host and maintain the C2 configuration data.
The C2 data are encoded in base64 format as well as custom encrypted, attackers inserted them within posts on Facebook or the profile information about user accounts on YouTube. This trick allows the attackers to bypass content filtering and other network security measures.
“The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down.” continues the researchers.
The Astaroth storage is able to steal sensitive information, including financial information, stored passwords in the browser, email client credentials, SSH credentials. The information gathered by the malware is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list, experts noticed that most of the sites are hosted on Appspot.
This phishing campaign exclusively targets Brazilians, the experts noticed that the initial .ZIP archive geo-fenced to Brazil.
However, experts warn that attackers could expand their activities to other countries using similar tactics.